We want to monitor a specific event ID. We are using: -H $HOSTADDRESS$ -c nsc_checkeventlog -a 'filter=new file=application filter+generated=<1h filter+severity==info filter=in filter=all truncate=1023 descriptions unique MaxCrit=1 filter+eventID==12345'.
The result we receive is OK, but it's wrong. The result should be Critical.
There is no event ID with this id=12345 in the last hour.
When we use filter-eventID==12345 instead of filter+eventID==12345, we receive an OK result, with all info events that happened in the last hours. That's OK, because the "-" means exclude all events like "12345".
The question is: why does "+" not work?
We tried all options from "http://nsclient.org/nscp/wiki/CheckEventLog/CheckEventLog/old".