Administration Guide
By considering the syntax of the audit facility, we can review the way the
facility can be used.
Figure 21. DB2AUDIT Syntax
The following is a description and the implied use of each parameter:
- configure
- This parameter allows the modification of the db2audit.cfg
configuration file in the instance's security
subdirectory. Updates to this file can occur even when the instance is
shut down. Updates occurring when the instance is active dynamically
affect the auditing being done by DB2 across all partitions. The
configure action on the configuration file causes the creation of an audit
record if the audit facility has been started and the audit
category of auditable events is being audited.
The following are the possible actions on the configuration file:
- RESET. This action causes the configuration file to revert to the
initial configuration (where SCOPE is all of the categories except CONTEXT,
STATUS is FAILURE, ERRORTYPE is NORMAL, and AUDIT is OFF). This action
will create a new audit configuration file if the original has been lost or
damaged.
- SCOPE. This action specifies which category or categories of events
are to be audited. This action also allows a particular focus for
auditing and reduces the growth of the log. It is recommended that the
number and type of events being logged be limited as much as possible,
otherwise the audit log will grow rapidly.
| Note: | Please notice that the default SCOPE is all categories except CONTEXT and may
result in records being generated rapidly. In conjunction with the mode
(synchronous or asynchronous), the selection of the categories may result in a
significant performance reduction and significantly increased disk
requirements.
|
- STATUS. This action specifies whether only successful or failing
events, or both successful and failing events, should be logged.
| Note: | Context events occur before the status of an operation is known.
Therefore, such events are logged regardless of the value associated with this
parameter.
|
- ERRORTYPE. This action specifies whether audit errors are returned
to the user or are ignored. The value for this parameter can be:
- AUDIT. All errors including errors occurring within the audit
facility are managed by DB2 and all negative SQLCODEs are reported back to the
caller.
- NORMAL. Any errors generated by db2audit are ignored and only the
SQLCODEs for the errors associated with the operation being performed are
returned to the application.
- describe
- This parameter displays to standard output the current audit configuration
information and status.
- extract
- This parameter allows the movement of audit records from the audit log to
an indicated destination. If no optional clauses are specified, then
all of the audit records are extracted and placed in a flat report
file. If the "extract" parameter is not specified, the audit
record is placed a file called db2audit.out in the
security directory. If output_file already
exists, an error message is returned.
The following are the possible options that can be used when
extracting:
- FILE. The extracted audit records are placed in a file
(output_file).
- DELASC. The extracted audit records are placed in a delimited ASCII
format suitable for loading into DB2 relational tables. The output is
placed in separate files: one for each category. The filenames
are:
- audit.del
- checking.del
- objmaint.del
- secmaint.del
- sysadmin.del
- validate.del
- context.del
The DELASC choice also allows you to override the default audit character
string delimiter ("0xff") when extracting from the audit log. You
would use DELASC DELIMITER followed by the new delimiter that you wish to use
in preparation for loading into a table that will hold the audit
records. The new load delimiter can be either a single character (such
as !) or a four-byte string representing a hexadecimal number (such as
0xff). For more information, refer to "Audit Facility Tips and Techniques".
- CATEGORY. The audit records for the specified categories of audit
events are to be extracted. If not specified, all categories are
eligible for extraction.
- DATABASE. The audit records for a specified database are to be
extracted. If not specified, all databases are eligible for
extraction.
- STATUS. The audit records for the specified status are to be
extracted. If not specified, all records are eligible for
extraction.
- flush
- This parameter forces any pending audit records to be written to the audit
log. Also, the audit state is reset in the engine from "unable to
log" to a state of "ready to log" if the audit facility is in an error
state.
- prune
- This parameter allows for the deletion of audit records from the audit
log. If the audit facility is active and the "audit" category of
events has been specified for auditing, then an audit record will be logged
after the audit log is pruned.
The following are the possible options that can be used when pruning:
- start
- This parameter causes the audit facility to begin auditing events based on
the contents of the db2audit.cfg file. In a partitioned DB2
instance, auditing will begin on all partitions when this clause is
specified. If the "audit" category of events has been specified
for auditing, then an audit record will be logged when the audit facility is
started.
- stop
- This parameter causes the audit facility to stop auditing events.
In a partitioned DB2 instance, auditing will be stopped on all partitions when
this clause is specified. If the "audit" category of events has
been specified for auditing, then an audit record will be logged when the
audit facility is stopped.
[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]
[ DB2 List of Books |
Search the DB2 Books ]