4.9.6. eventlog interface

The eventlog interface can be used to access Windows NT eventlogs.

IDL (Interface Definition Language) for the eventlog interface is available in Samba 4 [57].

Table 4.20. eventlog operations

Interface                                              Operation number  Operation name              Windows API
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0: eventlog
                                                       0x00              ElfrClearELFW               ClearEventLog
                                                       0x01              ElfrBackupELFW              BackupEventLog
                                                       0x02              ElfrCloseEL                 CloseEventLog
                                                       0x03              ElfrDeregisterEventSource   DeregisterEventSource
                                                       0x04              ElfrNumberOfRecords         GetNumberOfEventLogRecords
                                                       0x05              ElfrOldestRecord            GetOldestEventLogRecord
                                                       0x06              ElfrChangeNotify            NotifyChangeEventLog
                                                       0x07              ElfrOpenELW                 OpenEventLog
                                                       0x08              ElfrRegisterEventSourceW    RegisterEventSource
                                                       0x09              ElfrOpenBELW                OpenBackupEventLog
                                                       0x0a              ElfrReadELW                 ReadEventLog
                                                       0x0b              ElfrReportEventW            ReportEvent
                                                       0x0c              ElfrClearELFA               ClearEventLog
                                                       0x0d              ElfrBackupELFA              BackupEventLog
                                                       0x0e              ElfrOpenELA                 OpenEventLog
                                                       0x0f              ElfrRegisterEventSourceA    RegisterEventSource
                                                       0x10              ElfrOpenBELA                OpenBackupEventLog
> Windows 2000                                         0x11              ElfrReadELA                 ReadEventLog
                                                       0x12              ElfrReportEventA            ReportEvent
                                                       0x13              ElfrRegisterClusterSvc
                                                       0x14              ElfrDeregisterClusterSvc
                                                       0x15              ElfrWriteClusterEvents
                                                       0x16              ElfrGetLogInformation       GetEventLogInformation
> Windows XP                                           0x17              ElfrFlushEL
> Windows Server 2003                                  0x18              ElfrReportEventAndSourceW

Operations in the eventlog interface that take Unicode strings as parameters end with W and operations that take ASCII strings as parameters end with A.
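As an added example that is not part of the original text, the following Python parses DCE/RPC bind and request PDUs and uses the interface UUID and operation numbers from Table 4.20 to report which eventlog operations a client invoked over a connection, marking the two ClearEventLog variants (the log-clearing calls a defender most wants to see). The PDU field layout is that of the DCE/RPC connection-oriented protocol; the sample PDUs, the helper names and the srvsvc interface UUID used for contrast are constructed or assumed for this demonstration.

```python
import struct
import uuid

EVENTLOG_UUID = uuid.UUID("82273fdc-e32a-18c3-3f78-827929dc23ea")   # Table 4.20, eventlog v0.0
OPNAMES = {0x00: "ElfrClearELFW", 0x02: "ElfrCloseEL", 0x07: "ElfrOpenELW", 0x0a: "ElfrReadELW",
           0x0c: "ElfrClearELFA", 0x17: "ElfrFlushEL"}             # opnums from Table 4.20
CLEAR_OPNUMS = {0x00, 0x0c}          # ClearEventLog, Unicode (W) and ASCII (A) variants
PTYPE_REQUEST, PTYPE_BIND = 0, 11    # PDU types in the DCE/RPC common header

def parse_pdu(data):
    """Extract the fields of one connection-oriented PDU needed to attribute a request to an interface."""
    vers, _, ptype, _, drep, _, _, call_id = struct.unpack_from("<BBBB4sHHI", data, 0)
    if vers != 5 or drep[0] >> 4 != 1:
        raise ValueError("expected a DCE/RPC v5 PDU with little-endian data representation")
    pdu = {"ptype": ptype, "call_id": call_id}
    if ptype == PTYPE_BIND:             # header(16) + max_xmit, max_recv, assoc_group, n_ctx
        n_ctx, off, ctxs = data[24], 28, {}
        for _ in range(n_ctx):          # context: id, n_transfer_syntaxes, pad, abstract syntax
            ctx_id, n_ts = struct.unpack_from("<HBx", data, off)
            ctxs[ctx_id] = uuid.UUID(bytes_le=data[off + 4:off + 20])
            off += 24 + 20 * n_ts       # abstract syntax (20 bytes) + transfer syntaxes (20 each)
        pdu["contexts"] = ctxs
    elif ptype == PTYPE_REQUEST:        # header(16) + alloc_hint(4), then context id and opnum
        pdu["ctx_id"], pdu["opnum"] = struct.unpack_from("<HH", data, 20)
    return pdu

def flag_eventlog_requests(pdus):
    """Return (call_id, operation name, clears_log) for each request sent on the eventlog interface."""
    eventlog_ctx, hits = set(), []
    for raw in pdus:
        pdu = parse_pdu(raw)
        if pdu["ptype"] == PTYPE_BIND:  # remember which presentation contexts were bound to eventlog
            eventlog_ctx |= {c for c, u in pdu["contexts"].items() if u == EVENTLOG_UUID}
        elif pdu["ptype"] == PTYPE_REQUEST and pdu["ctx_id"] in eventlog_ctx:
            op = pdu["opnum"]
            hits.append((pdu["call_id"], OPNAMES.get(op, "opnum 0x%02x" % op), op in CLEAR_OPNUMS))
    return hits
# Constructed sample PDUs (not a real capture); the srvsvc bind on context 1 checks that its opnum 0 is not reported as ElfrClearELFW.
def build_header(ptype, call_id, body_len):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\0\0\0", 16 + body_len, 0, call_id)
def build_bind(call_id, ctx_id, iface, ver):
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # NDR transfer syntax v2.0
    ctx = struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<HH", *ver) + ndr.bytes_le + b"\x02\0\0\0"
    body = struct.pack("<HHIB3x", 5840, 5840, 0, 1) + ctx      # max_xmit, max_recv, assoc_group, n_ctx
    return build_header(PTYPE_BIND, call_id, len(body)) + body
def build_request(call_id, ctx_id, opnum):
    return build_header(PTYPE_REQUEST, call_id, 8) + struct.pack("<IHH", 0, ctx_id, opnum)
SAMPLE_PDUS = [build_bind(1, 0, EVENTLOG_UUID, (0, 0)), build_request(2, 0, 0x07), build_request(3, 0, 0x00),
               build_bind(4, 1, uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188"), (3, 0)), build_request(5, 1, 0x00)]
```

Running flag_eventlog_requests(SAMPLE_PDUS) reports the ElfrOpenELW call and the ElfrClearELFW call on the eventlog context and ignores opnum 0 on the srvsvc context, which shows why the presentation context from the bind must be tracked before an opnum can be named.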

Opening an eventlog:

Obtaining general information about an opened eventlog:

Opening the backup of an eventlog:

Obtaining the number of records in an opened eventlog:

Obtaining the oldest record number in an opened eventlog:

Reading records stored in an opened eventlog, the following operations are used:

Backing up an opened eventlog:

Clearing the content of an opened eventlog:

Registering an event source (in the registry):

Reporting an event in an opened eventlog:

Flushing an opened eventlog:

Closing an opened eventlog: