3.1.1.6 Logs
A log is a file system file containing events. Any channel has a log associated with it. In this case, the log is identified by using the channel identifier and is a live event log.
A log can also exist as a standalone file. In this case, the log is identified by using the file system path of that log file, which has no associated channel.
Logs have a set of properties which can be retrieved through the protocol method EvtGetLogFileInfo (as specified in section 3.1.4.15). Such properties are log creation time, last access time, last written time, log file size, extra attributes of the log, number of events in the log, oldest event record in the log, and the log full flag.
A log file usually consists of file header and file body. The header SHOULD contain metadata information of the event log itself. A recommended header SHOULD at least contain the following:
BOOL isLogFull: This flag indicates the log is full.
unsigned__int64 oldestRecordNumber: The oldest event log record ID in the log file.
unsigned__int64 numberOfRecords: The number of event log records in the log file.
unsigned__int64 curPhysicalRecordNumber: The physical record number of the latest record in the log file.
The server does not maintain these fields. These fields are maintained by publishers as events are added to the log file.
The log body consists of all the event records in binXML format (as specified in section 3.1.4.7).
The log file associated with a channel is maintained and updated by the server. This protocol assumes that the log files associated with channels are in the format described above. Note that rules for creating such files are out of scope for this protocol.
Through this protocol, the events in a channel (which are stored in a live event log file) can be exported into a standalone log file by the method EvtRpcExportLog as specified in section 3.1.4.17. This protocol defines other methods by which clients can manage log files and obtain information about them.
Note A subset of the log files is logically shared with the abstract data model of the obsolete Eventlog Remote Protocol (as specified in [MS-EVEN]), if it is also supported. That is, all log files accessible with the original Eventlog Remote Protocol (as specified in [MS-EVEN]) are also accessible via this protocol (Eventlog Remote Protocol Version 6.0), but not necessarily vice versa.