IBM DB2 Server
What is Discovered and Monitored
Protocol | Information discovered | Metrics collected | Used for |
---|---|---|---|
SNMP | Application type | Process level CPU and memory utilization | Performance Monitoring |
WMI | Application type, service mappings | Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec | Performance Monitoring |
JDBC | None | Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations | Security Monitoring |
Event Types
In ADMIN > Device Support > Event, search for "db2" in the Device Type and Description column to see the event types associated with this device.
Configuration
Configuring IBM DB2 Audit on Linux - DB2 side
- Log in to IBM Installation Manager.
- Click the Databases tab, and click the + icon to create a new Database Connection.
- Enter these settings.
Setting | Value |
---|---|
Database Connection Name | Enter a name for the connection, such as FortiSIEM |
Data Server Type | DB2 for Linux, Unix, and Windows |
Database Name | Name of the database |
Host name | db2.org |
Port number | 50000 |
JDBC Security | Clear text password |
User ID | The username you want to use to access this Server from FortiSIEM |
JDBC URL | jdbc:db2://db2.org:50000/<databasename>:retrieveMessagesFromServerOnGetMessage=true;securi |

- In the Job Manager tab, click Add Job.
- For Name, enter audit.
- For Type, select DB2 CLP Script.
- Click OK.
- Add the script.
- Add the schedule details to the audit task.
- Add the database to the audit task.
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections 'Discovering Infrastructure' and 'Setting Access Credentials' for Device Discovery under Chapter: Configuring FortiSIEM.
Configuring IBM DB2 Audit on Windows - DB2 side
- Create a non-admin user on Windows, for example “AoAuditUser”, and set a password.
- Log in to the DB2 Task Center, add the user to DB Users, and connect it to the database.
- Grant permissions (as Administrator) using the commands below.
- Grant audit permission to db2admin:

db2 connect to sample user administrator using 'ProspectHills!'
DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_ARCHIVE TO DB2ADMIN
DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_DELIM_EXTRACT TO DB2ADMIN
db2 grant load on database to db2admin
db2 grant secadm on database to db2admin
db2 connect reset

- Grant query permission to the non-admin user:

db2 connect to sample user db2admin using 'ProspectHills!'
db2 grant select on AUDIT to AOAuditUser
db2 grant select on CHECKING to AOAuditUser
db2 grant select on OBJMAINT to AOAuditUser
db2 grant select on SECMAINT to AOAuditUser
db2 grant select on SYSADMIN to AOAuditUser
db2 grant select on VALIDATE to AOAuditUser
db2 grant select on CONTEXT to AOAuditUser
db2 grant select on EXECUTE to AOAuditUser
db2 connect reset

- Check the permissions of the non-admin user (each count should return without an authorization error):

db2 connect to sample user AOAuditUser using 'ProspectHills!'
db2 select count (*) from DB2ADMIN.AUDIT
db2 select count (*) from DB2ADMIN.CHECKING
db2 select count (*) from DB2ADMIN.OBJMAINT
db2 select count (*) from DB2ADMIN.SECMAINT
db2 select count (*) from DB2ADMIN.SYSADMIN
db2 select count (*) from DB2ADMIN.VALIDATE
db2 select count (*) from DB2ADMIN.CONTEXT
db2 select count (*) from DB2ADMIN.EXECUTE
db2 connect reset
- Create a catalog with db2admin.
- Create a task as the DB2 user Administrator:
- Open the DB2 Task Center and create a task like the one below.
- Add a schedule.
- Add a task.
Settings for Access Credentials
Settings for IBM DB2 JDBC Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device:
Values for Used For = Audit:
Setting | Value |
---|---|
Name | db2_linux |
Device Type | IBM DB2 |
Access Protocol | JDBC |
Used For | audit |
Pull Interval (minutes) | 5 |
Port | 50000 |
Database Name | <database_name> |
Audit Table | AUDIT |
Checking Table | CHECKING |
ObjMaint Table | OBJMAINT |
SecMaint Table | SECMAINT |
SysAdmin Table | SYSADMIN |
Validate Table | VALIDATE |
Context Table | CONTEXT |
Execute Table | EXECUTE |
Account Name | The administrative user for your IBM DB2 server |
Password | The password associated with the administrative user for your IBM DB2 server |
Values for Used For = Synthetic Transaction Monitoring:
Setting | Value |
---|---|
Name | db2_linux |
Device Type | IBM DB2 |
Access Protocol | JDBC |
Used For | Synthetic Transaction Monitoring |
Pull Interval (minutes) | 5 |
Port | 50000 |
Database Name | <database_name> |
Account Name | The administrative user for your IBM DB2 server |
Password | The password associated with the administrative user for your IBM DB2 server |
Sample Events
IBMDB2_CHECKING_OBJECT

<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=TABLES,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.41.085567,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0

IBMDB2_CHECKING_FUNCTION

<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_FUNCTION]:[eventSeverity]=PHL_INFO,[objName]=CHECKING,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.40.739649,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0

IBMDB2_STATEMENT

<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_STATEMENT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.48.59.433204,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_COMMIT

<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_COMMIT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=10.1.2.81,[srcApp]=db2jcc_application,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.51.30.447924,[srcName]=SP81,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_ROLLBACK

<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_ROLLBACK]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.827986,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CONNECT

<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CONNECT_RESET

<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT_RESET]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.829149,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CREATE_OBJECT

<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=CAN_MONITOR=CAN_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.30.14.827242,[srcName]=10.1.2.68,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode]=0

IBMDB2_JDBC_PULL_STAT

<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_JDBC_PULL_STAT]:[eventSeverity]=PHL_INFO,[reptModel]=DB2,[dbName]=SAMPLE,[instanceName]=db2inst1,[reptVendor]=IBM,[rptIp]=10.1.2.68,[auditEventCount]=30,[relayIp]=10.1.2.68,[dbEventCategory]=db2inst1.AUDIT,[appGroupName]=IBM DB2 Server

IBMDB2_ARCHIVE

<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_ARCHIVE]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.44.002046,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0

IBMDB2_EXTRACT

<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_EXTRACT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.38.45.865016,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0

IBMDB2_LIST_LOGS

<134>May 14 14:03:39 10.1.2.68 java: [IBMDB2_LIST_LOGS]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.58.43.204054,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0
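The sample events above share one layout: a syslog header, the FortiSIEM event type in brackets, then a comma-separated run of `[attribute]=value` pairs. The following parser and triage helper is an added example written for this page; it is not FortiSIEM or IBM code, and it assumes nothing beyond the layout visible in the samples. It handles the two awkward cases the samples show (a value containing `=`, as in `[objName]=CAN_MONITOR=CAN_MONITOR_FUNC`, and values containing spaces, as in `[appVersion]=DB2 v10.1.0.0`) and then sorts events into the buckets the monitoring table at the top of the page lists: failed log-ons, object maintenance, and sessions that did not originate on the DB2 host itself. Five of the sample lines are copied from the page; the sixth, a rejected connection, is constructed for the example and marked as such. The field names `eventType`, `syslogPri` and `relayHost` added by the parser are this example's own choice, not FortiSIEM attributes.

```python
"""Parser and triage helper for FortiSIEM-style IBM DB2 audit events.

Added example, not FortiSIEM or IBM code. It assumes only the event layout
shown on this page: <PRI>syslog-timestamp relay program: [EVENT_TYPE]:[k]=v,[k]=v,...
"""
import re
from typing import Dict, List, Optional

# Syslog header, then the event type in brackets, then the attribute body.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<relay>\S+) (?P<prog>[^:]+): \[(?P<event_type>[A-Z0-9_]+)\]:(?P<body>.*)$"
)
# A comma starts a new attribute only when "[name]=" follows it, so values that
# contain "=" (objName=CAN_MONITOR=CAN_MONITOR_FUNC) or spaces (DB2 v10.1.0.0)
# survive intact.
ATTR_SPLIT_RE = re.compile(r",(?=\[[A-Za-z0-9_]+\]=)")
ATTR_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]=(.*)$", re.S)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return one event as a flat dict, or None if the line is not in this format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # eventType/syslogPri/relayHost are names chosen for this example.
    event = {
        "eventType": m.group("event_type"),
        "syslogPri": m.group("pri"),
        "relayHost": m.group("relay"),
    }
    for chunk in ATTR_SPLIT_RE.split(m.group("body")):
        a = ATTR_RE.match(chunk)
        if a:
            event[a.group(1)] = a.group(2)
    return event


def parse_all(lines: List[str]) -> List[Dict[str, str]]:
    """Parse many lines, silently skipping ones that are not DB2 events."""
    return [e for e in (parse_event(ln) for ln in lines) if e is not None]


def triage(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Bucket events the way the 'Security Monitoring' row of the table suggests."""
    failed_logons, object_changes, remote_sessions = [], [], []
    by_category: Dict[str, int] = {}
    for e in events:
        cat = e.get("eventCategory", "")
        if cat:
            by_category[cat] = by_category.get(cat, 0) + 1
        rc = e.get("dbRetCode")
        # DB2 reports failures as a non-zero (usually negative) SQLCODE.
        failed = rc is not None and rc.lstrip("-").isdigit() and int(rc) != 0
        if e["eventType"] == "IBMDB2_CONNECT" and failed:
            failed_logons.append(e)
        if cat == "OBJMAINT":            # CREATE/DROP/ALTER of database objects
            object_changes.append(e)
        src = e.get("srcIpAddr")
        if src and src != "127.0.0.1":   # anything not from the DB2 host itself
            remote_sessions.append(e)
    return {
        "by_category": by_category,
        "failed_logons": failed_logons,
        "object_changes": object_changes,
        "remote_sessions": remote_sessions,
    }


SAMPLE_LINES = [
    # The first five lines are copied from the Sample Events section of this page.
    "<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=TABLES,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.41.085567,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0",
    "<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_COMMIT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=10.1.2.81,[srcApp]=db2jcc_application,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.51.30.447924,[srcName]=SP81,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0",
    "<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0",
    "<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=CAN_MONITOR=CAN_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.30.14.827242,[srcName]=10.1.2.68,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode]=0",
    "<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_JDBC_PULL_STAT]:[eventSeverity]=PHL_INFO,[reptModel]=DB2,[dbName]=SAMPLE,[instanceName]=db2inst1,[reptVendor]=IBM,[rptIp]=10.1.2.68,[auditEventCount]=30,[relayIp]=10.1.2.68,[dbEventCategory]=db2inst1.AUDIT,[appGroupName]=IBM DB2 Server",
    # Constructed line (not from the page): a rejected connection attempt.
    # SQLCODE -30082 is DB2's security-processing failure; timestamps and user are invented.
    "<134>May 14 13:59:02 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=10.1.2.81,[srcApp]=db2jcc_application,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.58.50.000000,[srcName]=SP81,[user]=aoaudituser,[eventCategory]=EXECUTE,[dbRetCode]=-30082",
]

if __name__ == "__main__":
    report = triage(parse_all(SAMPLE_LINES))
    print("events per audit category:", report["by_category"])
    for bucket in ("failed_logons", "object_changes", "remote_sessions"):
        print(bucket + ":")
        for e in report[bucket]:
            print("  ", e["eventType"], e.get("user"), e.get("srcIpAddr"), e.get("dbRetCode"))
```

Note that `IBMDB2_JDBC_PULL_STAT` is FortiSIEM's own bookkeeping event (how many audit rows the JDBC pull fetched) rather than a DB2 audit record; the parser reads it like any other line, but it carries no `eventCategory` or `srcIpAddr`, so the triage function leaves it out of every bucket. Its `auditEventCount` is a useful sanity check in production: a pull that suddenly returns zero rows while the database is busy usually means the audit archive/extract task on the DB2 side has stopped running.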