Checkeventlog : monitoring specifique ID



I have a question, I want to try monitoring the Windows Eventlog and monitoring a specifique ID and specific event

for exemple I want to monitoring specific GPO. I used this command

./check_nrpe -H -p 5666 -c CheckEventLog -a file=system MaxWarn=1 MaxCrit=1 "filter=generated > -24h AND severity = ‘error’ AND id=%ID-event% "

but i’m no sure about my result. which filter I need to used to check the value and how to do that ?

for example I have a specifique GPO who name " TOTO", and i want to verify that this GPO is applied on the system.

I used Nagios core 4.0.7 and NSclient 4.1.105


I find how to use Check event log I find how to use CheckEventLog however I want to monitoring GPO EventLog, I try to used file=‘Microsoft-Windows-GroupPolicy/Opérationnel’

mais la commande ./check_nrpe -H -p 5666 -c CheckEventLog -a file=‘Microsoft-Windows-GroupPolicy/Opérationnel’ MaxWarn=1 MaxCrit=1 "filter=generated gt -1h AND id NOT IN (‘7017’) " truncate=1000 unique descriptions “syntax=%severity%: %source%: %message% (%count%)”

But the command send a result irrelevent. for exemple when I check the log I have 7 errror with 7017 and the command return 0. and when i do IN NOT (‘7017’) the commend send other error came other eventLOG.

What is the best solution to monitoring the GPO EventLOG