
 db2audit stop doesn't work for the instance level execution

Mark Gillis IBM Champion posted Thu April 10, 2025 07:45 AM

I have set up db2audit with the intention of monitoring connection attempts on a database. This is Db2 v11.5.7 running on RHEL 8.10. Having done the configure commands I need, describe shows this:

DB2 AUDIT SETTINGS:

Audit active: "TRUE "
Log audit events: "BOTH"
Log checking events: "BOTH"
Log object maintenance events: "BOTH"
Log security maintenance events: "BOTH"
Log system administrator events: "BOTH"
Log validate events: "BOTH"
Log context events: "BOTH"
Return SQLCA on audit error: "FALSE "
Audit Data Path: "/home/db2inst1/TRITON/auditpath/"
Audit Archive Path: "/home/db2inst1/TRITON/auditarchive/"

I'm then trying to do a db2audit stop, flush and archive, all of which are recorded as successful, although the log file is blank:

Member   DB Partition   AUD      Archived or Interim Log File
Number   Number         Message
-------- -------------- -------- -------------------------------------------------
       0              0 AUD0000I

AUD0000I  Operation succeeded.

I can see a log file in the archivepath:

/home/db2inst1/TRITON/auditpath:
total 52
-rw-------.  1 db2inst1 db2iadm1 23656 Apr 10 12:37 db2audit.instance.log.0

but if I try and do an extract on that, I get:

db2audit extract delasc to /home/db2inst1/TRITON/auditoutput from files /home/db2inst1/TRITON/auditpath/db2audit.instance.log.0
AUD0036N  Extract can not be performed on the active audit log file "/home/db2inst1/TRITON/auditpath/db2audit.instance.log.0".

AUD0001N  Operation failed.

This seems to suggest that audit is still running at the instance level. I can't seem to get that to stop, nor extract a valid log file. Obviously I've got something wrong here; can anyone save me a few hours of googling?

Mark Gillis IBM Champion

Might have got this one: I think the problem is that I issued the

db2audit archive

with a database parameter (doh). Will double-check and confirm.

Jan Nelken IBM Champion

Yes Mark,

archive - this parameter moves the current audit log for either an individual database or the instance to a new location for archiving and later extraction.

Mark Barinstein

Mark,

To audit database connections you must do it at the corresponding database level, not at the instance one.

CONNECT TO MYDB;
CREATE AUDIT POLICY VAL CATEGORIES VALIDATE STATUS BOTH ERROR TYPE NORMAL;

AUDIT DATABASE USING POLICY VAL;

Then you may try to connect, archive and extract the corresponding events with:
db2audit archive database MYDB
db2audit extract delasc to /home/db2inst1/TRITON/auditoutput from files "db2audit.db.MYDB.log.0.*"

And inspect the `/home/db2inst1/TRITON/auditoutput/validate.del` file.

You may also switch the instance audit off, if you don't need it.
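As an added illustration (not part of the thread), here is one way to turn the extracted validate.del into the connection-attempt report the original question was after: count AUTHENTICATION successes and failures per authorization ID and flag IDs with repeated failures. The field positions are an assumption taken from the VALIDATE record layout (timestamp, category, event, correlator, status, database, user ID, auth ID, execution ID, origin node, coordinator node, application ID, application name, ...) and should be checked against the db2audit documentation for your Db2 version; the sample rows are constructed and truncated after the authentication-type field.

```python
import csv
import io
from collections import defaultdict

# Assumed 0-based positions in a delasc VALIDATE record; verify against the
# "Audit record layout for VALIDATE events" for the installed Db2 version.
F_TIMESTAMP, F_CATEGORY, F_EVENT, F_STATUS = 0, 1, 2, 4
F_DATABASE, F_AUTHID, F_APPL_ID, F_APPL_NAME = 5, 7, 11, 12

# Constructed sample in the shape validate.del takes: comma separated, strings
# in double quotes, status 0 on success or a negative SQLCODE on failure.
SAMPLE_VALIDATE_DEL = """\
"2025-04-10-12.37.15.000001","VALIDATE","AUTHENTICATION",0,0,"TRITON","db2inst1","DB2INST1","db2inst1",0,0,"*LOCAL.db2inst1.250410113715","db2bp","SERVER"
"2025-04-10-12.37.15.000002","VALIDATE","CHECK_GROUP_MEMBERSHIP",0,0,"TRITON","db2inst1","DB2INST1","db2inst1",0,0,"*LOCAL.db2inst1.250410113715","db2bp","SERVER"
"2025-04-10-12.38.02.000001","VALIDATE","AUTHENTICATION",0,-30082,"TRITON","appuser","APPUSER","appuser",0,0,"192.0.2.10.54321.250410113802","java","SERVER"
"2025-04-10-12.38.09.000001","VALIDATE","AUTHENTICATION",0,-30082,"TRITON","appuser","APPUSER","appuser",0,0,"192.0.2.10.54322.250410113809","java","SERVER"
"2025-04-10-12.38.17.000001","VALIDATE","AUTHENTICATION",0,-30082,"TRITON","appuser","APPUSER","appuser",0,0,"192.0.2.10.54323.250410113817","java","SERVER"
"2025-04-10-12.39.00.000001","VALIDATE","AUTHENTICATION",0,0,"TRITON","reporter","REPORTER","reporter",0,0,"192.0.2.11.54400.250410113900","db2bp","SERVER"
"""

def parse_validate_del(text):
    """Yield one dict per VALIDATE record; skip blank or too-short rows."""
    reader = csv.reader(io.StringIO(text), delimiter=",", quotechar='"')
    for row in reader:
        if len(row) <= F_APPL_NAME or row[F_CATEGORY] != "VALIDATE":
            continue
        yield {"ts": row[F_TIMESTAMP], "event": row[F_EVENT],
               "status": int(row[F_STATUS]), "database": row[F_DATABASE],
               "authid": row[F_AUTHID], "appl_id": row[F_APPL_ID],
               "appl_name": row[F_APPL_NAME]}

def summarize_connections(text, fail_threshold=3):
    """Per-authid AUTHENTICATION counts plus the authids at/over the failure threshold."""
    counts = defaultdict(lambda: {"ok": 0, "failed": 0, "sqlcodes": set()})
    for rec in parse_validate_del(text):
        if rec["event"] != "AUTHENTICATION":
            continue  # group-membership and mapping checks are not connection attempts
        c = counts[rec["authid"]]
        if rec["status"] < 0:
            c["failed"] += 1
            c["sqlcodes"].add(rec["status"])
        else:
            c["ok"] += 1
    flagged = sorted(a for a, c in counts.items() if c["failed"] >= fail_threshold)
    return dict(counts), flagged

if __name__ == "__main__":
    # For a real run, read /home/db2inst1/TRITON/auditoutput/validate.del instead.
    counts, flagged = summarize_connections(SAMPLE_VALIDATE_DEL)
    for authid, c in sorted(counts.items()):
        print(f"{authid:10} ok={c['ok']} failed={c['failed']} sqlcodes={sorted(c['sqlcodes'])}")
    print("repeated failures:", flagged)
```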