Added a new command to rpcclient: eventlog <log> where <log> is System,

Security or Application. That's a crude equivalent to the eventviewer.

	Jean Francois
(This used to be commit 66b4b896fbcabb964a427d0c0aa2f57997e0f6bb)

4 files changed, 664 insertions, 0 deletions

diff --git a/source3/include/rpc_eventlog.h b/source3/include/rpc_eventlog.h
new file mode 100644
index 0000000000..cc4d9fc62d
--- /dev/null
+++ b/source3/include/rpc_eventlog.h
@@ -0,0 +1,133 @@
+/* 
+   Unix SMB/Netbios implementation.
+   Version 1.9.
+   Interface header: Scheduler service
+   Copyright (C) Luke Kenneth Casson Leighton 1996-1999
+   Copyright (C) Andrew Tridgell 1992-1999
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifndef _RPC_EVENTLOG_H
+#define _RPC_EVENTLOG_H
+
+#define EVENTLOG_OPEN 0x07
+#define EVENTLOG_CLOSE 0x02
+#define EVENTLOG_NUMOFEVENTLOGRECORDS 0x04
+#define EVENTLOG_READEVENTLOG	0x0a
+
+#define EVENTLOG_READ_SEQUENTIAL	0x01
+#define EVENTLOG_READ_SEEK		0x02
+#define EVENTLOG_READ_FORWARD		0x04
+#define EVENTLOG_READ_BACKWARD		0x08
+
+#define EVENTLOG_OK			0X00
+#define EVENTLOG_ERROR			0x01
+#define EVENTLOG_WARNING		0x02
+#define EVENTLOG_INFORMATION		0x04
+#define EVENTLOG_AUDIT_OK		0x08
+#define EVENTLOG_AUDIT_ERROR		0x10
+
+typedef struct eventlogrecord
+{
+	uint32 size;
+	uint32 reserved;
+	uint32 recordnumber;
+	uint32 creationtime;
+	uint32 writetime;
+	uint32 eventnumber;
+	uint16 eventtype;
+	uint16 num_of_strings;
+	uint16 category;
+	uint16 reserved_flag;
+	uint32 closingrecord;
+	uint32 stringoffset;
+	uint32 sid_length;
+	uint32 sid_offset;
+	uint32 data_length;
+	uint32 data_offset;
+	UNISTR sourcename;
+	UNISTR computername;
+	UNISTR sid;
+	UNISTR strings;
+	UNISTR data;
+	uint32 size2;	
+} EVENTLOGRECORD;
+
+typedef struct eventlog_q_open
+{
+	uint32 ptr0;
+
+	uint16 unk0;
+	uint16 unk1;
+	uint16 unk2;
+	uint16 unk3;
+
+	uint32 ptr_source;	
+
+	UNISTR2 source;
+	
+	uint32 unk4;
+	uint32 unk5;
+	uint32 unk6;
+	uint32 unk7;
+} EVENTLOG_Q_OPEN;
+
+typedef struct eventlog_r_open
+{
+        POLICY_HND pol;
+        uint32 status;
+} EVENTLOG_R_OPEN;
+
+typedef struct eventlog_q_close
+{
+        POLICY_HND pol;
+} EVENTLOG_Q_CLOSE;
+
+typedef struct eventlog_r_close
+{
+        POLICY_HND pol;
+        uint32 status;
+} EVENTLOG_R_CLOSE;
+
+typedef struct eventlog_q_numofeventlogrec
+{
+        POLICY_HND pol;
+} EVENTLOG_Q_NUMOFEVENTLOGREC;
+
+typedef struct eventlog_r_numofeventlogrec
+{
+        uint32 number;
+        uint32 status;
+} EVENTLOG_R_NUMOFEVENTLOGREC;
+
+typedef struct eventlog_q_readeventlog
+{
+        POLICY_HND pol;
+	uint32 flags;
+	uint32 offset;
+	uint32 number_of_bytes;
+} EVENTLOG_Q_READEVENTLOG;
+
+typedef struct eventlog_r_readeventlog
+{
+	uint32 number_of_bytes;
+	EVENTLOGRECORD *event;
+	uint32 sent_size;
+	uint32 real_size;
+	uint32 status;
+} EVENTLOG_R_READEVENTLOG;
+
+#endif /* _RPC_EVENTLOG_H */
diff --git a/source3/rpc_client/cli_eventlog.c b/source3/rpc_client/cli_eventlog.c
new file mode 100644
index 0000000000..580f4f0dee
--- /dev/null
+++ b/source3/rpc_client/cli_eventlog.c
@@ -0,0 +1,201 @@
+/* 
+ *  Unix SMB/Netbios implementation.
