Hello,

We are currently evaluating the Microsoft SQL Server App and none of our Security Dashboards are populating. We have been investigating this for a few days now and I believe we have narrowed down to the field extractions in props.conf not returning any data both within Splunk, and also when I run through a regular expression tester.

For example:

EXTRACT-mssql_33205_class_type=(?ms)EventCode=33205\n.\nclass_type:(?.?)\n

when put against my audit log file (I omitted lines for security related purposes)

SidType=1
TaskCategory=Failover
OpCode=None
RecordNumber=3393348
Keywords=Audit Success, Classic
Message=Audit event: event_time:2014-03-28 14:36:09.0903622
sequence_number:2
action_id:VSST
succeeded:true
permission_bitmask:0
is_column_permission:false
session_id:59
server_principal_id:2
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:0
class_type:SR

We do know however that all eventtypes are working properly and going into their proper Indexes because I consistently see EventCode 33205 being brought into our Splunk Indexer Development environment based on the sample from my Splunk event below:

03/28/2014 10:36:09 AM
LogName=Security
SourceName=MSSQLSERVER$AUDIT
EventCode=33205
EventType=0
Type=Information

I'm extremely puzzled that the props.conf that came with the app would have Regular Expressions that do not work but as I mentioned both when I run them within Splunk or through an online RegEx tested and my sample data I never see any matches, hence we go to use the eventtype=mssql-audit and process it through the transforms.conf file against the lookups, we never return any data which explains why the dashboards do not populate.

Any help on this appreciated because rather than write our own RegEx's we want to see where the error might be at.

Thank you in advance.