Db2 audit trace

The audit trace enables you to trace different events or categories of events by authorization IDs, object ownership, and so on.

When started, the audit trace records certain types of actions and sends the report to a named destination. The trace reports can indicate who has accessed data.

As with other types of Db2 traces, you can choose the following options for the audit trace:

  • Categories of events
  • Particular authorization IDs or plan IDs
  • Methods to start and stop the audit trace
  • Destinations for audit records

You can choose whether to audit the activity on a table by specifying an option of the CREATE and ALTER statements.

Audit trace classes

The following table shows the IFCIDs that are activated for each audit trace class.

Tip: Start of changeIFCID numbers are often presented in Db2 and its documentation with three or four digits and leading zeros. For example, you might find: "IFCID 1," "IFCID 001," or "IFCID 0001." However, you can assume that these references each have the same meaning.End of change
Table 1. Classes for Db2 audit trace
Class Description of class Activated IFCIDs
1 Access attempts denied due to inadequate authorization. Class 1 is also activated when you omit the CLASS keyword from the START TRACE command when you start the audit trace. 140
2 Explicit GRANT and REVOKE. 141
3 CREATE, ALTER, and DROP operations against audited tables. 142
4 First change of audited object. 143
5 First read of audited object. 144
6 Bind time information about SQL statements that involve audited objects. 145
7 Assignment or change of authorization ID. 55, 83, 87, 169, 319
8 Utilities. 23, 24, 25, 219, 220
9 Installation-defined audit record. Start of change146, 392End of change
10 Trusted context information. 269, 270
11 Audits of successful access. 3611
12–29 Reserved.  
30–32   Available for local use.  
Notes:
  1. If IFCID 361 is started through START TRACE, all successful access is traced. If IFCID 361 is started because audit policy category SYSADMIN is on, only successful access using the SYSADMIN administrative authority is traced. If IFCID 361 is started because audit policy category DBADMIN is on, only successful access using the DBADMIN administrative authority is traced.
Start of change

Audit trace field (IFCID) descriptions

You can find descriptions of trace records in the IFCID flat file (DSNWMSGS). The most current version of DSNWMSGS is available only for clients who have Db2 12 for z/OS® licenses. The information is in a PDF file. To locate this information, see Db2 12 for z/OS IFCID flat file (DSNWMSGS).

End of change