3.1.4.20 ElfrGetLogInformation (Opnum 22)

The ElfrGetLogInformation (Opnum 22) method instructs the server to return information on an event log.

 NTSTATUS ElfrGetLogInformation(
   [in] IELF_HANDLE LogHandle,
   [in] unsigned long InfoLevel,
   [out, size_is(cbBufSize)] unsigned char* lpBuffer,
   [in, range(0, 1024)] unsigned long cbBufSize,
   [out] unsigned long* pcbBytesNeeded
 );

LogHandle: Handle to an event log. This parameter is a server context handle, as specified in section 2.2.6.

InfoLevel: The level of event log information to return. This MUST be set to zero.

lpBuffer: The event log information. This MUST either point to an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure or be NULL.

cbBufSize: The size in bytes of the buffer pointed to by the lpBuffer parameter.

pcbBytesNeeded: The number of bytes required for the requested information, regardless of whether the function succeeds. This parameter MUST NOT be NULL.

Return Values: The method MUST return STATUS_SUCCESS (0x00000000) on success. The method MUST return STATUS_BUFFER_TOO_SMALL (0xC0000023) if the buffer is too small to fit even one record. Otherwise, it MUST return an implementation-based, nonzero NTSTATUS value specified in [MS-ERREF].

In response to this request from the client, the server MUST first check that the handle is valid. The server MUST fail the operation with the error STATUS_INVALID_HANDLE (0xC0000008) if the handle is invalid.

If lpBuffer is not large enough to contain an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure (cbBufSize is less than the number of bytes needed for an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure), the server MUST set the pcbBytesNeeded parameter to the number of bytes needed to hold an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure, MUST fail the method, and MUST return STATUS_BUFFER_TOO_SMALL (0xC0000023).

If the above checks all succeed, the server MUST write an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure into lpBuffer, with the dwFull member set to 1 if the event log is full and to zero if it is not. In addition, the pcbBytesNeeded parameter MUST be set to the size of an EVENTLOG_FULL_INFORMATION (section 2.2.4) structure. The server MUST then return success.

Note that the event log is treated as full when a new record cannot be appended to it. A new record cannot be appended when the maximum size limitation of the log has been reached and the existing records of the log cannot be overwritten. When this happens, a flag indicating that the event log is full is set in the log file. This method checks whether that flag is set or not.
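The following C model of the server-side processing order described above is an added example, not part of the specification or of any Microsoft implementation. The model_log type, its magic marker, the use of STATUS_INVALID_PARAMETER for a nonzero InfoLevel, and the treatment of a NULL lpBuffer as too small are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_HANDLE    0xC0000008u
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u
#define STATUS_INVALID_PARAMETER 0xC000000Du /* assumption: page names no code for a bad InfoLevel */

/* EVENTLOG_FULL_INFORMATION (section 2.2.4): one 32-bit member, dwFull. */
typedef struct { uint32_t dwFull; } EVENTLOG_FULL_INFORMATION;

/* Hypothetical server-side state behind a context handle. */
typedef struct { uint32_t magic; int full_flag; } model_log;
#define MODEL_LOG_MAGIC 0x454C4647u /* constructed marker for a live handle */

uint32_t model_get_log_information(const model_log *log, uint32_t info_level,
                                   unsigned char *buf, uint32_t cb_buf,
                                   uint32_t *bytes_needed)
{
    /* 1. Handle validity is checked first. */
    if (log == NULL || log->magic != MODEL_LOG_MAGIC)
        return STATUS_INVALID_HANDLE;
    /* InfoLevel MUST be zero; cbBufSize is bounded by range(0, 1024) in the IDL. */
    if (info_level != 0 || cb_buf > 1024 || bytes_needed == NULL)
        return STATUS_INVALID_PARAMETER;
    /* 2. Report the required size before any write to the caller's buffer. */
    *bytes_needed = (uint32_t)sizeof(EVENTLOG_FULL_INFORMATION);
    if (buf == NULL || cb_buf < sizeof(EVENTLOG_FULL_INFORMATION))
        return STATUS_BUFFER_TOO_SMALL; /* NULL treated as too small: assumption */
    /* 3. dwFull mirrors the "log full" flag kept in the log file. */
    EVENTLOG_FULL_INFORMATION info = { log->full_flag ? 1u : 0u };
    memcpy(buf, &info, sizeof info);
    return STATUS_SUCCESS;
}

int main(void)
{
    model_log log = { MODEL_LOG_MAGIC, 1 };  /* constructed sample: a full log */
    unsigned char out[sizeof(EVENTLOG_FULL_INFORMATION)] = { 0 };
    EVENTLOG_FULL_INFORMATION info;
    uint32_t needed = 0;
    uint32_t st = model_get_log_information(&log, 0, out, 2, &needed);
    printf("short buffer: 0x%08X needed=%u\n", (unsigned)st, (unsigned)needed);
    st = model_get_log_information(&log, 0, out, sizeof out, &needed);
    memcpy(&info, out, sizeof info);
    printf("full buffer:  0x%08X dwFull=%u\n", (unsigned)st, (unsigned)info.dwFull);
    return 0;
}
```

The size check runs before the copy, so a short cbBufSize never results in a write to lpBuffer, and pcbBytesNeeded carries the structure size on both the failure and the success path.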