4.9.6. eventlog interface

4.9.6. eventlog interface
Prev	4.9. Windows core MSRPC interfaces	Next

The eventlog interface can be used to access to Windows NT eventlogs.

IDL (Interface Definition Language) for the eventlog interface is available in Samba 4 [57].

Table 4.20. eventlog operations

Interface	Operation number	Operation name	Windows API
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0: eventlog
	0x00	ElfrClearELFW	ClearEventLog
	0x01	ElfrBackupELFW	BackupEventLog
	0x02	ElfrCloseEL	CloseEventLog
	0x03	ElfrDeregisterEventSource	DeregisterEventSource
	0x04	ElfrNumberOfRecords	GetNumberOfEventLogRecords
	0x05	ElfrOldestRecord	GetOldestEventLogRecord
	0x06	ElfrChangeNotify	NofifyChangeEventLog
	0x07	ElfrOpenELW	OpenEventLog
	0x08	ElfrRegisterEventSourceW	RegisterEventSource
	0x09	ElfrOpenBELW	OpenBackupEventlog
	0x0a	ElfrReadELW	ReadEventLog
	0x0b	ElfrReportEventW	ReportEvent
	0x0c	ElfrClearELFA	ClearEventLog
	0x0d	ElfrBackupELFA	BackupEventLog
	0x0e	ElfrOpenELA	OpenEventLog
	0x0f	ElfrRegisterEventSourceA	RegisterEventSource
	0x10	ElfrOpenBELA	OpenBackupEventlog
> Windows 2000	0x11	ElfrReadELA	ReadEventLog
-	0x12	ElfrReportEventA	ReportEvent
-	0x13	ElfrRegisterClusterSvc
-	0x14	ElfrDeregisterClusterSvc
-	0x15	ElfrWriteClusterEvents
-	0x16	ElfrGetLogInformation	GetEventLogInformation
> Windows XP	0x17	ElfrFlushEL
> Windows Server 2003	0x18	ElfrReportEventAndSourceW

Operations in the eventlog interface that take Unicode strings as parameters end with W and operations that take ASCII strings as parameters end with A.

Opening an eventlog:

ElfrOpenELW (0x07)
ElfrOpenELA (0x0e)

Obtaining general information about an opened eventlog:

ElfrGetLogInformation (0x16)

Opening the backup of an eventlog:

ElfrOpenBELW (0x09)
ElfrOpenBELA (0x10)

Obtaining the number of records in an opened eventlog:

ElfrNumberOfRecords (0x04)

Obtaining the oldest record number in an opened eventlog:

ElfrOldestRecord (0x05)

Reading records stored in an opened eventlog, the following operations are used:

ElfrReadELW (0x0a)
ElfrReadELA (0x11)

Backing up an opened eventlog:

ElfrBackupELFW (0x01)
ElfrBackupELFA (0x0d)

Clearing the content of an opened eventlog:

ElfrClearELFW (0x00)
ElfrClearELFA (0x0c)

Registering an event source (in the registry):

ElfrRegisterEventSourceW (0x08)
ElfrRegisterEventSourceA (0x0f)

Reporting an event in an opened eventlog:

ElfrReportEventW (0x0b)
ElfrReportEventA (0x12)

Flushing an opened eventlog:

ElfrFlushEL (0x17)

Closing an opened eventlog:

ElfrCloseEL (0x02)

Prev	Up	Next
4.9.5. dssetup interface	Home	4.9.7. pnp interface