From a5597d75d218bff810928d618f4ea41277e554a9 Mon Sep 17 00:00:00 2001
From: Günther Deschner <gd@samba.org>
Date: Fri, 23 Jan 2009 14:58:27 +0100
Subject: eventlog: add w32 on-disc EVENTLOG structures (*evt files).

Guenther
---
 librpc/idl/eventlog.idl | 70 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

(limited to 'librpc/idl')

diff --git a/librpc/idl/eventlog.idl b/librpc/idl/eventlog.idl
index 0826f59ed8..c0230f3693 100644
--- a/librpc/idl/eventlog.idl
+++ b/librpc/idl/eventlog.idl
@@ -90,6 +90,76 @@ import "lsa.idl", "security.idl";
 		uint32 padding;
 	} eventlog_Record_tdb;
 
+	typedef [v1_enum] enum {
+		ELF_LOGFILE_HEADER_DIRTY	= 0x0001,
+		ELF_LOGFILE_HEADER_WRAP		= 0x0002,
+		ELF_LOGFILE_LOGFULL_WRITTEN	= 0x0004,
+		ELF_LOGFILE_ARCHIVE_SET		= 0x0008
+	} EVENTLOG_HEADER_FLAGS;
+
+	typedef [public] struct {
+		[value(0x30)] uint32 HeaderSize;
+		[charset(DOS),value("LfLe")] uint8 Signature[4];
+		[value(1)] uint32 MajorVersion;
+		[value(1)] uint32 MinorVersion;
+		uint32 StartOffset;
+		uint32 EndOffset;
+		uint32 CurrentRecordNumber;
+		uint32 OldestRecordNumber;
+		uint32 MaxSize;
+		EVENTLOG_HEADER_FLAGS Flags;
+		uint32 Retention;
+		[value(0x30)] uint32 EndHeaderSize;
+	} EVENTLOGHEADER;
+
+	typedef [public,gensize] struct {
+		uint32 Length;
+		[charset(DOS),value("LfLe")] uint8 Reserved[4];
+		uint32 RecordNumber;
+		time_t TimeGenerated;
+		time_t TimeWritten;
+		uint32 EventID;
+		eventlogEventTypes EventType;
+		uint16 NumStrings;
+		uint16 EventCategory;
+		uint16 ReservedFlags;
+		uint32 ClosingRecordNumber;
+		uint32 StringOffset;
+		[value(ndr_size_dom_sid0(&UserSid, ndr->flags))] uint32 UserSidLength;
+		uint32 UserSidOffset;
+		uint32 DataLength;
+		uint32 DataOffset;
+		nstring SourceName;
+		nstring Computername;
+		[flag(NDR_ALIGN4),subcontext(0),subcontext_size(UserSidLength)] dom_sid0 UserSid;
+		nstring Strings[NumStrings];
+		[flag(NDR_PAHEX)] uint8 Data[DataLength];
+		astring Pad;
+		[value(Length)] uint32 Length2;
+	} EVENTLOGRECORD;
+
+	typedef [public] struct {
+		[value(0x28)] uint32 RecordSizeBeginning;
+		[value(0x11111111)] uint32 One;
+		[value(0x22222222)] uint32 Two;
+		[value(0x33333333)] uint32 Three;
+		[value(0x44444444)] uint32 Four;
+		uint32 BeginRecord;
+		uint32 EndRecord;
+		uint32 CurrentRecordNumber;
+		uint32 OldestRecordNumber;
+		[value(0x28)] uint32 RecordSizeEnd;
+	} EVENTLOGEOF;
+
+	/* the following is true for a non-wrapped evt file (e.g. backups
+	 * generated and viewed with eventvwr) */
+
+	typedef [public] struct {
+		EVENTLOGHEADER hdr;
+		EVENTLOGRECORD records[hdr.CurrentRecordNumber-hdr.OldestRecordNumber];
+		EVENTLOGEOF eof;
+	} EVENTLOG_EVT_FILE;
+
 	/******************/
 	/* Function: 0x00 */
 	NTSTATUS eventlog_ClearEventLogW(
-- 
cgit