1.3.2 EventLog Remoting Protocol Version 6.0

The EventLog Remoting Protocol Version 6.0 provides a way to access event logs on remote computers.

For both live logs and backup logs, the protocol exposes RPC (as specified in [MS-RPCE]) methods for reading events and for getting basic information about the log, such as the number of records in the log, the oldest record in the log, and whether the log is full and therefore can no longer accept additional events. When reading events, a filter can be specified so that only the desired records are returned.

The EventLog Remoting Protocol Version 6.0 does not support writing events to either live event logs or backup event logs.

For live event logs only, the protocol also exposes RPC methods for subscriptions, clearing logs, and creating backup logs. Subscriptions are similar to normal reading, except that a subscription can be used to get events asynchronously as they arrive.

The protocol provides methods for reading publisher and event log settings, and it also provides methods to change the settings of event logs. Additionally, the protocol provides methods for converting events into localized messages suitable for display to users.

A query can be done in which a filter is applied. The result set is the set of records that satisfy the filter. The cursor is the location in the result set of the last record retrieved by the caller. A filter is composed of selectors and suppressors. A selector specifies records to include, while a suppressor specifies records to exclude. Suppressors override selectors.
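The following is an added illustration of the selector/suppressor filter model and the result-set cursor described above; it is not code from the protocol specification or from any Windows component. The Event fields, the predicate-based Filter, and the Query class are assumptions made for the example.

```python
# Added illustration of the selector/suppressor filter model and the result-set
# cursor. Not part of MS-EVEN6 or any Windows component; the Event fields, the
# predicate-based Filter and the Query class are assumptions for this example.
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Event:
    record_id: int
    provider: str
    event_id: int
    level: int  # constructed convention: 1 = critical ... 4 = informational

Predicate = Callable[[Event], bool]

@dataclass
class Filter:
    selectors: List[Predicate]    # a record matching any selector is included...
    suppressors: List[Predicate]  # ...unless it also matches any suppressor

    def matches(self, ev: Event) -> bool:
        # Suppressors override selectors: check them first so an excluded
        # record never reaches the result set even if a selector wants it.
        if any(s(ev) for s in self.suppressors):
            return False
        return any(s(ev) for s in self.selectors)

class Query:
    """Result set of a filtered read plus the cursor (last record retrieved)."""
    def __init__(self, log: List[Event], flt: Filter) -> None:
        self._result = [ev for ev in log if flt.matches(ev)]
        self._cursor = 0  # index just past the last record handed to the caller

    def next(self, count: int) -> List[Event]:
        batch = self._result[self._cursor:self._cursor + count]
        self._cursor += len(batch)
        return batch

    @property
    def cursor(self) -> int:
        return self._cursor

# Constructed sample log (not real Windows records).
LOG = [
    Event(1, "Security", 4624, 4), Event(2, "Security", 4625, 3),
    Event(3, "System", 7036, 4),   Event(4, "Security", 4625, 3),
    Event(5, "Security", 1102, 1), Event(6, "System", 6008, 2),
]

def query_security_without_logons() -> Query:
    # Select everything from the Security log, but suppress successful logons.
    flt = Filter(selectors=[lambda e: e.provider == "Security"],
                 suppressors=[lambda e: e.event_id == 4624])
    return Query(LOG, flt)
```

Reading the query in batches shows the cursor advancing through the result set and stopping once the set is exhausted.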

For more information and an overview of methods used, see section 3.1.4.