
Scoping out the size needed for running DB2 audit facility

We're going to be enabling the audit facility on some of our DB2
servers in the future, and I need some basic information on how large
I can expect the log to grow.

I've already been warned NOT to enable everything as a single event
can generate multiple BIG records that will swamp the system.

Going over the requirements and our access standards, here's the list
of the items we need to monitor, broken down by the categories:
AUDIT --- Changes to the Audit settings.
CHECKING --- Failed authorization checking on server authentication as
well as object permissions.
SECMAINT --- Security Maintenance changes (grants/revokes on database
objects or DBADM authority, database manager configuration
parameters).
SYSADMIN --- Commands where SYSADM, SYSMAINT, or SYSCTRL permissions
are required (powerful roles).
VALIDATE --- Failed user validation (authentication or retrieving
security information).

If someone can also supply me with some actual logs, I'd appreciate it
as I also have to create tools to parse the logs and examine them.

Of course, I suspect that someone already has tools to do this. Please
provide a link to the tool if possible.

Thanks in advance!

Bruce
Nov 12 '05 #1


The actual db2audit log is "unreadable". You need to "db2audit
extract". You can do this to an ASC DEL file which you can then load
into a table of your own design to pick up what you need.
There's the rub. You need to pick up failures of CHECKING and VALIDATE,
but you also need to pick up success and failure of SYSADMIN, AUDIT,
SECMAINT.
Unfortunately, the audit facility config will not allow this. You'll
need to specify STATUS BOTH in the config scope which will also give you
success records for CHECKING and VALIDATE. However, if you extract to an
ASCDEL file and load into a table you can then use SELECT stmts. to
filter exactly what you need.
As to size estimate, this is very difficult as it is event based and we
have no clue at all as to how many events will happen or about their
rate of arrival.
I've seen ASCII flat files from audit output which generated 7 to 9
records of 3-4 lines of text for just a CONNECT statement when audit
scope was defined with ALL, so you can expect a fairly sized output file.
You shouldn't get too many records from SYSADMIN, AUDIT and SECMAINT as
they require sysadmin and dbadm authorities and there should not be that
many. Where you may get "hurt" is at VALIDATE and CHECKING as these
events will apply to all of your connections and every object that they
attempt to touch.

HTH, Pierre.

--
Pierre Saint-Jacques - Reply to: sescons at attglobal dot net
IBM DB2 Certified Solutions Expert - Administration
SES Consultants Inc.
Nov 12 '05 #2
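
The approach described in the reply above (extract to a delimited file, load it into a table, filter with SELECT), as an added example that is not part of the original thread. It assumes a simplified four-column layout (timestamp, category, event, status) with a negative status meaning failure, uses an in-memory SQLite table as a stand-in for a DB2 table of your own design, and runs on constructed sample rows rather than real db2audit output.

```python
import csv
import io
import sqlite3

# Constructed sample rows, not real db2audit output. Assumed layout:
# timestamp, category, event, status (SQLCODE-style, negative = failure).
SAMPLE_EXTRACT = '''\
"2005-11-12-09.15.01","VALIDATE","AUTHENTICATION",0
"2005-11-12-09.15.02","VALIDATE","AUTHENTICATION",-30082
"2005-11-12-09.15.03","CHECKING","CHECKING_OBJECT",0
"2005-11-12-09.15.04","CHECKING","CHECKING_OBJECT",-551
"2005-11-12-09.16.10","SECMAINT","GRANT",0
"2005-11-12-09.17.22","SYSADMIN","UPDATE_DBM_CFG",0
"2005-11-12-09.18.40","SYSADMIN","STOP_DB2",-1092
"2005-11-12-09.19.05","AUDIT","CONFIGURE",0
'''

# STATUS BOTH records everything; keep only failures for the high-volume
# categories and every record for the administrative ones.
FILTER_SQL = """
SELECT ts, category, event, status
  FROM audit_events
 WHERE (category IN ('CHECKING', 'VALIDATE') AND status < 0)
    OR category IN ('SYSADMIN', 'AUDIT', 'SECMAINT')
 ORDER BY ts
"""

def load_extract(text):
    """Load delimited extract text into a table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_events "
                 "(ts TEXT, category TEXT, event TEXT, status INTEGER)")
    rows = []
    for lineno, rec in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not rec:
            continue  # skip blank lines
        if len(rec) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(rec)}")
        ts, category, event, status = rec
        rows.append((ts, category.strip().upper(), event.strip(), int(status)))
    conn.executemany("INSERT INTO audit_events VALUES (?, ?, ?, ?)", rows)
    return conn

def filter_events(conn):
    """Return only the records the monitoring requirement calls for."""
    return conn.execute(FILTER_SQL).fetchall()

def volume_by_category(conn):
    """Row count per category, to see where the log volume comes from."""
    return dict(conn.execute(
        "SELECT category, COUNT(*) FROM audit_events GROUP BY category"))
```

Running `volume_by_category` on a day's real extract shows how much of the file comes from CHECKING and VALIDATE, which is the measurement the size estimate depends on.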