+ *  Version 2.1.
+ *  RPC client routines: scheduler service
+ *  Copyright (C) Jean Francois Micouleau      1998-1999,
+ *  Copyright (C) Luke Kenneth Casson Leighton 1996-1999,
+ *  Copyright (C) Andrew Tridgell              1992-1999.
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+extern int DEBUGLEVEL;
+
+/****************************************************************************
+****************************************************************************/
+BOOL do_event_open(struct cli_state *cli, uint16 fnum, char *log, POLICY_HND *hnd)
+{
+	prs_struct rbuf;
+	prs_struct buf; 
+	EVENTLOG_Q_OPEN q;
+	BOOL p = False;
+	BOOL valid_pol = False;
+
+	prs_init(&buf , 1024, 4, SAFETY_MARGIN, False);
+	prs_init(&rbuf, 0   , 4, SAFETY_MARGIN, True );
+
+	/* store the parameters */
+	make_eventlog_q_open(&q, log);
+
+	/* turn parameters into data stream */
+	eventlog_io_q_open("", &q, &buf, 0);
+
+	/* send the data on \PIPE\ */
+	if (rpc_api_pipe_req(cli, fnum, EVENTLOG_OPEN, &buf, &rbuf))
+	{
+		EVENTLOG_R_OPEN r;
+
+		eventlog_io_r_open("", &r, &rbuf, 0);
+		p = rbuf.offset != 0;
+
+		if (p && r.status != 0)
+		{
+			/* report error code */
+			DEBUG(0,("do_event_open: %s\n", get_nt_error_msg(r.status)));
+			p = False;
+		}
+
+		if (p)
+		{
+			/*copy handle */
+			memcpy(hnd->data, r.pol.data, sizeof(hnd->data));
+			valid_pol = True;
+		}
+	}
+
+	prs_mem_free(&rbuf);
+	prs_mem_free(&buf );
+
+	return p;
+}
+
+/****************************************************************************
+****************************************************************************/
+BOOL do_event_close(struct cli_state *cli, uint16 fnum, POLICY_HND *hnd)
+{
+	prs_struct rbuf;
+	prs_struct buf; 
+	EVENTLOG_Q_CLOSE q;
+	BOOL p = False;
+
+	prs_init(&buf , 1024, 4, SAFETY_MARGIN, False);
+	prs_init(&rbuf, 0   , 4, SAFETY_MARGIN, True );
+
+	/* store the parameters */
+	make_eventlog_q_close(&q, hnd);
+
+	/* turn parameters into data stream */
+	eventlog_io_q_close("", &q, &buf, 0);
+
+	/* send the data on \PIPE\ */
+	if (rpc_api_pipe_req(cli, fnum, EVENTLOG_CLOSE, &buf, &rbuf))
+	{
+		EVENTLOG_R_CLOSE r;
+
+		eventlog_io_r_close("", &r, &rbuf, 0);
+		p = rbuf.offset != 0;
+
+		if (p && r.status != 0)
+		{
+			/* report error code */
+			DEBUG(0,("do_event_close: %s\n", get_nt_error_msg(r.status)));
+			p = False;
+		}
+
+	}
+
+	prs_mem_free(&rbuf);
+	prs_mem_free(&buf );
+
+	return p;
+}
+
