Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

IBM DB2 Server

IBM DB2 Server

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
SNMP Application type Process level CPU and memory utilization Performance Monitoring
WMI Application type, service mappings Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec Performance Monitoring
JDBC None Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "db2" in the Device Type and Description column to see the event types associated with this device.

Configuration

Configuring IBM DB2 Audit on Linux - DB2 side
  1. Log in to IBM Installation Manager.
  2. Click the Databases tab, and click the + icon to create a new Database Connection.
  3. Enter these settings.

    SettingValue
    Database Connection NameEnter a name for the connection, such as FortiSIEM
    Data Server TypeDB2 for Linux, Unix, and Windows
    Database Name Name of the database
    Host namedb2.org
    Port number50000
    JDBC SecurityClear text password
    User IDThe username you want to use to access this Server from FortiSIEM
    JDBC URLjdbc:db2://db2.org:50000/<databasename>:
    retrieveMessagesFromServerOnGetMessage=true;securi
  4. In the Job Manager tab, click Add Job.
  5. For Name, enter audit.
  6. For Type, select DB2 CLP Script.
  7. Click OK.
  8. Add script.
  9. Add schedule detail to audit task.
  10. Add database to audit task.

You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections 'Discovering Infrastructure' and 'Setting Access Credentials' for Device Discovery under Chapter: Configuring FortiSIEM.

Configuring IBM DB2 Audit on Windows - DB2 side

  1. Create a non-admin user on Windows, for example “AoAuditUser” , and set password
  2. Login DB2 task center, add the user to DB Users, connect it to database
  3. Grant Permission (use Administrator), use commands below
    1. Grant audit permission to db2admin
      db2 connect to sample user administrator using 'ProspectHills!'
      DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_ARCHIVE TO DB2ADMIN
      DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_DELIM_EXTRACT TO DB2ADMIN
      db2 grant load on database to db2admin
      db2 grant secadm on database to db2admin
      db2 connect reset
      
    2. Grant query permission to non-admin user
      db2 connect to sample user db2admin using  'ProspectHills!'
      db2 grant select on AUDIT to AOAuditUser
      db2 grant select on CHECKING to AOAuditUser
      db2 grant select on OBJMAINT to AOAuditUser
      db2 grant select on SECMAINT to AOAuditUser
      db2 grant select on SYSADMIN to AOAuditUser
      db2 grant select on VALIDATE to AOAuditUser
      db2 grant select on CONTEXT to AOAuditUser
      db2 grant select on EXECUTE to AOAuditUser
      db2 connect reset 
    3. Check permission for non-admin user
      db2 connect to sample user AOAuditUser using 'ProspectHills!'
      db2 select count (*) from DB2ADMIN.AUDIT
      db2 select count (*) from DB2ADMIN.CHECKING
      db2 select count (*) from DB2ADMIN.OBJMAINT
      db2 select count (*) from DB2ADMIN.SECMAINT
      db2 select count (*) from DB2ADMIN.SYSADMIN
      db2 select count (*) from DB2ADMIN.VALIDATE
      db2 select count (*) from DB2ADMIN.CONTEXT
      db2 select count (*) from DB2ADMIN.EXECUTE
      db2 connect reset
  4. Create Catalog with db2admin
  5. Create task in DB2 user Administrator:
    1. Open DB2 task center, create a task like below
    2. Add schedule
    3. Add task

Settings for Access Credentials

Settings for IBM DB2 JDBC Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device:

Values for Used For = Audit:

Setting Value
Name db2_linux
Device Type IBM DB2
Access Protocol JDBC
Used For audit
Pull Interval (minutes) 5
Port 50000
Database Name <database_name>
Audit Table AUDIT
Checking Table CHECKING
ObjMaint Table OBJMAINT
SecMaint Table SECMAINT
SysAdmin Table SYSADMIN
Validate Table VALIDATE
Context Table CONTEXT
Execute Table EXECUTE
Account Name The administrative user for your IBM DB2 server
Password The password associated with the administrative user for your IBM DB2 server

