Can I use Splunk to search DB2 LUW active logs and archive logs looking for DML activity against database tables? We have 12 tables with sensitive data and I am hoping to Splunk Insert, Delete or Update records in the DB2 LUW logs to use for audit reporting of user activity against these tables. Thank you. -Victor
koshyk - Thank you for the excellent reply and the link that was provided in (1) was information that I had not discovered in my research of this topic. Can you expand the explanation in (2) especially the "collect this information using DBconnect" statement? I have asked for SECADM authority to create an Audit Policy, but this has not yet been granted by the Information Security group. If you have time, also please provide more text about how the process to "dump the data into flat files with respective table names in filename and collect the UF" is performed. Sorry for all the questions but what is 'UF'? Thank you again for the links and the well-formed response. I will be unavailable next week, but I will view your next reply in a week. -Victor
DB2 doesn't have a TA of its own. There are 2 parts to your question:
(1) There is default DB2 monitoring and auditing, but it's up to your company policy and admin to disable/enable them.
The db2 auditing is done in multiple tables. This link shows the details of Audit facilities available
(2) Method of collection. You can collect this information using DBconnect (but requires privileged access which you need to setup with DB2 admin). Or ask the admin to dump the data into flat files with respective table names in filename and collect using UF
The DML auditing is part of the "Audit Execute layout". Please be aware that sometimes the dataset will be huge, as it will contain select statements too. The details of the table and data are in this link.
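As an added illustration of the flat-file route in (2), not code from the thread: a small script that reads DB2 audit EXECUTE records, keeps only INSERT/UPDATE/DELETE against the sensitive tables (dropping the SELECT noise the answer warns about), and writes one file per table, with the table name in the filename, for a Universal Forwarder to monitor. The pipe-delimited record layout, the sample records and the two table names are constructed assumptions, not the real db2audit field order.

```python
import os
import re
from collections import defaultdict

# Constructed sample of audit EXECUTE records in an ASSUMED simplified layout
# (timestamp|authid|statement); the real db2audit delasc format has more fields.
SAMPLE_AUDIT = """\
2024-01-15-10.02.11|APPUSER|SELECT SSN FROM HR.EMPLOYEE WHERE EMPNO = 10
2024-01-15-10.02.15|APPUSER|UPDATE HR.EMPLOYEE SET SALARY = 5000 WHERE EMPNO = 10
2024-01-15-10.03.40|DBA01|DELETE FROM FIN.ACCOUNT WHERE ACCT_ID = 77
2024-01-15-10.04.02|APPUSER|INSERT INTO HR.EMPLOYEE (EMPNO, SSN) VALUES (11, 'x')
2024-01-15-10.05.00|APPUSER|INSERT INTO PUBLIC.LOGTBL VALUES (1)
"""

# Hypothetical stand-ins for the 12 sensitive tables mentioned in the question.
SENSITIVE_TABLES = {"HR.EMPLOYEE", "FIN.ACCOUNT"}

# Matches the DML verb and the schema-qualified target table at statement start.
DML_RE = re.compile(
    r"^\s*(?P<op>INSERT|UPDATE|DELETE)\s+(?:INTO\s+|FROM\s+)?"
    r"(?P<table>[A-Z0-9_]+\.[A-Z0-9_]+)",
    re.IGNORECASE,
)


def parse_record(line):
    """Split one audit record into (timestamp, authid, statement)."""
    ts, authid, stmt = line.split("|", 2)
    return ts, authid, stmt


def extract_dml(records, sensitive_tables):
    """Return {table: [(ts, authid, op, stmt), ...]} for DML on sensitive tables.

    SELECTs and DML on other tables are discarded, which keeps the volume
    shipped to Splunk far below the full EXECUTE audit stream."""
    hits = defaultdict(list)
    for line in records.splitlines():
        if not line.strip():
            continue
        ts, authid, stmt = parse_record(line)
        m = DML_RE.match(stmt)
        if m and m.group("table").upper() in sensitive_tables:
            table = m.group("table").upper()
            hits[table].append((ts, authid, m.group("op").upper(), stmt))
    return dict(hits)


def flat_file_name(table):
    """Filename carrying the table name, so the UF input can map file -> table."""
    return f"db2_dml_{table.replace('.', '_')}.log"


def write_flat_files(hits, out_dir):
    """Append key=value lines to one file per table; returns the paths written."""
    paths = []
    for table, rows in hits.items():
        path = os.path.join(out_dir, flat_file_name(table))
        with open(path, "a") as fh:
            for ts, authid, op, stmt in rows:
                fh.write(f"{ts} authid={authid} op={op} table={table} stmt={stmt}\n")
        paths.append(path)
    return sorted(paths)
```

Point a UF `[monitor://...]` stanza at the output directory; the `op=` and `table=` pairs are extracted by Splunk automatically for the audit report.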