Monitoring specific Windows event logs

CMK version: 2.2.0p10.cee
OS version: Ubuntu 22.04.3 LTS

So I’m currently trying to monitor and forward events from the Windows eventlog under microsoft-windows-terminalservices-remoteconnectionmanager/operational.
Therefore I created an agent rule for fine-tuning Windows eventlog monitoring and added “microsoft-windows-terminalservices-remoteconnectionmanager/operational” with warn/crit and with context.

After updating the agent on the windows server the following message appears for service “Log Forwarding”:

Missing logfiles: WARN , Newly appeared logfiles: *, microsoft-windows-terminalservices-remoteconnectionmanager/operationalWARN* , Forwarded 0 messages

On the client side, if I run cmk-agent-ctl.exe dump, I get the following output:

[[[HardwareEvents]]]
[[[Internet Explorer]]]
[[[Key Management Service]]]
[[[microsoft-windows-terminalservices-remoteconnectionmanager/operational]]]
[[[Parameters]]]
[[[Security]]]
[[[State]]]
[[[System]]]

I’m not quite sure what I’m missing. Any help is appreciated.

Upper / lower case-sensitive?

Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

Regards

Claus

hey,
it is added as upper case in the Finetune Windows Eventlog monitoring rule, and from the agent it is changed to lower case.
So I’m not quite sure how I could affect this behaviour.
Regards,
n3m0

Only if I add the name of the log (microsoft-windows-terminalservices-remoteconnectionmanager/operational) in the check_mk.yml is the log forwarding for these events working. Via the Finetune Windows Eventlog monitoring rule it isn’t working.
Do I have to add these lines manually on each monitored Windows server? Or is there a way to control this from the web console?

The eventlog for RDP connections contains barely any logs with state warning or critical. Therefore there were no events to be forwarded. After changing the setting to "all", the forwarding rule works as expected.
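
A way to check on the Windows host whether the channel holds any warning- or critical-level events at all, which is the condition the last post identifies. This is an added example, not part of the thread; the sample size of 1000 events is an assumption.

```powershell
# Added example: tally recent events in the RDP connection manager channel by severity.
$channel = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$sample  = 1000   # assumed sample size; raise it for a longer look-back

try {
    # -ErrorAction Stop turns "log not found" and "no events" into catchable errors
    $events = Get-WinEvent -LogName $channel -MaxEvents $sample -ErrorAction Stop
} catch {
    Write-Warning "Could not read '$channel': $($_.Exception.Message)"
    return
}

# Windows event levels: 1 = Critical, 2 = Error, 3 = Warning,
# 4 = Information, 5 = Verbose, 0 = LogAlways
$events |
    Group-Object Level, LevelDisplayName |
    Sort-Object Name |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Events at Warning or above; if this is 0, a warn/crit filter has nothing to forward
$severe = @($events | Where-Object { $_.Level -in 1, 2, 3 }).Count
"{0} of {1} sampled events are Warning or more severe" -f $severe, $events.Count
```

If the last line reports 0, "Forwarded 0 messages" with a warn/crit setting is the expected result rather than a sign of a broken rule.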