DB2 audit trace

The audit trace enables you to trace different events or categories of events by authorization IDs, object ownership, and so on.

When started, the audit trace records certain types of actions and sends the report to a named destination. The trace reports can indicate who has accessed data.

As with other types of DB2® traces, you can choose the following options for the audit trace:

Categories of events
Particular authorization IDs or plan IDs
Methods to start and stop the audit trace
Destinations for audit records

You can choose whether to audit the activity on a table by specifying an option of the CREATE and ALTER statements.

Audit trace classes

Table 1. Classes for DB2 audit trace
Class	Description of class	Activated IFCIDs
1	Access attempts denied due to inadequate authorization. This default class is also activated when you omit the `CLASS` keyword from the START TRACE command when you start the audit trace.	0140
2	Explicit GRANT and REVOKE.	0141
3	CREATE, ALTER, and DROP operations against audited tables.	0142
4	First change of audited object.	0143
5	First read of audited object.	0144
6	Bind time information about SQL statements that involve audited objects.	0145
7	Assignment or change of authorization ID.	0055, 0083, 0087, 0169, 0319
8	Utilities.	0023, 0024, 0025, 0219, 0220
9	Installation-defined audit record.	146
10	Trusted context information.	0269, 0270
11	Audits of successful access.	0361¹
12 - 29	Reserved.
30 - 32	Available for local use.
Notes: If IFCID 0361 is started through START TRACE, all successful access is traced. If IFCID 0361 is started because audit policy category SYSADMIN is on, only successful access using the SYSADMIN administrative authority is traced. If IFCID 0361 is started because audit policy category DBADMIN is on, only successful access using the DBADMIN administrative authority is traced.

Authorization IDs traced by auditing
An audit trace generally identifies a process by its primary authorization ID. It records the primary ID before and after the invocation of an authorization exit routine. Therefore, you can identify the primary ID that is associated with a data change.
Audit classes
When you start the trace, you choose the events to audit by specifying one or more audit classes.
Audit trace reports
If you regularly start the audit trace for all classes, you can generate audit reports based on the data that you accumulate.
Audit trace records
An audit trace record contains the information about the authorization ID that initiated the activity that is traced.
Limitations of the audit trace
The audit trace has certain limitations, including that it does not automatically record everything.
Starting the audit trace
You can start an audit trace at any time or specify that an audit trace starts automatically whenever DB2 is started.
Stopping the audit trace
You can have multiple traces that run at the same time, including more than one audit trace. You can stop a particular trace by issuing the STOP TRACE command with the same options that you use for START TRACE.
Collecting audit trace records
You can prepare the System Management Facility (SMF) or Generalized Trace Facility (GTF) to accept audit trace records the same way as you prepare performance trace records. The records are of SMF type 102, as are performance trace records.
Formatting audit trace records
You can extract, format, and print DB2 trace records.
Auditing in a distributed data environment
The DB2 audit trace records any access to your data, whether the request is from a remote location or from your local DB2 subsystem.

Parent topic: Auditing access to DB2

Related concepts:

Audit trace records

Audit trace reports

Related tasks:

Starting the audit trace

Stopping the audit trace

Related reference:

-START TRACE (DB2)