Check_eventlog Filters not working for ID's #757

Open
mdollemore opened this issue Feb 14, 2022 · 0 comments

Issue and Steps to Reproduce

Check_eventlog filters using 'in' and 'regexp' not producing expected results when filtering on ID.

Filter using 'in' expression does not work when multiple IDs are supplied

Filter using 'regexp' does not work on id

Working with id = '35264'
./check_nsc_web -u https://10.241.175.12:18443/ -p 'xxxxxxxx' -k -t 30 check_eventlog "filter=log = 'Application' and source regexp 'MSSQL.*' and id = '35264'" scan-range=-2w show-all "warn=count gt 0" "critical=written > -5m" "unique=1"
WARNING: 1 message(s) warning(Application MSSQL$APP2 (Always On Availability Groups data movement for database 'uniflow' has been suspended for the following reason: "system" (Source ID 4; Source string: 'SUSPEND_FROM_APPLY'). To resume data movement on the database, you will need to resume the database manually. For information about how to resume an availability database, see SQL Server Books Online.)), Application MSSQL$APP2 (Always On Availability Groups data movement for database 'uniflow' has been suspended for the following reason: "system" (Source ID 4; Source string: 'SUSPEND_FROM_APPLY'). To resume data movement on the database, you will need to resume the database manually. For information about how to resume an availability database, see SQL Server Books Online.) |'Application_MSSQL$APP2_written'=1643871303;0;1644406903;; 'count'=1;0;0;;

Not working with id regexp '35264'
./check_nsc_web -u https://10.241.175.12:18443/ -p 'xxxxxxxxx' -k -t 30 check_eventlog "filter=log = 'Application' and source regexp 'MSSQL.*' and id regexp '35264'" scan-range=-2w show-all "warn=count gt 0" "critical=written > -5m" "unique=1"
OK: No entries found |'count'=0;0;0;;

Working with id in ('35264')
./check_nsc_web -u https://10.241.175.12:18443 -p 'xxxxxxxxx' -k -t 30 check_eventlog "filter=log = 'Application' and source regexp 'MSSQL.*' and id in ('35264')" scan-range=-2w show-all "warn=count gt 0" "critical=written > -5m" "unique=1"
WARNING: 1 message(s) warning(Application MSSQL$APP2 (Always On Availability Groups data movement for database 'uniflow' has been suspended for the following reason: "system" (Source ID 4; Source string: 'SUSPEND_FROM_APPLY'). To resume data movement on the database, you will need to resume the database manually. For information about how to resume an availability database, see SQL Server Books Online.)), Application MSSQL$APP2 (Always On Availability Groups data movement for database 'uniflow' has been suspended for the following reason: "system" (Source ID 4; Source string: 'SUSPEND_FROM_APPLY'). To resume data movement on the database, you will need to resume the database manually. For information about how to resume an availability database, see SQL Server Books Online.) |'Application_MSSQL$APP2_written'=1643871303;0;1644846132;; 'count'=1;0;0;;

Not working with id in ('893','35264')
./check_nsc_web -u https://10.241.175.12:18443 -p 'xxxxxxx' -k -t 30 check_eventlog "filter=log = 'Application' and source regexp 'MSSQL.*' and id in ('893','35264')" scan-range=-2w show-all "warn=count gt 0" "critical=written > -5m" "unique=1"
OK: No entries found |'count'=0;0;0;;

Expected Behavior

Each of the above filters should return the EventID '35264'

Actual Behavior

Regexp filter returns no events when '35264' is specified
In filter only works with a single ID in the filter; adding a second ID to the filter list returns no events

Details

  • NSClient++ version: 0.5.2.38
  • OS and Version: Windows Server 2019
  • Checking from: Naemon
  • Checking with: check_nsc_web and check_eventlog

Additional Details

NSClient++ log:

PLEASE PASTE LOG HERE