Partager via


2.2.3 EVENTLOGRECORD

The EVENTLOGRECORD structure contains information on a single event. This structure is transferred as a set of bytes in the buffer passed in the ElfrReadELW (section 3.1.4.7) and ElfrReadELA (section 3.1.4.8) methods.

All integer fields in the EVENTLOGRECORD structure MUST be in little-endian byte order (that is, least significant byte first).

The string fields in this structure MUST be ANSI strings when this structure is used with ElfrReadELA (section 3.1.4.8) methods, and Unicode strings when this structure is used with ElfrReadELW (section 3.1.4.7) methods.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Length

Reserved

RecordNumber

TimeGenerated

TimeWritten

EventID

EventType

NumStrings

EventCategory

ReservedFlags

ClosingRecordNumber

StringOffset

UserSidLength

UserSidOffset

DataLength

DataOffset

SourceName (variable)

...

Computername (variable)

...

UserSidPadding (variable)

...

UserSid (variable)

...

Strings (variable)

...

Data (variable)

...

Padding (variable)

...

Length2

Length (4 bytes): Size in bytes of the structure. The size varies depending on the variable-length fields at the end of the structure.

Reserved (4 bytes): MUST be set to 0x654c664C (which is ASCII for eLfL). This serves as a signature for the structure.

RecordNumber (4 bytes): The record number, as defined in section 1.3.1. The RecordNumber is mapped directly from the record ID. The record ID is an unsigned int64 (an 8 byte number) that the server reads from the file and converts to an unsigned integer (a 4 byte number) when assigning the value to the RecordNumber field in the EVENTLOGRECORD structure. The conversion simply discards the higher 32 bits of Record ID and assigns the lower 32 bits of record ID to the RecordNumber.

TimeGenerated (4 bytes): Time when the event was generated. The time MUST be expressed as the number of seconds since 00:00:00 on January 1, 1970 (UTC). This value is supplied by the event source.

TimeWritten (4 bytes): Time when the event was written. The time MUST be expressed as the number of seconds since 00:00:00 on January 1, 1970 (UTC). This value is the time the event was written to the event log.

EventID (4 bytes): EventID generated by the event source, as specified in section 1.8.4.

EventType (2 bytes): Type of the event, as specified in section 1.3.1.

NumStrings (2 bytes): Number of strings in the Strings field. This MUST be between 0 and 256, inclusive. A value of zero indicates that no strings are present.

EventCategory (2 bytes): Event category, as specified in section 1.8.5.

ReservedFlags (2 bytes): Specifies whether or not the last string in the Strings field contains well-formed XML, as specified in [XML]. This MUST be one of the following two values.

Value

Meaning

0x0000

The event does not contain XML.

0x8000

The event contains XML.

ClosingRecordNumber (4 bytes): MUST be set to zero when sent and MUST be ignored on receipt.

StringOffset (4 bytes): This MUST be the offset in bytes from the beginning of the structure to the Strings field. If the Strings field is not present (NumStrings is zero), this can be set to any arbitrary value when sent and MUST be ignored on receipt by the client.

UserSidLength (4 bytes): Size in bytes of the user's security identifier, which is located within the UserSid field. If there is no UserSid field for this event, this field MUST be set to zero.

UserSidOffset (4 bytes): This MUST be the offset in bytes from the beginning of the structure to the UserSid field. If the UserSid field is not present (that is, if UserSidLength is zero), this can be set to any arbitrary value when sent and MUST be ignored by on receipt the client.

DataLength (4 bytes): This MUST be the size in bytes of the Data field. If the Data field is not used, this field MUST be set to zero.

DataOffset (4 bytes): This MUST be the offset in bytes from the beginning of the structure to the Data field. If the Data field is not present (that is, if DataLength is zero), this can be set to any arbitrary value when sent and MUST be ignored on receipt by the client.

SourceName (variable): Variable-length null-terminated string that specifies the name of the source that generated the event, as defined in section 1.8.2. The length of this field is calculated by seeking the NULL that terminates the string.

Computername (variable): Variable-length null-terminated string that assists in identifying the machine that generated the event. This string MUST NOT<8> be interpreted by the protocol, and can be in an arbitrary format.

In practice, the name of the computer. There are no character restrictions on this field's content (for example, a fully qualified domain name (FQDN) can be used).

The length of this field is calculated by seeking the NULL that terminates the string.

UserSidPadding (variable): MUST be zero or more bytes of padding, where the choice of length is implementation dependent. The padding can have any value, and MUST be ignored on receipt.<9>

UserSid (variable): Current user's security identifier, as defined by the RPC_SID structure. This parameter can be NULL if the security identifier is not required.

Strings (variable): Zero or more null-terminated strings containing information on the event. The NumStrings field contains the number of items in this field.

Data (variable): Event-specific binary data. This is supplied by the event source, and MUST NOT be interpreted by the protocol. This data is not always present. The DataLength field contains the length of this field. The DataOffset field contains the start of this field.

Padding (variable): The SourceName, ComputerName, UserSid, Strings, and Data fields can all vary in length. The UserSid, Strings, and Data fields MAY be zero bytes in length. The length of the entire structure up to this point, including these fields, MUST be divisible by 4. Therefore, up to 3 bytes of padding MUST be added to bring the length to a multiple of 4. The padding can have any value, and MUST be ignored on receipt.

Length2 (4 bytes): Same value as the Length field specified as the first member. By having two copies, a buffer containing many events can easily be navigated in both directions.