This is actually a question I already have the answer for; I just want to use the question/answer style to ensure it complies with the way this forum is set up.
This is how I achieved CIM compliance for the DB2 audit logs that are dumped to the filesystem by the DBA (not read in via the DB Connect application).
Please see the answer for the solution information.
props.conf
[DB2:audit]
# Instance name is the part of the file name between the last '-' and '.log'
# (the '.' before 'log' is escaped so it matches a literal dot)
EVAL-instance_name = replace(source, "/[^-]+-([^.]+)\.log$", "\1")
EVAL-status = if(category=="SECMAINT",if(eventstatus==0,"success","failure"),null())
FIELDALIAS-DB2:audit_aliases = eventstatus AS result_id grantee AS object granteetype AS object_category host AS dest
# Named capture group restored as <src> (the forum stripped the angle-bracketed
# name; 'src' is inferred from the stanza name and the CIM field). Captures the
# applicationid up to, but not including, its last two dot-separated components.
EXTRACT-db2src = (?ms)applicationid=(?P<src>.*?)(\.[^.]+){2};
EVAL-user = coalesce(grantor,userid)
EVAL-action = if(category=="VALIDATE",if(eventstatus==0,"success","failure"),null())
eventtypes.conf
[db2_audit_change]
search = sourcetype=DB2:audit category=SECMAINT
[db2_audit_auth]
search = sourcetype=DB2:audit category=VALIDATE
tags.conf
[eventtype=db2_audit_change]
change = enabled
[eventtype=db2_audit_auth]
authentication = enabled
You may need to change this depending on your exact requirements but hopefully it helps someone...
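The following is an added example, not part of the original post and not Splunk code: it re-implements the props.conf, eventtypes.conf and tags.conf logic above in plain Python so the two regexes and the EVAL/FIELDALIAS mappings can be checked offline against sample records before the configuration is deployed. The `src` group name, the `;`-delimited `key=value` record layout, the source path, the host name and the audit records themselves are all constructed for the example (the field names match the ones used in the props.conf; the values are made up).

```python
"""Offline check of the DB2 audit -> CIM mappings from the props.conf above.

Added example (not from the original post or from Splunk). The regexes are the
ones in the props.conf, with the '.' before 'log' escaped and the <src> named
group restored. Sample records below are constructed, not real DB2 output.
"""
import re

# EVAL-instance_name: Splunk's replace() returns the input unchanged on no match.
INSTANCE_RE = re.compile(r"/[^-]+-([^.]+)\.log$")
# EXTRACT-db2src: everything in applicationid before its last two dot-separated parts.
SRC_RE = re.compile(r"(?ms)applicationid=(?P<src>.*?)(\.[^.]+){2};")

# eventtypes.conf + tags.conf, expressed as data: category -> (eventtype, tag)
EVENTTYPES = {
    "SECMAINT": ("db2_audit_change", "change"),
    "VALIDATE": ("db2_audit_auth", "authentication"),
}


def coalesce(*values):
    """Splunk coalesce(): the first argument that is not null."""
    for value in values:
        if value is not None:
            return value
    return None


def parse_kv(raw):
    """Stand-in for Splunk auto-kv on a ';'-delimited key=value record (constructed layout)."""
    fields = {}
    for part in raw.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def cim_fields(source, host, raw):
    """Apply the props/eventtypes/tags logic to one event and return all fields."""
    fields = parse_kv(raw)
    out = dict(fields)
    category = fields.get("category")

    # EVAL-instance_name
    match = INSTANCE_RE.search(source)
    out["instance_name"] = match.group(1) if match else source

    # EVAL-status (Change data model) and EVAL-action (Authentication data model)
    outcome = "success" if fields.get("eventstatus") == "0" else "failure"
    out["status"] = outcome if category == "SECMAINT" else None
    out["action"] = outcome if category == "VALIDATE" else None

    # FIELDALIAS-DB2:audit_aliases
    out["result_id"] = fields.get("eventstatus")
    out["object"] = fields.get("grantee")
    out["object_category"] = fields.get("granteetype")
    out["dest"] = host

    # EXTRACT-db2src
    match = SRC_RE.search(raw)
    out["src"] = match.group("src") if match else None

    # EVAL-user: grantor for SECMAINT events, otherwise the authenticating userid
    out["user"] = coalesce(fields.get("grantor"), fields.get("userid"))

    # eventtypes.conf / tags.conf
    out["eventtype"], out["tag"] = EVENTTYPES.get(category, (None, None))
    return out


# Constructed sample input: path naming convention and two audit records.
SOURCE = "/var/log/db2audit/db2inst1-PRODDB.log"
SAMPLE_EVENTS = [
    # constructed: successful authentication from a remote client
    "timestamp=2014-02-25-18.34.40.123456;category=VALIDATE;eventstatus=0;"
    "userid=appuser;authid=APPUSER;applicationid=10.20.30.40.52113.140225183440;",
    # constructed: failed GRANT issued by a DBA against a role, local connection
    "timestamp=2014-02-25-18.35.02.654321;category=SECMAINT;eventstatus=-1;"
    "grantor=DBADMIN;grantee=APPROLE;granteetype=ROLE;"
    "applicationid=*LOCAL.db2inst1.140225183440;",
]

if __name__ == "__main__":
    keys = ("eventtype", "tag", "action", "status", "user", "src", "dest", "instance_name")
    for raw in SAMPLE_EVENTS:
        event = cim_fields(SOURCE, "db2host01", raw)
        print({k: event[k] for k in keys})
```

The lazy `(?P<src>.*?)` followed by `(\.[^.]+){2};` is what makes the extraction stop before the last two components rather than the first two, so it handles both a dotted IPv4 address and the `*LOCAL.<instance>.<timestamp>` form; a record whose applicationid has fewer than two trailing components yields no `src`, which is the behaviour to look for when validating against real exports.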