Enterprise Database

IBM Db2 Connector

Comprehensive audit logging for IBM Db2 databases. Monitor SQL operations, track user access, and capture security events using Db2's native audit facility and audit policies.

Native Deep Integration

DB Audit leverages Db2's built-in db2audit facility and audit policies for comprehensive coverage including all SQL operations, authorization events, and system administration activities.

db2audit Facility Audit Policies Activity Monitor
Start Free Trial View Configuration

Enterprise-Grade Security

IBM-certified audit capabilities for mission-critical enterprise workloads.

Granular Policies

Create audit policies for specific tables, users, roles, and authorization groups.

Comprehensive Categories

Track EXECUTE, SECMAINT, SYSADMIN, VALIDATE, and all Db2 audit categories.

Prerequisites

Supported Versions

  • IBM Db2 11.1 and later
  • Db2 11.5 (recommended)
  • Db2 on Cloud (IBM Cloud)
  • Db2 Warehouse on Cloud
  • Db2 for z/OS (via DRDA)

Network Requirements

  • Port 50000 (default)
  • Port 50001 (SSL/TLS)
  • DRDA protocol (TCP/IP)
  • SSL/TLS encryption (recommended)

Configuration Reference

1 Basic Connection

Field Type Required Default Description
name string Yes - A unique, descriptive name for this connection (e.g., "db2-warehouse-prod")
db_type select Yes db2 Database type - select "IBM Db2"
host string Yes - Db2 server hostname (e.g., "db2.example.com" or IBM Cloud hostname)
port number Yes 50000 Db2 port (default: 50000 for standard, 50001 for SSL)
database_name string Yes - Target database name (e.g., "SAMPLE", "WAREHOUSE")
username string Yes - Db2 user with audit privileges (e.g., "dbaudit_reader")
password password Yes - Password for the Db2 user

2 SSL/TLS Configuration

Field Type Required Default Description
use_ssl boolean No false Enable SSL/TLS encryption for connections
ssl_server_certificate textarea No - Server certificate for SSL connections
ssl_client_certificate textarea No - Client certificate for mutual TLS authentication
ssl_client_key password No - Client private key for mutual TLS authentication
security_mechanism select No ENCRYPTED_PASSWORD Security mechanism: CLEAR_TEXT_PASSWORD, ENCRYPTED_PASSWORD, KERBEROS

3 IBM Cloud Configuration

Field Type Required Description
cloud_provider select No Cloud provider: ibm_cloud, aws, azure
instance_crn string No IBM Cloud instance CRN for Db2 on Cloud
api_key password No IBM Cloud API key for management operations

4 Log Collection Configuration

Field Type Required Default Description
log_collection_type select Yes native_audit Log collection method: native_audit (db2audit), audit_policy, custom_query
audit_log_path string No - Path to db2audit archive files (e.g., "/db2/audit")
use_audit_policies boolean No true Use Db2 audit policies for granular logging
poll_interval number No 30 How often to poll for new audit events (in seconds)
audit_categories multiselect No - Audit categories: AUDIT, CHECKING, CONTEXT, EXECUTE, OBJMAINT, SECMAINT, SYSADMIN, VALIDATE

Log Collection Methods

db2audit Facility

Recommended

Native Db2 audit facility for comprehensive event capture

Advantages:

  • Complete audit trail
  • All operation types
  • Low performance impact
  • IBM certified
Setup: Configure with db2audit command and extract to delimited files

Audit Policies

Recommended

Fine-grained audit policies for specific objects and users

Advantages:

  • Granular control
  • Object-level auditing
  • Role-based policies
  • Database-level config
Setup: CREATE AUDIT POLICY and associate with objects

Activity Monitor

Real-time activity monitoring via SYSIBMADM views

Advantages:

  • Real-time data
  • No file parsing
  • Built-in views
Setup: Query SYSIBMADM.MON_* catalog views

Setup Instructions

1

Create Audit User

Create a dedicated Db2 user for DB Audit with appropriate privileges.

