Heavily regulated industries currently face a demanding combined task in the DB2 area:
a) activating the audit traces, which for many sites is the “dreaded first activation after decades”;
b) monitoring access to selected critical tables by activating table auditing, even though the number of accesses, and thus of SMF records, can be high and cannot be predicted exactly in advance; and
c) delivering the corresponding events to the SIEM in real time.
Large installations that already meet their regulatory obligations efficiently with SF-Sherlock have shaped its further development in light of these requirements. A clear goal was to eliminate special DB2 add-ons in the form of additional products and thereby further reduce the total cost of auditing and event monitoring.
That goal has now been met, and the result is SF-Sherlock’s functionally and sustainably expanded real-time sniffer:
1) Selected SMF record types can now be excluded from SMF archiving as desired; the event still reaches SF-Sherlock, and thus the event monitoring or the SIEM, but is no longer written to the SMF data set or the SMF log stream.
2) For DB2 SMF record types 100 to 102 (audit trace records are written as type 102), high-volume events such as IFCID 143 (first write to an audited table, i.e. the table-update audit) and IFCID 144 (first read of an audited table, i.e. the table-read audit) can now be excluded from SMF archiving in the same way as whole record types, and “only” reach SF-Sherlock’s event monitoring.
Altogether every party is satisfied: everything is audited, the SIEM is supplied with events, and the SMF archiving medium is no longer further “distended.” The practical caveat is that exclusion is a capacity decision, not an audit decision: an excluded record type or IFCID is still seen by the sniffer, but it will not be available later from the SMF archive, so the SIEM (or the sniffer’s own retention) becomes the sole record for those events.
That means that, thanks to SF-Sherlock, regulatory requirements in the DB2 area can now be met cost-neutrally with “standard tools.”
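To make the two-tier routing described above concrete, here is an added, constructed Python model of the decision (not SF-Sherlock code, whose implementation the page does not describe): every event is forwarded to the event monitor/SIEM unconditionally, while the SMF archive copy is suppressed either for a whole record type or, within DB2 types 100 to 102, for individual IFCIDs. The event fields, the `RoutingPolicy`/`process`/`nothing_lost` names and the sample events are assumptions for illustration; in a real z/OS setup this is the kind of decision an SMF record exit makes, and the only invariant that matters for the auditor is the one `nothing_lost` checks: nothing that is dropped from the archive is also dropped from the SIEM.

```python
"""Hypothetical two-tier SMF routing policy (constructed example, not SF-Sherlock code).

Tier 1: whole SMF record types kept out of the SMF archive.
Tier 2: individual DB2 IFCIDs (record types 100-102) kept out of the archive.
Both tiers still deliver the event to the event monitor / SIEM.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# DB2 writes its trace data as SMF record types 100 (statistics),
# 101 (accounting) and 102 (performance/audit); the audit IFCIDs land in 102.
DB2_RECORD_TYPES = {100, 101, 102}


@dataclass(frozen=True)
class SmfEvent:
    """Simplified SMF event; real records carry far more than these fields."""
    record_type: int                  # SMF record type, e.g. 80 (RACF), 102 (DB2 trace)
    ifcid: Optional[int] = None       # DB2 IFCID, only meaningful for types 100-102
    detail: str = ""                  # free text standing in for the record body


@dataclass
class RoutingPolicy:
    # Tier 1: record types whose archive copy is suppressed (assumed policy field)
    archive_excluded_types: Set[int] = field(default_factory=set)
    # Tier 2: DB2 IFCIDs whose archive copy is suppressed (assumed policy field)
    archive_excluded_ifcids: Set[int] = field(default_factory=set)

    def route(self, ev: SmfEvent) -> Tuple[bool, bool]:
        """Return (to_siem, to_archive). The SIEM path is never policy-driven."""
        to_siem = True
        if ev.record_type in self.archive_excluded_types:
            return to_siem, False
        # IFCID filtering only applies to DB2 trace records; an unrelated
        # record type is never matched on an IFCID it does not really carry.
        if ev.record_type in DB2_RECORD_TYPES and ev.ifcid in self.archive_excluded_ifcids:
            return to_siem, False
        return to_siem, True


def process(policy: RoutingPolicy, events: List[SmfEvent]):
    """Split an event stream into what reaches the SIEM and what is archived."""
    siem: List[SmfEvent] = []
    archive: List[SmfEvent] = []
    for ev in events:
        to_siem, to_archive = policy.route(ev)
        if to_siem:
            siem.append(ev)
        if to_archive:
            archive.append(ev)
    return siem, archive


def nothing_lost(events: List[SmfEvent], siem: List[SmfEvent], archive: List[SmfEvent]) -> bool:
    """Audit invariant: the SIEM sees every event, and the archive never holds
    something the SIEM did not also receive."""
    return len(siem) == len(events) and set(archive) <= set(siem)


# Constructed sample stream: one RACF violation, DB2 audit class 1/2 records
# (IFCID 140 authorization failure, 141 GRANT/REVOKE), three high-volume
# table-audit records (143 first write, 144 first read) and a job-end record.
SAMPLE_EVENTS = [
    SmfEvent(80, None, "RACF access violation on PAY.SALARY data set"),
    SmfEvent(102, 140, "DB2 authorization failure, user ALICE"),
    SmfEvent(102, 141, "DB2 GRANT on PAY.SALARY"),
    SmfEvent(102, 143, "first write to audited table PAY.SALARY"),
    SmfEvent(102, 144, "first read of audited table PAY.SALARY"),
    SmfEvent(102, 144, "first read of audited table HR.EMP"),
    SmfEvent(30, None, "job end, batch job PAYRUN"),
]

# The page's scenario: keep the archive free of the table-audit flood only.
TABLE_AUDIT_POLICY = RoutingPolicy(archive_excluded_ifcids={143, 144})


def run_example(policy: RoutingPolicy = TABLE_AUDIT_POLICY, events=SAMPLE_EVENTS) -> dict:
    """Apply a policy and return counts plus the invariant result."""
    siem, archive = process(policy, events)
    return {
        "siem": len(siem),
        "archive": len(archive),
        "archived_ifcids": sorted(e.ifcid for e in archive if e.ifcid is not None),
        "nothing_lost": nothing_lost(events, siem, archive),
    }


if __name__ == "__main__":
    for name, pol in [
        ("exclude IFCID 143/144 only", TABLE_AUDIT_POLICY),
        ("also exclude whole type 30", RoutingPolicy({30}, {143, 144})),
    ]:
        print(name, run_example(pol))
```

Running the module prints, for each policy, how many of the seven constructed events reached the SIEM versus the archive; with the page's scenario all seven reach the SIEM while only four (RACF, IFCID 140, IFCID 141 and the job-end record) are archived, and the authorization-failure and GRANT records are deliberately not excluded, since they are low-volume and are exactly what an auditor expects to find in the long-term SMF archive.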