Configuring log streaming for Db2

After Db2 audit logging is enabled, you can create a log streaming pod to forward the audit logs to the IBM® Software Hub audit service.

Before you begin

Enable audit logging for the Db2 service. For more information, see Configuring audit logging for Db2.

Procedure

Create environment variables for your environment.
1. Run the following command to determine the name of your active Db2uCluster or Db2uInstance:
```
oc get db2ucluster,db2uinstance -n ${PROJECT_CPD_INST_OPERANDS}
```
2. Set DB2_CR_ID to the resource name of your Db2uCluster or Db2uInstance.
```
export DB2_CR_ID=<db2ucluster resource name/<db2uinstance resource name>
```
3. Run the following command to determine the TLS secret of your database instance:
```
$ oc get secret -n ${PROJECT_CPD_INST_OPERANDS} | grep tls
```
4. Set the INSTANCE_TLS environment variable to the TLS secret for the database instance that you want to configure log streaming:
```
export INSTANCE_TLS=<instance-tls>
```
  For the DB2OLTP instance, you can set it to the default secret:
```
export INSTANCE_TLS=db2oltp-internal-tls
```
Run the following command for Db2uCluster or Db2uInstance to confirm that audit logging is enabled and that the auditlogs PVC was created for your deployed database.
For Db2uCluster:
```
oc get db2u <DB2_CR_ID> -oyaml
```
For Db2uInstance:
```
oc get db2 <DB2_CR_ID> -oyaml
```
Confirm that enableAudit is set to true and auditlogs PVC is added in storage configs.

Create the log stream pod for Db2uCluster or Db2uInstance :

cat << EOF | oc apply -f -
apiVersion: db2ulog.databases.ibm.com/v1alpha1
kind: Db2uLogStream
metadata:
  name: $DB2_CR_ID
spec:
  configurations:
    - type: audit
      format: cadf
      connection: cp4d
  connections:
    cp4d:
      endpoint: https://zen-audit-svc.${PROJECT_CPD_INST_OPERANDS}:9880/records
      credentials: $INSTANCE_TLS
      authType: tls
  resources: # this field is optional and used to control the resources of the logstreaming pod
    limits:
      cpu: "100m"
      memory: "300Mi"
    requests:
      cpu: "100m"
      memory: "300Mi"
EOF

Note: You can set resource limits for your log streaming pod by populating the resources fields. Default values are used if you leave the fields empty.

The log stream pod is created after applying the yaml file. You can run the following command to verify that the pod is now active:

$ oc get pod | grep logstream

The command will generate output similar to the following example:

c-db2oltp-audit-test-logstream-6fb596cd5f-5r4xd                   1/1     Running     0            43h

Optional: Enable the debugging mod for log streaming.

The debugging mod returns more details in the output from your log streaming pod.

Run the following command to edit your log streaming pod:
```
oc edit cm c-<instance-name>-logstream -oyaml
```

Add the following content to the data field in your instance:

fluent.conf: "\n        <system>\n            log_level trace\n        </system>\n
    \       <source>\n            @type tail\n            path /var/log/auditlogs/*.del\n
    \           pos_file /tmp/auditlog.pos\n            tag audit.*\n            <parse>\n
    \               @type none\n            </parse>\n        </source>\n\n        <filter
    audit.**>\n            @type audit\n        </filter>\n        <filter audit.**>\n
    \           @type cadf\n        </filter>\n        <match audit.**>\n           @type
    http\n\t\t\t\t\t   endpoint https://zen-audit-svc.zen:9880/records\n\t\t\t\t\t
    \  <format>\n\t\t\t\t\t\t   @type json\n\t\t\t\t\t   </format>\n\t\t\t\t\t   json_array
    true\n\t\t\t\t\t   \n\t\ttls_ca_cert_path /etc/credentials/cp4d/ca.crt\n        tls_client_cert_path
    /etc/credentials/cp4d/tls.crt\n        tls_private_key_path /etc/credentials/cp4d/tls.key\n\t\t\n
    \       </match>\n    "

Delete your log streaming pod by running the following command:
```
oc delete pod c-<instance-name>-logstream-0
```
The log streaming pod restarts and applies the new configuration.