DB2 UDB Access Recording

Product Summary


UDBAR is a software tool that records how users and programs access sensitive corporate data in designated DB2 tables. UDBAR provides collection, archiving and scanning services for the audit data produced by DB2 LUW operating in the zLinux environment. UDBAR services execute partly in zLinux and partly in z/VM virtual machines.

These functions process the output files produced by the DB2AUDIT EXTRACT command and forward the processed output using FTP to the UDBAR server UDBARP, executing in the z/VM environment.

The software components executing in the z/VM environment provide the following functions:

Audit Log

For each access to an audited table, the UDBAR Processor writes a record in a CMS file, called the UDBAR audit log. An audit record contains:

Log Archiving

The UDBAR archiving function transfers the audit log to cartridge or tape, so that auditing results can be kept for a longer period of time. Archiving may be scheduled explicitly. It may also occur implicitly when the audit log is full or when a defined number of audit requests have been stored.

Inspecting the Audit Log

Part of the UDBAR user interface, the Logscan program interactively searches the audit log or an audit archive tape for specific audit events. When performing a log scan, the user can formulate the following search criteria:

One or more audit record fields

This provides for requests such as:

  • Search all accesses made by a named user to a named table during a specified period.
  • Search all updates made by a named program to a named table on a specified date.

Table column names used in the text of an audited SQL statement

This scan method selects statements that reference a named table-column, for example:

  • Search all statements that selected the column SALARY in the employee table.
  • Search all changes to the column BALANCE in the customer table, performed by a named user on a given date.

Table column values used in the text of an audited SQL statement

This scan method selects statements that reference a named table-column with a specified value. It can be used to trace all audit events for a given table "key", for example:

  • Search all accesses made to the EMPLOYEE table for EMPNO = 100 during a specified period.
  • Search all updates that made the column BALANCE in the customer table negative.

Customizing UDBAR

An installation may provide an audit user exit to be invoked by the Audit Processor for every audit log record written. The exit is written as a REXX program.

Sample Logscan