Forward scheduled tasks Event Viewer logs using Infrastructure agent

In the Windows Event Viewer, logs are available under Applications and Services Logs/Microsoft/Windows/TaskScheduler/Operational. I’m looking to forward only events under this with particular Event IDs, e.g. 322.

How should this be defined in the logging.yml file? I’ve looked at the example here and in the winlog.yml.example file without any success.

  # entries for the application, system, powershell, and SCOM channels
  - name: windows-application
    winlog:
      channel: Application
  - name: windows-system
    winlog:
      channel: System
  - name: windows-pshell
    winlog:
      channel: Windows Powershell
  - name: scom
    winlog:
      channel: Operations Manager

Also, what are the implications of unintentionally forwarding a large number of events?

Hi @RunRun there are some helpful examples in our documentation.

Doing something like the Windows Defender example coupled with the examples for collecting event-ids should get you what you need.

Unintentionally forwarding a large number of logs would count towards the amount of data ingested by New Relic which could result in higher charges.

It’s possible that with a large enough amount of events you could see some rate limits as well which you can read about here.

Hope that helps!

Hi @troycox ,

I attempted the following in my C:\Program Files\New Relic\newrelic-infra\logging.d\logs.yml file but these events are not being forwarded even though I purposely generated scheduled task errors with those specific event IDs:

#  - name: windows-security
#    winlog:
#      channel: Security
#      collect-eventids:
#      - 4740
#      - 4728
#      - 4732
#      - 4756
#      - 4735
#      - 4624
#      - 4625
#      - 4648

#  - name: windows-application
#    winlog:
#      channel: Application

#  - name: newrelic-cli.log
#    file: C:\Users\Administrator.THEHOUSERULES\.newrelic\newrelic-cli.log
#    attributes:
#      newrelic-cli: true

  # Entry for Windows Task Scheduler Logs
  - name: windows-taskscheduler
    winlog:
      channel: Microsoft-Windows-TaskScheduler/Operational
      collect-eventids:
        - 101
        - 103
        - 203
        - 322
        - 329

Is there any other way to forward scheduled task run errors?

I noticed that removing the collect-eventids filtering from the above configuration results in some empty events appearing in New Relic > Logs but without the event messages, so just date and time.

I think there is a problem with Fluent-Bit as per this issue:

@troycox Do you have any information about the Fluent Bit v1.9.0.rc1?

Hi @RunRun you are correct there is a bug currently with Fluent Bit.

The Fluent Bit log forwarder is an open source project that is not directly handled by New Relic. We assume the fix will be included in the next Fluent Bit release. A summary of the issue is below.

Classic Windows EventLog channels are handled correctly.
But it looks like Microsoft-Windows-TaskScheduler/Operational is not one of the classic EventLog channels. “New” EventLog channels are stored with evtx format that is not handled correctly by winlog plugin and Fluent Bit.

The progress on this Issue and pull request can be tracked via the following links:

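A local check for the classic-versus-newer channel distinction described above, as an added example that is not part of the original thread or New Relic's own code: it reports whether the channel is enabled and classic, and counts recent events for the IDs from the posted logs.yml. The function name and its parameters are this example's own.

```powershell
# Added example: the function and parameter names are hypothetical, not from New Relic or Fluent Bit.
function Test-EventChannelForForwarding {
    [CmdletBinding()]
    param(
        [string] $Channel  = 'Microsoft-Windows-TaskScheduler/Operational',
        [int[]]  $EventIds = @(101, 103, 203, 322, 329),   # IDs from the logs.yml posted in the thread
        [int]    $Hours    = 24
    )

    # Channel metadata: does it exist, is it enabled, is it a classic EventLog channel?
    $log = Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel '$Channel' not found (check the name, and run elevated)."
        return
    }
    if (-not $log.IsEnabled) {
        Write-Warning "Channel '$Channel' is disabled, so no events are being recorded."
    }

    # Events that a collect-eventids filter with these IDs should match in the time window.
    # Get-WinEvent raises an error when nothing matches, so suppress it and count zero.
    $filter = @{ LogName = $Channel; Id = $EventIds; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Channel       = $log.LogName
        IsEnabled     = $log.IsEnabled
        IsClassicLog  = $log.IsClassicLog   # $false: a newer channel, the kind the thread says winlog mishandles
        RecordCount   = $log.RecordCount
        MatchingTotal = $events.Count
        CountById     = ($events | Group-Object Id | Sort-Object Name |
                          ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        SampleMessage = ($events | Select-Object -First 1).Message
    }
}

Test-EventChannelForForwarding | Format-List
```

If `MatchingTotal` is non-zero and `SampleMessage` is populated locally while the forwarded records arrive empty, the events exist on the host and the loss is happening in the forwarder rather than in the filter.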

The issue has been fixed in fluent-bit since version 1.9.0, by the introduction of a new plugin - winevtlog: add new winevtlog input plugin (#4179)

winevtlog: Implement winevtlog plugin by cosmo0920 · Pull Request #4179 · fluent/fluent-bit

The latest version of the infrastructure agent (1.24.2) includes fluent-bit 1.9.1, but unfortunately you are still using the old plugin, e.g. winlog, so the issue still exists.

Are you able to confirm that you are working on an update to the infrastructure agent to call the new plugin, e.g. winevtlog?

Hi @Mark.Davies1

Thank you for reaching back out. Currently @troycox is out of office, I will loop him in and request he reply via this post to your update.

Hi @Mark.Davies1, while I can’t speak for the particular team working on that product or their road-map we are always working to improve our platforms.

Since this particular change is tied to the fluentbit version I would recommend keeping an eye on our release notes for changes to the underlying version of fluentbit.


Hi, does this problem persist? There is a way to read those events by another means and for New Relic to count those that are errors.

Hi, @Nicole_Pina: You might try the Windows Event Log integration and see if it does what you need.

I need to read the logs of Microsoft-Windows-TaskScheduler/Operational

You will have to try it and see if it works.

If that link you give me is blocked because it is a github. And my question was in relation to FluentBit.

Hey @Nicole_Pina,

Were you ever able to access the page that was linked above? I am not having issues with accessing this and I want to make sure you are not having troubles still.

The error persists:


Hello @Nicole_Pina,

Do you have the updated agent version, and fluent bit packaged by our agent?

Best Regards
Yasahswi verma

The server has the 1.27.1 Infrastructure Agent version, and yes, the fluent-bit is the original:



Hi, Update the agent version but the error remains. Even for other channels, how can the bug be reported to New Relic?


Thank you for the additional context here.

I have gone ahead and looped in the support engineer here for logs, as I cannot pinpoint why this is still persisting.

The tricky part is fluentbit is 3rd party but I must admit it usually works. It's possible the logs format is off, which could be causing the issue. Can you send a direct message to me with a sample of the logs formatting? It may aid the support engineer here.

What format of the log do you need? Event Viewer, Task scheduler or New Relic