+/****************************************************************************
+****************************************************************************/
+BOOL do_event_numofeventlogrec(struct cli_state *cli, uint16 fnum, POLICY_HND *hnd, uint32 *number)
+{
+	prs_struct rbuf;
+	prs_struct buf; 
+	EVENTLOG_Q_NUMOFEVENTLOGREC q;
+	BOOL p = False;
+
+	prs_init(&buf , 1024, 4, SAFETY_MARGIN, False);
+	prs_init(&rbuf, 0   , 4, SAFETY_MARGIN, True );
+
+	/* store the parameters */
+	make_eventlog_q_numofeventlogrec(&q, hnd);
+
+	/* turn parameters into data stream */
+	eventlog_io_q_numofeventlogrec("", &q, &buf, 0);
+
+	/* send the data on \PIPE\ */
+	if (rpc_api_pipe_req(cli, fnum, EVENTLOG_NUMOFEVENTLOGRECORDS, &buf, &rbuf))
+	{
+		EVENTLOG_R_NUMOFEVENTLOGREC r;
+
+		eventlog_io_r_numofeventlogrec("", &r, &rbuf, 0);
+		p = rbuf.offset != 0;
+
+		if (p && r.status != 0)
+		{
+			/* report error code */
+			DEBUG(0,("do_event_close: %s\n", get_nt_error_msg(r.status)));
+			p = False;
+		}
+
+		if (p)
+		{
+			*number=r.number;
+		}
+	}
+
+	prs_mem_free(&rbuf);
+	prs_mem_free(&buf );
+
+	return p;
+}
+
+/****************************************************************************
+****************************************************************************/
+BOOL do_event_readeventlog(struct cli_state *cli, uint16 fnum, POLICY_HND *hnd, 
+                           uint32 number, uint32 flags, uint32 offset, 
+			   uint32 *number_of_bytes, EVENTLOGRECORD *ev)
+{
+	prs_struct rbuf;
+	prs_struct buf; 
+	EVENTLOG_Q_READEVENTLOG q;
+	EVENTLOG_R_READEVENTLOG r;
+	BOOL p = False;
+
+	prs_init(&buf , 1024, 4, SAFETY_MARGIN, False);
+	prs_init(&rbuf, 0   , 4, SAFETY_MARGIN, True );
+
+	/* store the parameters */
+	make_eventlog_q_readeventlog(&q, hnd, flags, offset, *number_of_bytes);
+
+	/* turn parameters into data stream */
+	eventlog_io_q_readeventlog("", &q, &buf, 0);
+
+	/* send the data on \PIPE\ */
+	if (rpc_api_pipe_req(cli, fnum, EVENTLOG_READEVENTLOG, &buf, &rbuf))
+	{
+		r.event=ev;
+		eventlog_io_r_readeventlog("", &r, &rbuf, 0);
+		p = rbuf.offset != 0;
+
+		if (p)
+		{
+			*number_of_bytes=r.real_size;		
+		}
+	}
+
+	prs_mem_free(&rbuf);
+	prs_mem_free(&buf );
+
+	return p;
+}
+
diff --git a/source3/rpc_parse/parse_eventlog.c b/source3/rpc_parse/parse_eventlog.c
new file mode 100644
index 0000000000..5173bd2cad
--- /dev/null
+++ b/source3/rpc_parse/parse_eventlog.c
@@ -0,0 +1,236 @@
+/* 
+ *  Unix SMB/Netbios implementation.
+ *  Version 1.9.
