create decoder

[Aj Navarro]

I need help to create a decoder with this events:

Sep  5 10:13:37 colector1mf guard_sender[7627]: LEEF:1.0|IBM|Guardium|11.0|Log Full Details|ruleID=20174|ruleDesc=Log Full Details|severity=INFO|devTime=2023-09-05 10:10:48.077000|serverType=DB2|classification=|category=|dbProtocolVersion=|usrName=PLAN=D2NUTIL ; SQLID= ; PROG=|sourceProgram=:IR0400J|start=1693930248077|dbUser=PRODESP|dst=192.9.1.6|dstPort=0|src=127.0.0.1|srcPort=0|protocol=UTIL:UTILITY|type=SQL_GPB|violationID=383807026768197355|sql=DB2_UTILITY REPAIR SET TABLESPACE MOBDBPMN.TSSUSEVA NOCOPYPEND|error= 

Sep  5 10:13:37 colector1mf guard_sender[7627]: LEEF:1.0|IBM|Guardium|11.0|Log Full Details|ruleID=20174|ruleDesc=Log Full Details|severity=INFO|devTime=2023-09-05 10:10:45.889000|serverType=DB2|classification=|category=|dbProtocolVersion=|usrName=PLAN=DISTSERV ; SQLID= ; PROG=|sourceProgram=:IR0500J|start=1693930245889|dbUser=DBADMIN|dst=192.9.18.5|dstPort=0|src=0.0.0.0|srcPort=0|protocol=CALL:DB2CALL|type=SQL_GPB|violationID=383807026768197342|sql=DB2_COMMAND -DISPLAY DB(MOBDBP5M)|error=

Sep  5 10:13:37 colector1mf guard_sender[7627]: LEEF:1.0|IBM|Guardium|11.0|Log Full Details|ruleID=20174|ruleDesc=Log Full Details|severity=INFO|devTime=2023-09-05 10:10:44.582000|serverType=DB2|classification=|category=|dbProtocolVersion=|usrName=PLAN=DISTSERV ; SQLID= ; PROG=|sourceProgram=:IR0400J|start=1693930244582|dbUser=DBADMIN|dst=192.9.198.65|dstPort=0|src=0.0.0.0|srcPort=0|protocol=CALL:DB2CALL|type=SQL_GPB|violationID=383807026768197336|sql=DB2_COMMAND -DISPLAY DB(MOBDBPMN)|error=

Sep  5 10:13:37 colector1mf guard_sender[7627]: LEEF:1.0|IBM|Guardium|11.0|Log Full Details|ruleID=20174|ruleDesc=Log Full Details|severity=INFO|devTime=2023-09-05 10:10:27.553000|serverType=DB2|classification=|category=|dbProtocolVersion=|usrName=PLAN=DISTSERV ; SQLID=SVCAB8F ; PROG=ICCPC02|sourceProgram=10.119.79.157:DB2JCC_APPLI|start=1693930227553|dbUser=SVCAB8F|dst=192.9.198.65|dstPort=5021|src=10.119.137.201|srcPort=0|protocol=DRDA:SERVER|type=SQL_GPB|violationID=383807026768197333|sql=SET CURRENT SQLID = USER|error=

Sep  5 10:13:37 colector1mf guard_sender[7627]: LEEF:1.0|IBM|Guardium|11.0|Log Full Details|ruleID=20174|ruleDesc=Log Full Details|severity=INFO|devTime=2023-09-05 10:10:17.187000|serverType=DB2|classification=|category=|dbProtocolVersion=|usrName=PLAN=DISTSERV ; SQLID=SVCAB8F ; PROG=ICCPC02|sourceProgram=10.11.7.15:DB2JCC_APPLI|start=1693930217187|dbUser=SVCAB8F|dst=192.9.198.65|dstPort=5021|src=10.11.13.01|srcPort=0|protocol=DRDA:SERVER|type=SQL_GPB|violationID=383807026768197329|sql=SET CURRENT SQLID = USER|error=

Sep  5 10:21:37 colector1mf guard_sender[7627]: LEEF:1.0|IBM|Guardium|11.0|Log Full Details|ruleID=20174|ruleDesc=Log Full Details|severity=INFO|devTime=2023-09-05 10:18:59.614000|serverType=DB2|classification=|category=|dbProtocolVersion=|usrName=PLAN=DISTSERV ; SQLID=SVCAB8F ; PROG=ICCPC02|sourceProgram=10.11.7.1:DB2JCC_APPLI|start=1693930739614|dbUser=SVCAB8F|dst=192.9.198.65|dstPort=5021|src=10.11.3.0|srcPort=0|protocol=DRDA:SERVER|type=SQL_GPB|violationID=383807026768197605|sql=SET CURRENT SQLID = USER|error=

[Fabian Ruiz]

Hi Aj Navarro,

To make your custom decoders and rules, you can take a look at the following documentation about it: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Thanks for using Wazuh

Regards.