ReadEventLog function

Reads the specified number of entries from the specified event log. The function can be used to read log entries in chronological or reverse chronological order.

Syntax


BOOL ReadEventLog(
  _In_   HANDLE hEventLog,
  _In_   DWORD dwReadFlags,
  _In_   DWORD dwRecordOffset,
  _Out_  LPVOID lpBuffer,
  _In_   DWORD nNumberOfBytesToRead,
  _Out_  DWORD *pnBytesRead,
  _Out_  DWORD *pnMinNumberOfBytesNeeded
);

Parameters

hEventLog [in]

A handle to the event log to be read. The OpenEventLog function returns this handle.

dwReadFlags [in]

Use the following flag values to indicate how to read the log file. This parameter must include one of the following values (the flags are mutually exclusive).

Value / Meaning

EVENTLOG_SEEK_READ (0x0002)

Begin reading from the record specified in the dwRecordOffset parameter.

This option may not work with large log files if the function cannot determine the log file's size. For details, see Knowledge Base article 177199.

EVENTLOG_SEQUENTIAL_READ (0x0001)

Read the records sequentially. If this is the first read operation, the EVENTLOG_FORWARDS_READ or EVENTLOG_BACKWARDS_READ flag determines which record is read first.

You must specify one of the following flags to indicate the direction for successive read operations (the flags are mutually exclusive).

Value / Meaning

EVENTLOG_FORWARDS_READ (0x0004)

The log is read in chronological order (oldest to newest). This is the default.

EVENTLOG_BACKWARDS_READ (0x0008)

The log is read in reverse chronological order (newest to oldest).

dwRecordOffset [in]

The record number of the log entry at which the read operation should start. This parameter is ignored unless dwReadFlags includes the EVENTLOG_SEEK_READ flag.

lpBuffer [out]

An application-allocated buffer that will receive one or more EVENTLOGRECORD structures. This parameter cannot be NULL, even if the nNumberOfBytesToRead parameter is zero.

The maximum size of this buffer is 0x7ffff bytes.

nNumberOfBytesToRead [in]

The size of the lpBuffer buffer, in bytes. This function will read as many log entries as will fit in the buffer; the function will not return partial entries.

pnBytesRead [out]

A pointer to a variable that receives the number of bytes read by the function.

pnMinNumberOfBytesNeeded [out]

A pointer to a variable that receives the required size of the lpBuffer buffer. This value is valid only if this function returns zero and GetLastError returns ERROR_INSUFFICIENT_BUFFER.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks

When this function returns successfully, the read position in the event log is adjusted by the number of records read.

Note  The configured file name for this source may also be the configured file name for other sources (several sources can exist as subkeys under a single log). Therefore, this function may return events that were logged by more than one source.

Examples

For an example, see Querying for Event Information.
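
The following is an added example, not part of Microsoft's documentation: portable C that walks the bytes ReadEventLog places in lpBuffer and bounds-checks each record's Length, signature and SID/data ranges before anything dereferences them, which matters when the log may be damaged or tampered with. EvtRecord is a local mirror of EVENTLOGRECORD (layout assumed to match the Windows header), walk_records and put_record are hypothetical helper names, and the sample records are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Local mirror of the 56-byte fixed EVENTLOGRECORD header so this builds
   without Windows.h (assumption: same field order as the Windows struct). */
typedef struct {
    uint32_t Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
             DataLength, DataOffset;
} EvtRecord;
#define EVT_SIGNATURE 0x654c664cu /* expected value of the Reserved field */

/* Walk bytes_read (*pnBytesRead) bytes of lpBuffer; store up to max record
   numbers in out. Returns the record count, or -1 on a malformed record. */
int walk_records(const uint8_t *buf, uint32_t bytes_read, uint32_t *out, int max)
{
    uint32_t off = 0, tail;
    int count = 0;
    while (off < bytes_read) {
        EvtRecord r;
        if (bytes_read - off < sizeof r) return -1;   /* truncated header */
        memcpy(&r, buf + off, sizeof r);              /* avoid unaligned reads */
        if (r.Reserved != EVT_SIGNATURE) return -1;
        if (r.Length < sizeof r + 4 || r.Length > bytes_read - off) return -1;
        memcpy(&tail, buf + off + r.Length - 4, 4);   /* trailing Length copy */
        if (tail != r.Length) return -1;
        /* SID and data ranges must lie inside this record */
        if (r.UserSidOffset > r.Length || r.UserSidLength > r.Length - r.UserSidOffset) return -1;
        if (r.DataOffset > r.Length || r.DataLength > r.Length - r.DataOffset) return -1;
        if (count < max) out[count] = r.RecordNumber;
        count++;
        off += r.Length;                              /* Length >= 60, so this advances */
    }
    return count;
}

/* Constructed sample data: write a minimal 60-byte record claiming claimed_len. */
uint32_t put_record(uint8_t *buf, uint32_t off, uint32_t number, uint32_t claimed_len)
{
    EvtRecord r;
    memset(&r, 0, sizeof r);
    r.Length = claimed_len; r.Reserved = EVT_SIGNATURE; r.RecordNumber = number;
    r.StringOffset = r.UserSidOffset = r.DataOffset = sizeof r;
    memcpy(buf + off, &r, sizeof r);
    memcpy(buf + off + sizeof r, &claimed_len, 4);    /* trailing Length copy */
    return off + (uint32_t)sizeof r + 4;
}
```

On Windows, pass the lpBuffer pointer and the value returned in pnBytesRead after a successful ReadEventLog call.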

Requirements

Minimum supported client

Windows 2000 Professional [desktop apps only]

Minimum supported server

Windows 2000 Server [desktop apps only]

Header

Winbase.h (include Windows.h)

Library

Advapi32.lib

DLL

Advapi32.dll

Unicode and ANSI names

ReadEventLogW (Unicode) and ReadEventLogA (ANSI)

See also

Event Logging Functions
ClearEventLog
CloseEventLog
EVENTLOGRECORD
OpenEventLog
ReportEvent
© 2014 Microsoft