+ *  RPC Pipe client / server routines
+ *  Copyright (C) Andrew Tridgell              1992-1998,
+ *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
+ *  Copyright (C) Jean François Micouleau      1998-1999.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+ 
+#include "includes.h"
+
+extern int DEBUGLEVEL;
+
+/*******************************************************************
+********************************************************************/  
+void make_eventlog_q_open(EVENTLOG_Q_OPEN *q_u, char *journal)
+{
+	q_u->ptr0=0x1;
+
+	q_u->unk0=0x5c;
+	q_u->unk1=0x01;
+
+	q_u->unk2=2*(strlen(journal)+1);
+	q_u->unk3=2*(strlen(journal)+1);
+
+	q_u->ptr_source=0x01;	
+	make_buf_unistr2(&(q_u->source), &(q_u->ptr_source), journal);
+	
+	q_u->unk4=0x00;
+	q_u->unk5=0x00;
+	q_u->unk6=0x01;
+	q_u->unk7=0x01;
+}
+
+/*******************************************************************
+********************************************************************/  
+void eventlog_io_q_open(char *desc, EVENTLOG_Q_OPEN *q_u, prs_struct *ps, int depth)
+{
+	prs_debug(ps, depth, desc, "eventlog_io_q_open");
+	depth++;
+
+	prs_align(ps);
+
+	prs_uint32("ptr0", ps, depth, &(q_u->ptr0));
+
+	prs_uint16("unk0", ps, depth, &(q_u->unk0));
+	prs_uint16("unk1", ps, depth, &(q_u->unk1));
+	prs_uint16("unk2", ps, depth, &(q_u->unk2));
+	prs_uint16("unk3", ps, depth, &(q_u->unk3));
+
+	prs_uint32("ptr_source", ps, depth, &(q_u->ptr_source));	
+
+	smb_io_unistr2("", &(q_u->source), q_u->ptr_source, ps, depth);
+	prs_align(ps);
+
+	prs_uint32("unk4", ps, depth, &(q_u->unk4));	
+	prs_uint32("unk5", ps, depth, &(q_u->unk5));
+	prs_uint32("unk6", ps, depth, &(q_u->unk6));
+	prs_uint32("unk7", ps, depth, &(q_u->unk7));
+}
+
+/*******************************************************************
+********************************************************************/  
+void eventlog_io_r_open(char *desc, EVENTLOG_R_OPEN *r_u, prs_struct *ps, int depth)
+{
+	prs_debug(ps, depth, desc, "eventlog_io_r_open");
+	depth++;
+
+	prs_align(ps);
+	smb_io_pol_hnd("", &(r_u->pol), ps, depth);
+	prs_uint32("status", ps, depth, &(r_u->status));
+}
+
+/*******************************************************************
+********************************************************************/  
+void make_eventlog_q_close(EVENTLOG_Q_CLOSE *q_u, POLICY_HND *pol)
+{
+	memcpy(&(q_u->pol.data), pol->data, sizeof(q_u->pol.data));
+
+}
+
+/*******************************************************************
+********************************************************************/  
+void eventlog_io_q_close(char *desc, EVENTLOG_Q_CLOSE *q_u, prs_struct *ps, int depth)
+{
+	prs_debug(ps, depth, desc, "eventlog_io_q_close");
+	depth++;
+
+	prs_align(ps);
+	smb_io_pol_hnd("", &(q_u->pol), ps, depth);
+
+}
+
+/*******************************************************************
+********************************************************************/  
+void eventlog_io_r_close(char *desc, EVENTLOG_R_CLOSE *r_u, prs_struct *ps, int depth)
+{
+	prs_debug(ps, depth, desc, "eventlog_io_r_close");
+	depth++;
+
+	prs_align(ps);
+	smb_io_pol_hnd("", &(r_u->pol), ps, depth);
+	prs_uint32("status", ps, depth, &(r_u->status));
+}
+
+/*******************************************************************
+********************************************************************/  
