4.2 Get Log Information Example

In this example, the client wants to get information about a channel or log file.

This involves the following steps:

  1. The client registers with RPC to obtain an RPC binding handle to the service based on the endpoint information specified in section 2.1. For information on how to get the RPC binding handle, see [MSDN-BNDHNDLS].

  2. The client calls the EvtRpcOpenLogHandle (as specified in section 3.1.4.19) method to open the log handle from which it wants to get information.

     error_status_t 
     EvtRpcOpenLogHandle(
       [in, range(1, MAX_RPC_CHANNEL_PATH_LENGTH), string] 
         LPCWSTR channel = "Application",
       [in] DWORD flags = 1,
       [out, context_handle] PCONTEXT_HANDLE_LOG_HANDLE* handle,
       [out] RpcInfo* error
     );

    After this function returns successfully, the client receives the log context handle. As mentioned in section 3.1.1.11, the context handle is a log information object. For this example, its content is:

    • LogType = {A value which means it is a channel}

    • Channel = {Pointer to the "application" entry in the channel table}

  3. The client then calls the EvtRpcGetLogFileInfo (as specified in section 3.1.4.12) method to get the necessary information. For the following example, assume the client wants to know the number of events in the channel.

     error_status_t 
     EvtRpcGetLogFileInfo(
       [in, context_handle] PCONTEXT_HANDLE_LOG_HANDLE logHandle = {The handle received above},
       [in] DWORD propertyId = 0x00000005(EvtLogNumberOfLogRecords),
       [in, range(0, MAX_RPC_PROPERTY_BUFFER_SIZE)] 
         DWORD propertyValueBufferSize = sizeof(BinXmlVariant),
       [out, size_is(propertyValueBufferSize)] 
         BYTE* propertyValueBuffer = {The pointer which points to the result buffer},
       [out] DWORD* propertyValueBufferLength
     );

    After the method returns successfully, the propertyValueBuffer contains the requested value, packed in the following data format:

     0x0000000000000020   -------- There are 32 records in total.
     0x0001               -------- There is only one result in the returned data.
     0x000A               -------- The data type is BinXmlVarUInt64.
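A client-side decoder for the result buffer shown above, added here as an illustration and not taken from the specification. It assumes the BinXmlVariant is laid out on the wire as an 8-byte little-endian union (the UINT64 value) followed by a 4-byte count and a 4-byte type, and it rejects a buffer that is short, carries more than one element, or is not of type BinXmlVarUInt64 rather than trusting the server's reply blindly.

```python
import struct

# BinXmlVariant.type value for a UINT64 payload, as shown in the example above (0x000A).
BINXML_VAR_UINT64 = 0x0000000A
# propertyId used in the example EvtRpcGetLogFileInfo call (0x00000005).
EVT_LOG_NUMBER_OF_LOG_RECORDS = 0x00000005

# Assumed wire layout of BinXmlVariant: 8-byte union, 4-byte count, 4-byte type,
# all little-endian (16 bytes). This layout is an assumption of this example.
_BINXML_VARIANT = struct.Struct("<QII")


def decode_log_record_count(buf: bytes, returned_length: int) -> int:
    """Return the record count carried in a BinXmlVariant that the server
    returned for EvtLogNumberOfLogRecords.

    Raises ValueError when the reply cannot be trusted: the reported length is
    larger than what was actually received, the buffer is shorter than one
    BinXmlVariant, the element count is not 1, or the type is not BinXmlVarUInt64.
    """
    if returned_length > len(buf):
        raise ValueError("propertyValueBufferLength exceeds the bytes actually received")
    if returned_length < _BINXML_VARIANT.size:
        raise ValueError(f"buffer too short for a BinXmlVariant: {returned_length} bytes")
    value, count, vtype = _BINXML_VARIANT.unpack_from(buf)
    if count != 1:
        raise ValueError(f"expected a single result, got count={count}")
    if vtype != BINXML_VAR_UINT64:
        raise ValueError(f"unexpected variant type 0x{vtype:08X}, wanted BinXmlVarUInt64")
    return value


# Constructed sample buffer reproducing the result above: 32 records, count 1, type 0x0A.
SAMPLE_BUFFER = bytes.fromhex("2000000000000000" "01000000" "0A000000")

if __name__ == "__main__":
    print(decode_log_record_count(SAMPLE_BUFFER, len(SAMPLE_BUFFER)))  # 32
```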