Hello together,

i have to arc enabled on-prem windows server VMs and have a DCR configured for collecting specific Eventlogs:

"dataSources": {
            "performanceCounters": [
                {
                    "streams": [
                        "Microsoft-Perf",
                        "Microsoft-InsightsMetrics"
                    ],
                    "samplingFrequencyInSeconds": 10,
                    "counterSpecifiers": [
                        "\\Processor Information(_Total)\\% Processor Time",
                        "\\System\\System Up Time",
                        "\\Memory\\Available Bytes",
                        "\\LogicalDisk(*)\\% Free Space"
                    ],
                    "name": "perfCounterDataSource10"
                }
            ],
            "windowsEventLogs": [
                {
                    "streams": [
                        "Microsoft-Event"
                    ],
                    "xPathQueries": [
                        "Veeam Backup!*[System[EventID=190]]",
                        "System!*[System[EventID=7036] and System/Provider[@Name='Service Control Manager'] and EventData/Data[@Name='param1']='Themes' or EventData/Data[@Name='param1']='Windows Update']"
                    ],
                    "name": "eventLogsDataSource"
                }
            ]
        },

For testing purpose, i want the event logs regarding Windows Update Service and Themes Service. (and Veeam Backup)

But doesn't receive any eventlogs? I would need some help to troubleshoot a scenario like this.

Thank you very much in advance!