+void make_eventlog_q_numofeventlogrec(EVENTLOG_Q_NUMOFEVENTLOGREC *q_u, POLICY_HND *pol)
+{
+	memcpy(&(q_u->pol.data), pol->data, sizeof(q_u->pol.data));
+
+}
+
+/*******************************************************************
+********************************************************************/  
+void eventlog_io_q_numofeventlogrec(char *desc,EVENTLOG_Q_NUMOFEVENTLOGREC  *q_u, prs_struct *ps, int depth)
+{
+	prs_debug(ps, depth, desc, "eventlog_io_q_numofeventlogrec");
+	depth++;
+
+	prs_align(ps);
+	smb_io_pol_hnd("", &(q_u->pol), ps, depth);
+
+}
+
+/*******************************************************************
+********************************************************************/  
+void eventlog_io_r_numofeventlogrec(char *desc, EVENTLOG_R_NUMOFEVENTLOGREC *r_u, prs_struct *ps, int depth)
+{
+	prs_debug(ps, depth, desc, "eventlog_io_r_numofeventlogrec");
+	depth++;
+
+	prs_align(ps);
+	prs_uint32("number", ps, depth, &(r_u->number));
+	prs_uint32("status", ps, depth, &(r_u->status));
+}
+
+/*******************************************************************
+********************************************************************/  
+void make_eventlog_q_readeventlog(EVENTLOG_Q_READEVENTLOG *q_u, POLICY_HND *pol,
+                                  uint32 flags, uint32 offset, uint32 number_of_bytes)
+{
+	memcpy(&(q_u->pol.data), pol->data, sizeof(q_u->pol.data));
+	q_u->flags=flags;
+	q_u->offset=offset;
+	q_u->number_of_bytes=number_of_bytes;
+}
+
+/*******************************************************************
+********************************************************************/  
+void eventlog_io_q_readeventlog(char *desc, EVENTLOG_Q_READEVENTLOG *q_u, prs_struct *ps, int depth)
+{
+	prs_debug(ps, depth, desc, "eventlog_io_q_readeventlog");
+	depth++;
+
+	prs_align(ps);
+	smb_io_pol_hnd("", &(q_u->pol), ps, depth);
+	prs_uint32("flags",           ps, depth, &(q_u->flags));
+	prs_uint32("offset",          ps, depth, &(q_u->offset));
+	prs_uint32("number_of_bytes", ps, depth, &(q_u->number_of_bytes));
+}
+
+/*******************************************************************
+********************************************************************/  
+static void eventlog_io_eventlog(char *desc, EVENTLOGRECORD *ev, prs_struct *ps, int depth)
+{
+	prs_debug(ps, depth, desc, "eventlog_io_eventlog");
+	depth++;
+
+	prs_align(ps);
+	prs_uint32("size", ps, depth, &(ev->size));	
+	prs_uint32("reserved", ps, depth, &(ev->reserved));
+	prs_uint32("recordnumber", ps, depth, &(ev->recordnumber));
+	prs_uint32("creationtime", ps, depth, &(ev->creationtime));
+	prs_uint32("writetime", ps, depth, &(ev->writetime));
+	prs_uint32("eventnumber", ps, depth, &(ev->eventnumber));
+	
+	prs_uint16("eventtype", ps, depth, &(ev->eventtype));
+	prs_uint16("num_of_strings", ps, depth, &(ev->num_of_strings));
+	prs_uint16("category", ps, depth, &(ev->category));
+	prs_uint16("reserved_flag", ps, depth, &(ev->reserved_flag));
+
+	prs_uint32("closingrecord", ps, depth, &(ev->closingrecord));
+	prs_uint32("stringoffset", ps, depth, &(ev->stringoffset));
+	prs_uint32("sid_length", ps, depth, &(ev->sid_length));
+	prs_uint32("sid_offset", ps, depth, &(ev->sid_offset));
+	prs_uint32("data_length", ps, depth, &(ev->data_length));
+	prs_uint32("data_offset", ps, depth, &(ev->data_offset));
+	
