OSSEC 2.8.3: getting authentication alerts from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

On OSSEC 2.8.3 I am trying to get alerts only for RDP authentications from Windows agents.

These events are shown in the client's event log Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational, for example with event ID 1149.

I have in my Windows agent's conf file:

  <localfile>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

On the server, in my local_rules.xml, I have:

  <group name="rdesktop">
    <rule id="100888" level="1">
      <match>Remote Desktop Services</match>
      <description>Remote Desktop Connection Established</description>
    </rule>
  </group>

I get no messages from the remote client (which does send alerts if I use Security).

I see some traffic from client to server with tcpdump if I generate 1149 logon events, but no evidence, even with yes in the OSSEC server.

Can anyone share some insight?

Many thanks.

asked 24 August 2017 at 11:20
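As an added example that is not part of the original question or of OSSEC's own rule set, here is how the same alert is usually written for OSSEC: the custom rule is chained under the stock Windows parent rule 18100 with `<if_sid>`, the way the shipped Windows rules are, and it keys on the decoded event ID instead of on free text in the message. This assumes rule 18100 is loaded (it ships with the default rule set), that the eventchannel line reaches the server in the standard WinEvtLog form so the stock Windows decoder populates the `id` field, and that event 1149 is the one wanted; the rule IDs 100888/100889 and the alert levels are illustrative choices.

```xml
<!-- local_rules.xml fragment: added example, not the poster's or OSSEC's own rules.
     Assumptions: stock parent rule 18100 (category windows) is loaded, and the
     eventchannel line is decoded by the stock "windows" decoder so that the
     event number is available as the id field. Rule IDs and levels are illustrative. -->
<group name="rdesktop,windows,">

  <!-- Match on the event number, not on message text that can change with locale -->
  <rule id="100888" level="5">
    <if_sid>18100</if_sid>
    <id>^1149$</id>
    <description>Remote Desktop Services: RDP user authentication succeeded (event 1149)</description>
  </rule>

  <!-- Narrow to the TerminalServices channel, in case another Windows log
       reuses event number 1149 -->
  <rule id="100889" level="5">
    <if_sid>100888</if_sid>
    <match>RemoteConnectionManager/Operational</match>
    <description>RDP authentication seen on the TerminalServices channel (event 1149)</description>
  </rule>

</group>
```

Two checks go with this. First, confirm the event reaches the server at all: set `<logall>yes</logall>` in the `<global>` section of the server's ossec.conf, restart, generate a 1149 event, and look in logs/archives/archives.log for a `WinEvtLog: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational:` line containing `(1149)`. Second, paste that exact line into bin/ossec-logtest on the server; it prints which decoder and which rule fire, which separates "the agent never sent it" from "it arrived but no rule matched". Rules added to local_rules.xml are only loaded after the server is restarted.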
1 answer

Perhaps I'm misunderstanding. Do you need to add an options section to your local rules?

alert_by_email

answered 5 December 2019 at 07:28