Values for Used For = Synthetic Transaction Monitoring:

Setting Value
Name db2_linux
Device Type IBM DB2
Access Protocol JDBC
Used For Synthetic Transaction Monitoring
Pull Interval (minutes) 5
Port 50000
Database Name <database_name>
Account Name The administrative user for your IBM DB2 server
Password The password associated with the administrative user for your IBM DB2 server

Sample Events

IBMDB2_CHECKING_OBJECT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=TABLES,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.41.085567,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0
IBMDB2_CHECKING_FUNCTION
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_FUNCTION]:[eventSeverity]=PHL_INFO,[objName]=CHECKING,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.40.739649,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0
IBMDB2_STATEMENT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_STATEMENT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.48.59.433204,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_COMMIT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_COMMIT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=10.1.2.81,[srcApp]=db2jcc_application,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.51.30.447924,[srcName]=SP81,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_ROLLBACK
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_ROLLBACK]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.827986,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_CONNECT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_CONNECT_RESET
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT_RESET]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.829149,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_CREATE_OBJECT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=CAN_MONITOR=CAN_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.30.14.827242,[srcName]=10.1.2.68,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode]=0
IBMDB2_JDBC_PULL_STAT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_JDBC_PULL_STAT]:[eventSeverity]=PHL_INFO,[reptModel]=DB2,[dbName]=SAMPLE,[instanceName]=db2inst1,[reptVendor]=IBM,[rptIp]=10.1.2.68,[auditEventCount]=30,[relayIp]=10.1.2.68,[dbEventCategory]=db2inst1.AUDIT,[appGroupName]=IBM DB2 Server
IBMDB2_ARCHIVE
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_ARCHIVE]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.44.002046,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0
IBMDB2_EXTRACT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_EXTRACT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.38.45.865016,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0
IBMDB2_LIST_LOGS
<134>May 14 14:03:39 10.1.2.68 java: [IBMDB2_LIST_LOGS]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.58.43.204054,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0

IBM DB2 Server

IBM DB2 Server

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
SNMP Application type Process level CPU and memory utilization Performance Monitoring
WMI Application type, service mappings Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec Performance Monitoring
JDBC None Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "db2" in the Device Type and Description column to see the event types associated with this device.

Configuration

Configuring IBM DB2 Audit on Linux - DB2 side
  1. Log in to IBM Installation Manager.
  2. Click the Databases tab, and click the + icon to create a new Database Connection.
  3. Enter these settings.

    SettingValue
    Database Connection NameEnter a name for the connection, such as FortiSIEM
    Data Server TypeDB2 for Linux, Unix, and Windows
    Database Name Name of the database
    Host namedb2.org
    Port number50000
    JDBC SecurityClear text password
    User IDThe username you want to use to access this Server from FortiSIEM
    JDBC URLjdbc:db2://db2.org:50000/<databasename>:
    retrieveMessagesFromServerOnGetMessage=true;securi
  4. In the Job Manager tab, click Add Job.
  5. For Name, enter audit.
  6. For Type, select DB2 CLP Script.
  7. Click OK.
  8. Add script.
  9. Add schedule detail to audit task.
  10. Add database to audit task.

You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections 'Discovering Infrastructure' and 'Setting Access Credentials' for Device Discovery under Chapter: Configuring FortiSIEM.

Configuring IBM DB2 Audit on Windows - DB2 side

  1. Create a non-admin user on Windows, for example “AoAuditUser” , and set password
  2. Login DB2 task center, add the user to DB Users, connect it to database
  3. Grant Permission (use Administrator), use commands below
    1. Grant audit permission to db2admin
      db2 connect to sample user administrator using 'ProspectHills!'
      DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_ARCHIVE TO DB2ADMIN
      DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_DELIM_EXTRACT TO DB2ADMIN
      db2 grant load on database to db2admin
      db2 grant secadm on database to db2admin
      db2 connect reset
      
