126.96.36.199 ElfrGetLogInformation (Opnum 22)
The ElfrGetLogInformation (Opnum 22) method instructs the server to return information on an event log.
NTSTATUS ElfrGetLogInformation(
  [in] IELF_HANDLE LogHandle,
  [in] unsigned long InfoLevel,
  [out, size_is( cbBufSize )] unsigned char* lpBuffer,
  [in, range(0, 1024)] unsigned long cbBufSize,
  [out] unsigned long* pcbBytesNeeded
);
LogHandle: Handle to an event log. This parameter is a server context handle, as specified in section 2.2.6.
InfoLevel: The level of event log information to return. This MUST be set to zero.
cbBufSize: The size in bytes of the buffer pointed to by the lpBuffer parameter.
pcbBytesNeeded: The number of bytes required for the requested information, regardless of whether the method succeeds. This parameter MUST NOT be NULL.
In response to this request from the client, the server MUST first check that the handle is valid. In Windows-based server implementations, the server checks if the signature is the right value (as specified in section 188.8.131.52). The server MUST fail the operation with the error STATUS_INVALID_HANDLE (0xC0000008) if the handle is invalid.
If lpBuffer is not large enough to contain an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure (cbBufSize is less than the number of bytes needed for an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure), the server MUST set the pcbBytesNeeded parameter to the number of bytes needed to hold an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure, MUST fail the method, and MUST return STATUS_BUFFER_TOO_SMALL (0xC0000023).
If the above checks all succeed, the server MUST write an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure into lpBuffer, with the dwFull member of the structure set to 1 if the event log is full and set to zero if the event log is not full. In addition, the pcbBytesNeeded parameter MUST be set to the size of an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure. The server MUST then return success.
Note that the event log is treated as full when a new record cannot be appended to it. A new record cannot be appended when the maximum size limitation of the log has been reached and the existing records of the log cannot be overwritten. When this happens, a flag indicating that the event log is full is set in the log file. This method checks whether that flag is set.
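The processing order above (handle check, then size check, then the write) can be modeled as follows. This is an added example, not code from the specification or from any Windows implementation. The names model_log_handle, model_get_log_information, model_read_dwfull and MODEL_SIGNATURE are hypothetical, the signature value is a constructed placeholder, EVENTLOG_FULL_INFORMATION is assumed to consist only of the 32-bit dwFull member, and leaving pcbBytesNeeded untouched on an invalid handle is a choice of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS          0x00000000u
#define STATUS_INVALID_HANDLE   0xC0000008u
#define STATUS_BUFFER_TOO_SMALL 0xC0000023u
#define MODEL_SIGNATURE         0x5AFE10C5u /* constructed placeholder, not the real value */

/* Assumption: the structure holds only the 32-bit dwFull member. */
typedef struct { uint32_t dwFull; } EVENTLOG_FULL_INFORMATION;
/* Hypothetical stand-in for the server context behind an IELF_HANDLE. */
typedef struct { uint32_t signature; int full_flag; } model_log_handle;

uint32_t model_get_log_information(const model_log_handle *h, unsigned char *lpBuffer,
                                   uint32_t cbBufSize, uint32_t *pcbBytesNeeded)
{
    /* 1. Handle validation comes first; this model writes nothing on failure. */
    if (h == NULL || h->signature != MODEL_SIGNATURE)
        return STATUS_INVALID_HANDLE;
    /* 2. Report the required size, then fail without touching lpBuffer. */
    *pcbBytesNeeded = (uint32_t)sizeof(EVENTLOG_FULL_INFORMATION);
    if (cbBufSize < sizeof(EVENTLOG_FULL_INFORMATION))
        return STATUS_BUFFER_TOO_SMALL;
    /* 3. Success: dwFull is 1 when the log-full flag is set, otherwise 0. */
    EVENTLOG_FULL_INFORMATION info = { h->full_flag ? 1u : 0u };
    memcpy(lpBuffer, &info, sizeof info);
    return STATUS_SUCCESS;
}

/* Reads dwFull back out of a caller buffer. */
uint32_t model_read_dwfull(const unsigned char *buf)
{
    EVENTLOG_FULL_INFORMATION info;
    memcpy(&info, buf, sizeof info);
    return info.dwFull;
}

int main(void)
{
    model_log_handle log = { MODEL_SIGNATURE, 1 }; /* constructed sample state */
    unsigned char buf[8];
    uint32_t needed = 0;
    uint32_t st = model_get_log_information(&log, buf, 2, &needed);
    printf("small buffer: 0x%08X needed=%u\n", (unsigned)st, (unsigned)needed);
    st = model_get_log_information(&log, buf, sizeof buf, &needed);
    printf("ok: 0x%08X dwFull=%u\n", (unsigned)st, (unsigned)model_read_dwfull(buf));
    return 0;
}
```

A client written against this behavior can treat STATUS_BUFFER_TOO_SMALL as a signal to retry with a buffer of at least pcbBytesNeeded bytes.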