Splunk Enterprise

Can Splunk search DB2 LUW active logs and archive logs looking for DML activity against sensitive data tables?

vaharr
New Member

Can I use Splunk to search DB2 LUW active logs and archive logs looking for DML activity against database tables? We have 12 tables with sensitive data and I am hoping to Splunk Insert, Delete or Update records in the DB2 LUW logs to use for audit reporting of user activity against these tables. Thank you. -Victor


vaharr
New Member

koshyk - Thank you for the excellent reply and the link that was provided in (1) was information that I had not discovered in my research of this topic. Can you expand the explanation in (2) especially the "collect this information using DBconnect" statement? I have asked for SECADM authority to create an Audit Policy, but this has not yet been granted by the Information Security group. If you have time, also please provide more text about how the process to "dump the data into flat files with respective table names in filename and collect the UF" is performed. Sorry for all the questions but what is 'UF'? Thank you again for the links and the well-formed response. I will be unavailable next week, but I will view your next reply in a week. -Victor


koshyk
Super Champion

DB2 doesn't have a TA of its own. There are 2 parts to your question:

  1. what auditing is done in your DB2 systems
  2. method of monitoring

(1) There is default DB2 monitoring and auditing, but it's up to your company policy and admin to disable/enable them.
The DB2 auditing is done in multiple tables. This link shows the details of the audit facilities available.

(2) Method of collection. You can collect this information using DBconnect (but it requires privileged access, which you need to set up with the DB2 admin). Or ask the admin to dump the data into flat files with the respective table names in the filename and collect them using the UF.

The DML auditing is part of the "Audit Execute layout". Please be aware that sometimes the dataset will be huge, as it will contain select statements too. The details of the table and data are in this link.

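As an added example (not from either poster), the filtering that the answer above describes, written in Python: take an EXECUTE-category audit extract, keep only INSERT/UPDATE/DELETE against the sensitive tables, and drop the SELECT noise that makes the dataset huge. The sample rows, the column order of the delimited extract and the table names are all constructed assumptions for illustration; adapt the column indexes to the extract your DBA actually produces.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of a DB2 audit EXECUTE-category extract in delimited form. The
# column order is an ASSUMPTION for illustration; map the indexes onto your DBA's real extract.
SAMPLE_EXECUTE_DEL = """\
"2024-03-01-10.15.22.123456","EXECUTE","STATEMENT","0","SALESDB","APPUSER1","INSERT INTO HR.EMPLOYEE_SALARY (EMPNO, SALARY) VALUES (?, ?)"
"2024-03-01-10.15.23.000001","EXECUTE","STATEMENT","0","SALESDB","APPUSER1","SELECT * FROM HR.EMPLOYEE_SALARY WHERE EMPNO = ?"
"2024-03-01-10.16.01.555555","EXECUTE","STATEMENT","0","SALESDB","DBA2","UPDATE hr.employee_salary SET SALARY = SALARY * 1.1 WHERE EMPNO = ?"
"2024-03-01-10.17.45.000000","EXECUTE","STATEMENT","-803","SALESDB","APPUSER1","INSERT INTO SALES.ORDERS VALUES (?, ?, ?)"
"2024-03-01-10.18.00.000000","EXECUTE","STATEMENT","0","SALESDB","BATCH","DELETE FROM HR.EMPLOYEE_SSN WHERE EMPNO = ?"
"""

# Hypothetical list of sensitive tables; in Splunk this would be a lookup file.
SENSITIVE_TABLES = {"HR.EMPLOYEE_SALARY", "HR.EMPLOYEE_SSN"}

# Matches only DML verbs and captures the schema-qualified target table, so the
# SELECTs that make up the bulk of an EXECUTE extract never get past the filter.
DML_RE = re.compile(
    r"^\s*(INSERT\s+INTO|UPDATE|DELETE\s+FROM)\s+([A-Za-z0-9_]+\.[A-Za-z0-9_]+)",
    re.IGNORECASE,
)


def sensitive_dml_events(extract_text, sensitive_tables=SENSITIVE_TABLES):
    """Return one dict per INSERT/UPDATE/DELETE that targeted a sensitive table."""
    events = []
    for row in csv.reader(io.StringIO(extract_text)):
        if len(row) < 7 or row[1] != "EXECUTE":
            continue  # wrong audit category or malformed line
        timestamp, _, _, status, database, authid, stmt = row[:7]
        match = DML_RE.match(stmt)
        if not match:
            continue  # SELECT or other non-DML statement
        table = match.group(2).upper()  # DB2 folds unquoted identifiers to upper case
        if table not in sensitive_tables:
            continue
        events.append({
            "time": timestamp, "db": database, "authid": authid,
            "action": match.group(1).split()[0].upper(), "table": table,
            "status": int(status),  # non-zero SQLCODE means the statement failed
        })
    return events


def activity_by_user(events):
    """Count (authid, action, table) triples for the audit report."""
    return Counter((e["authid"], e["action"], e["table"]) for e in events)
```

Once the flat files are indexed, the same logic maps to a rex over the statement field plus a lookup holding the 12 table names, so the search only ever touches the small DML subset rather than every SELECT.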