    2. Grant query permission to non-admin user
      db2 connect to sample user db2admin using  'ProspectHills!'
      db2 grant select on AUDIT to AOAuditUser
      db2 grant select on CHECKING to AOAuditUser
      db2 grant select on OBJMAINT to AOAuditUser
      db2 grant select on SECMAINT to AOAuditUser
      db2 grant select on SYSADMIN to AOAuditUser
      db2 grant select on VALIDATE to AOAuditUser
      db2 grant select on CONTEXT to AOAuditUser
      db2 grant select on EXECUTE to AOAuditUser
      db2 connect reset 
    3. Check permission for non-admin user
      db2 connect to sample user AOAuditUser using 'ProspectHills!'
      db2 select count (*) from DB2ADMIN.AUDIT
      db2 select count (*) from DB2ADMIN.CHECKING
      db2 select count (*) from DB2ADMIN.OBJMAINT
      db2 select count (*) from DB2ADMIN.SECMAINT
      db2 select count (*) from DB2ADMIN.SYSADMIN
      db2 select count (*) from DB2ADMIN.VALIDATE
      db2 select count (*) from DB2ADMIN.CONTEXT
      db2 select count (*) from DB2ADMIN.EXECUTE
      db2 connect reset
  4. Create Catalog with db2admin
  5. Create task in DB2 user Administrator:
    1. Open DB2 task center, create a task like below
    2. Add schedule
    3. Add task

Settings for Access Credentials

Settings for IBM DB2 JDBC Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device:

Values for Used For = Audit:

Setting Value
Name db2_linux
Device Type IBM DB2
Access Protocol JDBC
Used For audit
Pull Interval (minutes) 5
Port 50000
Database Name <database_name>
Audit Table AUDIT
Checking Table CHECKING
ObjMaint Table OBJMAINT
SecMaint Table SECMAINT
SysAdmin Table SYSADMIN
Validate Table VALIDATE
Context Table CONTEXT
Execute Table EXECUTE
Account Name The administrative user for your IBM DB2 server
Password The password associated with the administrative user for your IBM DB2 server

Values for Used For = Synthetic Transaction Monitoring:

Setting Value
Name db2_linux
Device Type IBM DB2
Access Protocol JDBC
Used For Synthetic Transaction Monitoring
Pull Interval (minutes) 5
Port 50000
Database Name <database_name>
Account Name The administrative user for your IBM DB2 server
Password The password associated with the administrative user for your IBM DB2 server

Sample Events

IBMDB2_CHECKING_OBJECT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=TABLES,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.41.085567,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0
IBMDB2_CHECKING_FUNCTION
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_FUNCTION]:[eventSeverity]=PHL_INFO,[objName]=CHECKING,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.40.739649,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0
IBMDB2_STATEMENT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_STATEMENT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.48.59.433204,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_COMMIT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_COMMIT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=10.1.2.81,[srcApp]=db2jcc_application,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.51.30.447924,[srcName]=SP81,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_ROLLBACK
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_ROLLBACK]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.827986,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_CONNECT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_CONNECT_RESET
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT_RESET]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.829149,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_CREATE_OBJECT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=CAN_MONITOR=CAN_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.30.14.827242,[srcName]=10.1.2.68,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode]=0
IBMDB2_JDBC_PULL_STAT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_JDBC_PULL_STAT]:[eventSeverity]=PHL_INFO,[reptModel]=DB2,[dbName]=SAMPLE,[instanceName]=db2inst1,[reptVendor]=IBM,[rptIp]=10.1.2.68,[auditEventCount]=30,[relayIp]=10.1.2.68,[dbEventCategory]=db2inst1.AUDIT,[appGroupName]=IBM DB2 Server
IBMDB2_ARCHIVE
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_ARCHIVE]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.44.002046,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0
IBMDB2_EXTRACT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_EXTRACT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.38.45.865016,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0
IBMDB2_LIST_LOGS
<134>May 14 14:03:39 10.1.2.68 java: [IBMDB2_LIST_LOGS]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.58.43.204054,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0