IBM Support

Send negative SQL return codes from zOS/DB2 to Guardium then to SIEM

Question & Answer


Question

What must I do to see negative SQL return codes for failed access from zOS/DB2 in a Guardium report? How do I send these error codes to a SIEM?

Cause

Starting with v10 of STAP on System z, negative SQL codes can be collected. The list of error codes is configured through the DB2 collection rule and its Failure Code field. The field is visible only if you choose "DB2 Collection Profile" as the DB type. Only the error codes listed will be collected.

To display a specific error such as -551, enter "-551" in the Failure Code field.

If the policy rule uses the Command field and you enter "ALL FAILED AUTHORIZATIONS" or "FAILED AUTHID CHANGES", then negative SQLCODE -551, -552 and -553 will be collected.

To collect all types of SQLCODE, check "NOT" and enter "-1" in the Failure Code field.

These error codes will be reflected in the Guardium Exception Report.

Answer

To see all negative SQL return codes in a Guardium report, create the following policy rule:

Policy Rule: Access type rule to capture all zOS SQL Errors
Specify Net-Protocol, Command and Object settings as appropriate
DB Type: db2 collection profile
NOT Failure Codes set to "-1" (or any negative SQL code you specifically want to capture)
Actions: Z/OS AUDIT

If you want all error codes sent to the SIEM, make sure remote syslog is configured to receive alerts. Create policy rule #1 as above, then create a second policy rule, #2, to send alerts to the SIEM.

Policy Rule #2: Exception type rule to send exceptions to SIEM
Server IP: 1.2.3.4 (optional - set to the LPAR IP address - only required if you want to limit exception alerting to this specific LPAR. There could be multiple STAPs on this LPAR)
DB Type: db2
Actions: Alert Per Match
Notification: SYSLOG
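
Once rule #2 forwards exceptions over syslog, the receiving side can separate the authorization failures (-551, -552, -553) from other negative SQLCODEs. The following is an added example, not IBM's code; the SQLCODE=/DBUSER= message layout, the sample lines and the function names are assumptions, because the alert text depends on how the alert message is configured on the Guardium side.

```python
import re
from collections import Counter

# SQLCODEs the page lists for "ALL FAILED AUTHORIZATIONS" / "FAILED AUTHID CHANGES".
AUTH_FAILURE_CODES = {-551, -552, -553}

# ASSUMPTION: the alert text carries SQLCODE=<n> and DBUSER=<id> key/value pairs.
# Adjust both patterns to the message layout your appliance actually sends.
SQLCODE_RE = re.compile(r"\bSQLCODE=(-?\d+)\b")
USER_RE = re.compile(r"\bDBUSER=(\S+)")

# Constructed sample lines (not real Guardium output).
SAMPLE_LINES = [
    "<134>Sep 27 10:01:02 collector01 alert: SERVERIP=1.2.3.4 DBUSER=APPUSR1 SQLCODE=-551",
    "<134>Sep 27 10:01:09 collector01 alert: SERVERIP=1.2.3.4 DBUSER=APPUSR1 SQLCODE=-552",
    "<134>Sep 27 10:02:30 collector01 alert: SERVERIP=1.2.3.4 DBUSER=BATCH02 SQLCODE=-204",
    "<134>Sep 27 10:02:41 collector01 alert: SERVERIP=1.2.3.4 DBUSER=BATCH02 SQLCODE=-551",
    "<134>Sep 27 10:03:00 collector01 alert: scheduled heartbeat",
    "<134>Sep 27 10:03:15 collector01 alert: SERVERIP=1.2.3.4 DBUSER=TSOUSR3 SQLCODE=-553",
]


def parse_alert(line):
    """Return a dict for a line carrying a negative SQLCODE, else None."""
    match = SQLCODE_RE.search(line)
    if match is None:
        return None  # not an SQL exception alert (e.g. heartbeat)
    code = int(match.group(1))
    if code >= 0:
        return None  # only negative return codes are errors
    user = USER_RE.search(line)
    return {
        "user": user.group(1) if user else "unknown",
        "sqlcode": code,
        "auth_failure": code in AUTH_FAILURE_CODES,
    }


def auth_failures_by_user(lines, threshold=2):
    """Count authorization failures per DB user; keep users at or above threshold."""
    counts = Counter()
    for line in lines:
        event = parse_alert(line)
        if event and event["auth_failure"]:
            counts[event["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(auth_failures_by_user(SAMPLE_LINES))
```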
 


Document Information

Modified date:
27 September 2018

UID

ibm10733205