+	smb_io_unistr("", &(ev->sourcename), ps, depth);	
+	smb_io_unistr("", &(ev->computername), ps, depth);
+	
+	if (ev->sid_length!=0)
+		smb_io_unistr("", &(ev->sid), ps, depth);
+	
+	if (ev->num_of_strings!=0)
+		smb_io_unistr("", &(ev->strings),ps, depth);
+	
+	if (ev->data_length)
+		smb_io_unistr("", &(ev->data), ps, depth);
+
+	prs_uint32("size2", ps, depth, &(ev->size2));	
+}
+
+/*******************************************************************
+********************************************************************/  
+void eventlog_io_r_readeventlog(char *desc, EVENTLOG_R_READEVENTLOG *r_u, prs_struct *ps, int depth)
+{
+	prs_debug(ps, depth, desc, "eventlog_io_r_readeventlog");
+	depth++;
+
+	prs_align(ps);
+	prs_uint32("number_of_bytes", ps, depth, &(r_u->number_of_bytes));
+
+	if (r_u->number_of_bytes!= 0)
+		eventlog_io_eventlog("", r_u->event, ps, depth);
+
+	prs_uint32("sent_size", ps, depth, &(r_u->sent_size));		
+	prs_uint32("real_size", ps, depth, &(r_u->real_size));
+	prs_uint32("status", ps, depth, &(r_u->status));	
+}
+
diff --git a/source3/rpcclient/cmd_eventlog.c b/source3/rpcclient/cmd_eventlog.c
new file mode 100644
index 0000000000..e6e10c44eb
--- /dev/null
+++ b/source3/rpcclient/cmd_eventlog.c
@@ -0,0 +1,94 @@
+/* 
+   Unix SMB/Netbios implementation.
+   Version 2.1.
+   Copyright (C) Luke Kenneth Casson Leighton 1996-1999,
+   Copyright (C) Andrew Tridgell              1994-1999,
+   Copyright (C) Jean Francois Micouleau      1998-1999.
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+
+#ifdef SYSLOG
+#undef SYSLOG
+#endif
+
+#include "includes.h"
+#include "nterr.h"
+
+extern int DEBUGLEVEL;
+
+#define DEBUG_TESTING
+
+extern struct cli_state *smb_cli;
+extern FILE* out_hnd;
+
+
+/****************************************************************************
+****************************************************************************/
+void cmd_eventlog(struct client_info *info)
+{
+	uint16 nt_pipe_fnum;
+	BOOL res = True;
+	POLICY_HND hnd;
+	uint32 number;
+	uint32 flags;
+	uint32 offset;
+	uint32 num_of_bytes;
+	EVENTLOGRECORD ev;
+	
+	fstring journal;
+	fstring temp;
+	
+	flags=EVENTLOG_READ_SEQUENTIAL|EVENTLOG_READ_BACKWARD;
+
+	while (next_token(NULL, temp, NULL, sizeof(temp)))
+	{
+		fstrcpy(journal, temp);
+	}
+
+	/* open scheduler session. */
+	res = res ? cli_nt_session_open(smb_cli, PIPE_EVENTLOG, &nt_pipe_fnum) : False;
+
+	res = res ? do_event_open(smb_cli, nt_pipe_fnum, journal, &hnd) : False;
+
+	res = res ? do_event_numofeventlogrec(smb_cli, nt_pipe_fnum, &hnd, &number) : False;
+	
+	fprintf(out_hnd, "Number of events: %d\n", number);
+
+	display_eventlog_eventrecord(out_hnd, ACTION_HEADER, &ev);
+
+	for (offset=0; offset<number; offset++)
+	{
+		num_of_bytes=0;
+	
+		/* try once with a empty buffer */
+		res = res ? do_event_readeventlog(smb_cli, nt_pipe_fnum, &hnd, number, 
+						  flags, offset, &num_of_bytes, &ev) : False;
+	
+		/* and try again with the correct size */
+		res = res ? do_event_readeventlog(smb_cli, nt_pipe_fnum, &hnd, number, 
+						  flags, offset, &num_of_bytes, &ev) : False;
+
+		display_eventlog_eventrecord(out_hnd, ACTION_ENUMERATE, &ev);
+	}
+
+	display_eventlog_eventrecord(out_hnd, ACTION_FOOTER, &ev);
+			
+	res = res ? do_event_close(smb_cli, nt_pipe_fnum, &hnd): False;
+
+	/* close the session */
+	cli_nt_session_close(smb_cli, nt_pipe_fnum);
+}