Hi,

thank you for your feedback. 

The add-on is installed on indexer, searchheads and universal forwarder. However fields like below are not beeing mapped

00/00/0000 00:00:00 PM
LogName=Application
EventCode=33205
EventType=0
ComputerName=
SourceName=MSSQLSERVER
Type=Information
RecordNumber=123456
Keywords=Audit Failure, Classic
TaskCategory=Logon
OpCode=None
Message=Audit event: audit_schema_version:1
event_time:2023-00-00 00:00:00.000000
sequence_number:1
action_id:LGIF
succeeded:false
is_column_permission:false
session_id:0
server_principal_id:0
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:0
user_defined_event_id:0
transaction_id:0
class_type:LX
permission_bitmask:00000000000000000000000000000000
sequence_group_id:
session_server_principal_name:
server_principal_name:
server_principal_sid:
database_principal_name:
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:XXXXXXXXXX
database_name:
schema_name:
object_name:
statement:
additional_information:
user_defined_information:

Should all fields not be extracted, as the add-on has these field extractions. Or does it only work with dbconnect?

Hopefully somebody can support and advise before I start working on a customized solution which I am trying to avoid.