
ELF_LOGFILE_HEADER structure

Contains information that is included at the beginning of an event log.

The ELF_LOGFILE_HEADER structure is used at the beginning of an event log to define information about the event log. The event-logging service must add the ELF_LOGFILE_HEADER to the event log. For more information about how the ELF_LOGFILE_HEADER is used, see Event Log File Format.

Syntax


typedef struct _EVENTLOGHEADER {
  ULONG HeaderSize;
  ULONG Signature;
  ULONG MajorVersion;
  ULONG MinorVersion;
  ULONG StartOffset;
  ULONG EndOffset;
  ULONG CurrentRecordNumber;
  ULONG OldestRecordNumber;
  ULONG MaxSize;
  ULONG Flags;
  ULONG Retention;
  ULONG EndHeaderSize;
} EVENTLOGHEADER, *PEVENTLOGHEADER;

Members

HeaderSize

The size of the header structure. The size is always 0x30.

Signature

The signature is always 0x654c664c, which is ASCII for eLfL.

MajorVersion

The major version number of the event log. The major version number is always set to 1.

MinorVersion

The minor version number of the event log. The minor version number is always set to 1.

StartOffset

The offset to the oldest record in the event log.

EndOffset

The offset to the ELF_EOF_RECORD in the event log.

CurrentRecordNumber

The number of the next record that will be added to the event log.

OldestRecordNumber

The number of the oldest record in the event log. For an empty file, the oldest record number is set to 0.

MaxSize

The maximum size, in bytes, of the event log. The maximum size is defined when the event log is created. The event-logging service does not typically update this value; it relies on the registry configuration. The reader of the event log can use normal file APIs to determine the size of the file. For more information about registry configuration values, see Eventlog Key.

Flags

The status of the event log. This member can be one of the following values:

ELF_LOGFILE_HEADER_DIRTY (0x0001)

Indicates that records have been written to an event log, but the event log file has not been properly closed. For more information about this flag, see the Remarks section.

ELF_LOGFILE_HEADER_WRAP (0x0002)

Indicates that records in the event log have wrapped.

ELF_LOGFILE_LOGFULL_WRITTEN (0x0004)

Indicates that the most recent write attempt failed due to insufficient space.

ELF_LOGFILE_ARCHIVE_SET (0x0008)

Indicates that the archive attribute has been set for the file. Normal file APIs can also be used to determine the value of this flag.

Retention

The retention value of the file when it is created. The event-logging service does not typically update this value; it relies on the registry configuration. For more information about registry configuration values, see Eventlog Key.

EndHeaderSize

The ending size of the header structure. The size is always 0x30.

Remarks

Before the first event is written to the event log, the event-logging service sets the ELF_LOGFILE_HEADER_DIRTY flag and writes the header to the file. When the event-logging service shuts down, it updates the header information, clears the ELF_LOGFILE_HEADER_DIRTY flag and then writes the header to the event log. The ELF_LOGFILE_HEADER_DIRTY flag can be used by the event-logging service to detect if the event log was not properly closed.

Note: There are two ways to classify event logs: live event logs and backup event logs. A live event log is used by the system for writing records and possibly reading records. A backup event log is a copy of a live log, but can only be used for reading.

If the event-logging service starts and opens a live event log with the ELF_LOGFILE_HEADER_DIRTY flag set, it will resynchronize the header and event records. If the event-logging service attempts to open a backup event log and the ELF_LOGFILE_HEADER_DIRTY flag is set, the service will handle the event log as corrupt and will not open it.
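The following is an added example, not code from this page or from Windows: a Python check that a forensic reader could run over the first 0x30 bytes of a log file to validate the fixed fields and decode Flags before trusting the offsets. The function names, the little-endian layout, the offset range checks and the sample headers are assumptions made for the example.

```python
import struct

# Twelve ULONGs, 0x30 bytes total; little-endian is assumed (x86/x64 Windows).
HEADER = struct.Struct("<12I")
FIELDS = ("HeaderSize", "Signature", "MajorVersion", "MinorVersion",
          "StartOffset", "EndOffset", "CurrentRecordNumber",
          "OldestRecordNumber", "MaxSize", "Flags", "Retention",
          "EndHeaderSize")
FLAG_NAMES = {0x0001: "ELF_LOGFILE_HEADER_DIRTY",
              0x0002: "ELF_LOGFILE_HEADER_WRAP",
              0x0004: "ELF_LOGFILE_LOGFULL_WRITTEN",
              0x0008: "ELF_LOGFILE_ARCHIVE_SET"}

def check_header(data, file_size=None):
    """Parse the first 0x30 bytes and return (fields, flags, problems)."""
    if len(data) < HEADER.size:
        raise ValueError("fewer than 0x30 bytes supplied")
    h = dict(zip(FIELDS, HEADER.unpack_from(data)))
    problems = []
    if h["HeaderSize"] != 0x30 or h["EndHeaderSize"] != 0x30:
        problems.append("HeaderSize/EndHeaderSize is not 0x30")
    if h["Signature"] != 0x654C664C:  # little-endian, so file bytes read "LfLe"
        problems.append("bad signature 0x%08x" % h["Signature"])
    if (h["MajorVersion"], h["MinorVersion"]) != (1, 1):
        problems.append("version is not 1.1")
    if file_size is not None:  # offsets must land after the header, inside the file
        for name in ("StartOffset", "EndOffset"):
            if not 0x30 <= h[name] < file_size:
                problems.append("%s 0x%x outside file" % (name, h[name]))
    flags = [n for bit, n in FLAG_NAMES.items() if h["Flags"] & bit]
    if h["Flags"] & ~0xF:
        problems.append("undefined flag bits 0x%x" % (h["Flags"] & ~0xF))
    if "ELF_LOGFILE_HEADER_DIRTY" in flags:
        # Header is only rewritten at service shutdown, so it may be stale.
        problems.append("dirty: header may not match the records")
    return h, flags, problems

def make_header(flags=0, start=0x30, end=0x30, sig=0x654C664C):
    """Build a constructed sample header (not taken from a real log)."""
    return HEADER.pack(0x30, sig, 1, 1, start, end, 1, 0, 0x10000,
                       flags, 0, 0x30)

if __name__ == "__main__":
    samples = {"clean": make_header(), "dirty+wrap": make_header(flags=0x3),
               "bad": make_header(sig=0x41414141, end=0x9000)}
    for label, raw in samples.items():
        fields, flags, problems = check_header(raw, file_size=0x1000)
        print(label, flags, problems)
```

Because StartOffset can be greater than EndOffset once ELF_LOGFILE_HEADER_WRAP is set, the check tests each offset against the file bounds independently and does not compare the two.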

Requirements

Minimum supported client

Windows 2000 Professional [desktop apps only]

Minimum supported server

Windows 2000 Server [desktop apps only]

Header

Winnt.h (include Windows.h)

See also

ELF_EOF_RECORD
EVENTLOGRECORD
Event Log File Format

© 2014 Microsoft