Auditing
As a security officer, auditor, or manager, you can use the IBM Cloud® Activity Tracker service to track how users and applications interact with the Db2 on Cloud service in IBM Cloud.
IBM Cloud Activity Tracker records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see the getting started tutorial for IBM Cloud Activity Tracker.
Activity Tracker with LogDNA integration is available for IBM® Db2® on Clouddeployments in the regions according to the following table:
| Deployment region | Activity Tracker region |
|---|---|
| Dallas | us-south |
| Washington | us-east |
| Frankfurt | eu-de |
| London | eu-gb |
| Sydney | au-syd |
| Tokyo | jp-tok |
| São Paulo | br-sao |
| Toronto | ca-tor |
Activity Tracker with LogDNA provisioning
After you provision the service, events are automatically forwarded from all of your IBM® Db2® on Cloud deployments in the same region.
The service can be provisioned from its catalog page or from an existing Observability Dashboard.
The Activity Tracker with LogDNA service has a Lite plan that is free to use, but it only offers streaming events. To take advantage of the tagging, export, retention, and other features, you need to use one of the paid plans.
Event fields
A description of the common fields for an Activity Tracker event is on the Event fields page.
List of events
The following table lists the events that get sent to Activity Tracker from IBM® Db2® on Cloud deployments:
| Action | Description |
|---|---|
<service_id>.backup-scheduled.create |
A scheduled backup of your deployment was created. If the backup failed, a "-failure" flag is included in the message. |
<service_id>.backup.create |
A backup of your deployment was created. If the backup failed, a "-failure" flag is included in the message. |
<service_id>.backup.restore |
A restore from backup was created. If the attempted restore failed, a "-failure" flag is included in the message. |
<service_id>.restore.start |
A restore from backup was created. If the attempted restore failed, a "-failure" flag is included in the message. |
<service_id>.user-password.update |
A user's password was updated. A "-failure" flag is included in the message if the attempt to update a user's password failed. |
<service_id>.user.create |
A user was created. A "-failure" flag is included in the message if the attempt to create a user failed. |
<service_id>.user.delete |
A user was deleted. A "-failure" flag is included in the message if the attempt to delete a user failed. |
<service_id>.resources.scale |
A scaling operation was performed. If the scaling operation failed, a "-failure" flag is included in the message. |
<service_id>.privilege.update |
A privilege was granted of revoked. A "-failure" flag is included in the message if the attempt to delete a user failed. |
<service_id>.whitelisted-ips-list.update |
The allowlist was modified. A "-failure" flag is included in the message if the attempt to modify the allowlist failed. |
<service_id>.serviceendpoints.update |
A change has been made to the service endpoints configuration. If the operation failed, a "-failure" flag is included in the message. |
<service_id>.schema.create |
A schema was created. A "-failure" flag is included in the message if the attempt to delete a user failed. |
<service_id>.privilege.revoke |
A privilege was revoked. A "-failure" flag is included in the message if the attempt to delete a user failed. |
<service_id>.database-connection.list |
Lists active database connections. A "-failure" flag is included in the message if the attempt to delete a user failed. |
<service_id>.database-connection.stop |
Terminates a database connection. A "-failure" flag is included in the message if the attempt to delete a user failed. |
The <service_id> field indicates the type of Cloud Databases deployment. For example, db2 or dashdb-for-transactions or messages-for-rabbitmq.
Viewing events
You can access Activity Tracker with LogDNA through the Observability tab of your deployment's Manage page. The Manage Activity Tracker button links to the main list of all Activity Tracker instances in your IBM Cloud account. Select the instance where you set your database logs to be forwarded. IBM Cloud Activity Tracker can have only one instance per location. Click View Activity Tracker to view the events.
After the event activity is forwarded to the service, each event can be expanded to a detailed view by clicking the arrow to the left of the time stamp.
The Activity Tracker with LogDNA service offers searching, filtering, and export of events so you can customize retention for your use case. You can also use it to configure alerts.
Database Auditing
You can monitor data access in your IBM® Db2® on Cloud instance with the built-in Db2 audit facility. Use the Db2 audit facility to generate and maintain an audit trail for a series of predefined database events, including attempts to access or manipulate database objects, user authentication, SQL statement execution, and even access to the audit log. Use the audit log to reveal usage patterns that would identify system misuse, and in turn, take action to eliminate such misuse.
For more information about auditing for Db2 on Cloud, see Audit policy guidelines.
You can also audit and track changes to your database by using the following method:
- By creating a
CHANGE HISTORYevent monitor, you can query the event monitor table to determine what was done within the database and by whom. For more information, seeCHANGE HISTORYevent monitor.
Access to SYSCAT.AUDITPOLICIES, SYSIBMADM.PRIVILEGES, and SYSCAT.AUDITUSE will be revoked for PUBLIC. This only impacts clients who have explicitly assigned these privileges to PUBLIC. A client can choose to re-add the privileges to PUBLIC.
For more information about auditing and tracking database changes, see: How do I audit or track changes?.