                -- Create a dedicated audit user
CREATE USER dbaudit_reader USING 'secure_password';

-- Grant connect privilege
GRANT CONNECT ON DATABASE TO USER dbaudit_reader;

-- Grant access to audit tables
GRANT SELECT ON SYSIBMADM.PDLOGMSGS_LAST24HOURS TO dbaudit_reader;
GRANT SELECT ON SYSCAT.AUDITPOLICIES TO dbaudit_reader;
GRANT SELECT ON SYSCAT.AUDITUSE TO dbaudit_reader;
GRANT SELECT ON SYSCAT.EVENTMONITORS TO dbaudit_reader;

-- Grant access to activity monitor views
GRANT SELECT ON SYSIBMADM.MON_CURRENT_SQL TO dbaudit_reader;
GRANT SELECT ON SYSIBMADM.MON_DB_SUMMARY TO dbaudit_reader;
GRANT SELECT ON SYSIBMADM.MON_LOCKWAITS TO dbaudit_reader;

-- Grant EXECUTE authority on audit procedures
GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_ARCHIVE TO dbaudit_reader;
GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_DELIM_EXTRACT TO dbaudit_reader;
2

Configure db2audit Facility

Configure and start the Db2 audit facility (requires instance owner authority).

                -- Configure db2audit facility (as instance owner)

-- Start the audit facility
db2audit configure scope all status both errortype audit

-- Enable all audit categories
db2audit configure scope all status both categories all

-- Specify audit data path
db2audit configure datapath /db2/audit archivepath /db2/audit/archive

-- Start auditing
db2audit start

-- Verify audit configuration
db2audit describe

Note: db2audit configuration requires SYSADM or SYSCTRL authority.

3

Create Audit Policies (Optional)

Create granular audit policies for specific tables and users.

                -- Create audit policy for sensitive tables
CREATE AUDIT POLICY sensitive_data_policy
  CATEGORIES EXECUTE STATUS BOTH,
             CONTEXT STATUS BOTH
  ERROR TYPE AUDIT;

-- Apply policy to specific tables
AUDIT TABLE schema.customers USING POLICY sensitive_data_policy;
AUDIT TABLE schema.transactions USING POLICY sensitive_data_policy;

-- Create policy for privileged users
CREATE AUDIT POLICY admin_policy
  CATEGORIES ALL STATUS BOTH
  ERROR TYPE AUDIT;

-- Apply to authorization IDs
AUDIT AUTHORIZATION GROUP db_admins USING POLICY admin_policy;

-- Verify active policies
SELECT * FROM SYSCAT.AUDITPOLICIES;
SELECT * FROM SYSCAT.AUDITUSE;

Tip: Audit policies provide more granular control than the db2audit facility alone.

4

Test Connection

Verify connectivity and permissions using the Db2 CLI.

                # Test connection using db2 CLI
db2 connect to SAMPLE user dbaudit_reader using 'secure_password'

# Verify audit user can read audit tables
db2 "SELECT COUNT(*) FROM SYSCAT.AUDITPOLICIES"

# Check audit status
db2audit describe

# Disconnect
db2 disconnect SAMPLE
5

Configure in DB Audit

Add the Db2 connection in the DB Audit dashboard.

  1. Navigate to Connections in DB Audit
  2. Click Add Connection
  3. Select IBM Db2 as the database type
  4. Enter your connection details and credentials
  5. Configure SSL if using encrypted connections
  6. Test the connection and save

Data Collected

SQL Statements

SELECT, INSERT, UPDATE, DELETE, DDL operations

Security Events

Authentication, authorization, privilege changes

User Sessions

Connect, disconnect, session context

Object Maintenance

CREATE, ALTER, DROP, RENAME operations

System Admin

Database configuration, utility commands

Validation

Authorization checking, access validation

Errors & Failures

Authorization failures, SQL errors

Performance Context

Rows affected, execution time, resources

Troubleshooting

Connection failed: SQL30081N

TCP/IP communication error. Verify the hostname, port, and network connectivity.

            # Test network connectivity
telnet db2server 50000

SQL1092N: Insufficient authority

The user lacks required privileges. Grant appropriate authorities.

            GRANT SELECT ON SYSCAT.AUDITPOLICIES TO USER dbaudit_reader;

Audit logs not being generated

Verify the audit facility is started and configured correctly.

            db2audit describe
db2audit start

SSL connection failure

Ensure the correct port (50001 for SSL) and valid certificates are configured.

Compliance Support

SOC 2

Access logging and change tracking

HIPAA

PHI access auditing

PCI DSS

Cardholder data monitoring

GDPR

Personal data access trails

Next Steps

Configure Alerts

Set up real-time alerts for suspicious database activity.

Create Policies

Define audit policies for your Db2 databases.

SIEM Integration

Forward audit events to your security operations platform.

Ready to Audit Your IBM Db2 Databases?

Start monitoring your enterprise databases in minutes with comprehensive audit logging.

Start Free Trial Contact Sales