SmartConnector for IBM DB2 Multiple Instance UDB Audit File

  • Hi Mark,

    I'm fighting on and off with DB2 as well.  You are working with the *del files right?

    Looking at IBM's documentation, the StatementText is only seen in the Context and Execute audit categories.  This field is a CLOB of size 8M which I'm assuming means maximum size of 8*1024*1024.  Not sure what, if any, field in a CEF event can accommodate that size.  For my company's purposes, we don't currently require those types of events so I'm only looking at this from the outside... but if the SQL statement can be that large, is ArcSight the right tool to collect them?  Do you see the StatementText (SQL query) in the 15th field of the raw context.del or execute.del files?  If they aren't in the files that ArcSight parses, you for sure won't see the events in Logger/ESM.  I'm just curious if you see the SQL statements and how large the statements are if you see them.

    I have a few items that you might be able to answer that are currently causing me headaches.  Hoping you can provide insight.

    Do you experience/have a solution for getting non-ASCII characters in the log files? I'm 99% sure that the non-ASCII characters come from the "Local Transaction ID"  and the "Global Transaction ID"  fields.  Both of these fields are described as "VARCHAR(10) FOR BIT DATA" and I'm thinking at this point that my DBA needs to tweak his config to convert the bit data to ASCII but I only started looking at this specific issue at the beginning of the week and am waiting for more info from my DBAs. 

    Also, unless my internal DBAs are adding values to each line of the CSV files, the number of tokens in each of the DB2 parsers does not match the number in almost all 8 DB2 audit log types.  I see this for DB2 10.1 and am curious if you see the same thing.

    Finally, if you are looking for the SC to support DB2 10.5, I have an enhancement opened for that one.  If you need it, please let support know.  The JIRA number is CON-15703.


    Best

    Carl
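
The three checks raised in the comment above (tokens per record versus what a parser expects, which field positions carry non-ASCII bytes, and how large the 15th field gets) can be run against a raw .del file with a short script. This is an added example, not part of the original post and not ArcSight or IBM code; it assumes comma-separated fields with double-quote string delimiters, and the sample records and the expected count of 16 are constructed.

```python
import csv
import io
from collections import Counter

STATEMENT_FIELD = 15  # 1-based position the comment gives for StatementText

def profile_del(raw: bytes, expected_tokens: int) -> dict:
    """Count tokens per record, locate non-ASCII fields, size the statement field."""
    csv.field_size_limit(16 * 1024 * 1024)  # default limit is far below an 8M CLOB
    # latin-1 keeps every byte as one character; older csv versions reject NUL,
    # so NUL is swapped for a visible marker that still counts as non-ASCII.
    text = raw.decode("latin-1").replace("\x00", "\u2400")
    reader = csv.reader(io.StringIO(text, newline=""), delimiter=",", quotechar='"')
    tokens, dirty = Counter(), Counter()
    mismatched, longest = [], 0
    for recno, row in enumerate(reader, start=1):
        if not row:
            continue
        tokens[len(row)] += 1
        if len(row) != expected_tokens:
            mismatched.append(recno)
        for pos, value in enumerate(row, start=1):
            if any(ord(c) > 0x7E or (ord(c) < 0x20 and c not in "\t\r\n") for c in value):
                dirty[pos] += 1
        if len(row) >= STATEMENT_FIELD:
            longest = max(longest, len(row[STATEMENT_FIELD - 1]))
    return {"token_counts": dict(tokens), "mismatched_records": mismatched,
            "non_ascii_fields": dict(dirty), "max_statement_len": longest}

def _del_line(fields):
    """Build one constructed record: quoted fields, embedded quotes doubled."""
    return b",".join(b'"' + f.replace(b'"', b'""') + b'"' for f in fields) + b"\n"

def sample() -> bytes:
    """Constructed sample data, not taken from a real audit log."""
    base = [b"f%d" % i for i in range(1, 17)]              # 16 placeholder fields
    with_sql = base[:14] + [b'SELECT "A", B FROM T'] + base[15:]
    with_bits = base[:4] + [b"\x00\x9c\x01AB"] + base[5:]  # position 5 is arbitrary
    extra = base + [b"added-by-export"]                    # 17 tokens
    return b"".join(_del_line(r) for r in (with_sql, with_bits, extra))

if __name__ == "__main__":
    print(profile_del(sample(), expected_tokens=16))
```

For a real file, pass the bytes read in binary mode (`open(path, "rb").read()`) and the token count from the parser being checked.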
