This is a discussion on "Scoping out the size needed for running DB2 audit facility" within the DB2 forums, part of the Database Server Software category.
We're going to be enabling the audit facility on some of our DB2 servers in the future, and I need some basic information on how large I can expect the log to grow.

I've already been warned NOT to enable everything, as a single event can generate multiple BIG records that will swamp the system.

Going over the requirements and our access standards, here's the list of the items we need to monitor, broken down by the categories:

AUDIT --- Changes to the Audit settings.
CHECKING --- Failed authorization checking on server authentication as well as object permissions.
SECMAINT --- Security Maintenance changes (grants/revokes on database objects or DBADM authority, database manager configuration parameters).
SYSADMIN --- Commands where SYSADM, SYSMAINT, or SYSCTRL permissions are required (powerful roles).
VALIDATE --- Failed user validation (authentication or retrieving security information).

If someone can also supply me with some actual logs, I'd appreciate it, as I also have to create tools to parse the logs and examine them.

Of course, I suspect that someone already has tools to do this. Please provide a link to the tool if possible.

Thanks in advance!

Bruce
The actual db2audit log is "unreadable". You need to "db2audit extract". You can do this to an ASC DEL file which you can then load into a table of your own design to pick up what you need.

There's the rub. You need to pick up failures of CHECKING and VALIDATE, but you also need to pick up success and failure of SYSADMIN, AUDIT, SECMAINT. Unfortunately, the audit facility config will not allow this. You'll need to specify STATUS BOTH in the config scope, which will also give you success records for CHECKING and VALIDATE. However, if you extract to an ASCDEL file and load into a table, you can then use SELECT stmts. to filter exactly what you need.

As to size estimate, this is very difficult as it is event based and we have no clue at all as to how many events will happen or about their rate of arrival. I've seen ASCII flat files from audit output which generated 7 to 9 records of 3-4 lines of text for just a CONNECT statement when audit scope was defined with ALL, so you can expect a fairly sized output file. You shouldn't get too many records from SYSADMIN, AUDIT and SECMAINT as they require sysadmin and dbadm authorities and there should not be that many. Where you may get "hurt" is at VALIDATE and CHECKING, as these events will apply to all of your connections and every object that they attempt to touch.

HTH, Pierre.

Byrocat wrote:
> We're going to be enabling the audit facility on some of our DB2
> servers in the future, and I need some basic information on how large
> I can expect the log to grow.
>
> I've already been warned NOT to enable everything as a single event
> can generate multiple BIG records that will swamp the system.
>
> Going over the requirements and our access standards, here's the list
> of the items we need to monitor, broken down by the categories:
> AUDIT--- Changes to the Audit settings.
> CHECKING --- Failed authorization checking on server authentication as
> well as object permissions.
> SECMAINT --- Security Maintenance changes (grants/revokes on database
> objects or DBADM authority, database manager configuration
> parameters).
> SYSADMIN --- Commands where SYSADM, SYSMAINT, or SYSCTRL permissions
> are required (powerful roles).
> VALIDATE --- Failed user validation (authentication or retrieving
> security information).
>
> If someone can also supply me with some actual logs, I'd appreciate it
> as I also have to create tools to parse the logs and examine them.
>
> Of course, I suspect that someone already has tools to do this. Please
> provide a link to the tool if possible.
>
> Thanks in advance!
>
> Bruce

--
Pierre Saint-Jacques - Reply to: sescons at attglobal dot net
IBM DB2 Certified Solutions Expert - Administration
SES Consultants Inc.
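As an added illustration of the extract-then-filter approach Pierre describes (example code written for this thread, not from the forum or from IBM's db2audit tooling), the script below applies Bruce's policy to a delimited extract: failures only for CHECKING and VALIDATE, both statuses for AUDIT, SECMAINT and SYSADMIN, plus a per-category record and byte count to feed a size estimate. The column layout, the meaning of the status field (0 = success) and the sample rows are all assumptions constructed for the example, not the real db2audit extract format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a "db2audit extract" delimited (DEL) file.
# Column order and all values are assumptions for this example only.
SAMPLE_DEL = """\
"2024-01-15-10.00.01.000000","CHECKING","CHECKING_OBJECT",0,"APPUSER","SALES.ORDERS"
"2024-01-15-10.00.02.000000","CHECKING","CHECKING_OBJECT",-551,"APPUSER","HR.SALARY"
"2024-01-15-10.00.03.000000","VALIDATE","AUTHENTICATION",0,"APPUSER",""
"2024-01-15-10.00.04.000000","VALIDATE","AUTHENTICATION",-30082,"BADUSER",""
"2024-01-15-10.00.05.000000","SECMAINT","GRANT",0,"DBADMIN","HR.SALARY"
"2024-01-15-10.00.06.000000","SYSADMIN","UPDATE_DBM_CFG",0,"SYSADM",""
"2024-01-15-10.00.07.000000","AUDIT","CONFIGURE",-1,"SYSADM",""
"""

COLUMNS = ("timestamp", "category", "event", "status", "authid", "object")

# Policy from the thread: the audit config cannot mix per-category status
# filters, so STATUS BOTH is captured and the narrowing happens after extract.
FAILURE_ONLY = {"CHECKING", "VALIDATE"}   # keep failures only
BOTH = {"AUDIT", "SECMAINT", "SYSADMIN"}  # keep success and failure


def parse_del(text):
    """Parse DEL rows into dicts; status becomes an int (assumed 0 = success)."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != len(COLUMNS):
            continue  # skip blank or malformed rows instead of aborting the run
        rec = dict(zip(COLUMNS, fields))
        rec["status"] = int(rec["status"])
        rows.append(rec)
    return rows


def wanted(rec):
    """Return True if the record falls inside the monitoring policy."""
    cat = rec["category"]
    if cat in BOTH:
        return True
    return cat in FAILURE_ONLY and rec["status"] != 0


def filter_records(text):
    return [r for r in parse_del(text) if wanted(r)]


def volume_by_category(text):
    """Record count and raw bytes per category, as input to a sizing estimate."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        if not line.strip():
            continue
        cat = next(csv.reader([line]))[1]
        totals[cat][0] += 1
        totals[cat][1] += len(line.encode()) + 1  # +1 for the newline
    return {k: tuple(v) for k, v in totals.items()}
```

Once the real extract is loaded into a table, the same policy is a WHERE clause over the category and status columns; the byte totals are what grow with VALIDATE and CHECKING traffic, as Pierre warns.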