The topic you requested is included in another documentation set. For convenience, it's displayed below. Choose Switch to see the topic in its original location.

ReadEventLog function

Reads the specified number of entries from the specified event log. The function can be used to read log entries in chronological or reverse chronological order.

Syntax

C++


BOOL ReadEventLog(
  _In_  HANDLE hEventLog,
  _In_  DWORD  dwReadFlags,
  _In_  DWORD  dwRecordOffset,
  _Out_ LPVOID lpBuffer,
  _In_  DWORD  nNumberOfBytesToRead,
  _Out_ DWORD  *pnBytesRead,
  _Out_ DWORD  *pnMinNumberOfBytesNeeded
);

Parameters

hEventLog [in]

A handle to the event log to be read. The OpenEventLog function returns this handle.

dwReadFlags [in]

Use the following flag values to indicate how to read the log file. This parameter must include one of the following values (the flags are mutually exclusive).

Value	Meaning
EVENTLOG_SEEK_READ 0x0002	Begin reading from the record specified in the dwRecordOffset parameter. This option may not work with large log files if the function cannot determine the log file's size. For details, see Knowledge Base article, 177199.
EVENTLOG_SEQUENTIAL_READ 0x0001	Read the records sequentially. If this is the first read operation, the EVENTLOG_FORWARDS_READ EVENTLOG_BACKWARDS_READ flags determines which record is read first.

Value

Meaning

EVENTLOG_SEEK_READ
0x0002

Begin reading from the record specified in the dwRecordOffset parameter.

This option may not work with large log files if the function cannot determine the log file's size. For details, see Knowledge Base article, 177199.

EVENTLOG_SEQUENTIAL_READ
0x0001

Read the records sequentially. If this is the first read operation, the EVENTLOG_FORWARDS_READ EVENTLOG_BACKWARDS_READ flags determines which record is read first.

You must specify one of the following flags to indicate the direction for successive read operations (the flags are mutually exclusive).

Value	Meaning
EVENTLOG_FORWARDS_READ 0x0004	The log is read in chronological order (oldest to newest). The default.
EVENTLOG_BACKWARDS_READ 0x0008	The log is read in reverse chronological order (newest to oldest).

dwRecordOffset [in]

The record number of the log-entry at which the read operation should start. This parameter is ignored unless dwReadFlags includes the EVENTLOG_SEEK_READ flag.

lpBuffer [out]

An application-allocated buffer that will receive one or more EVENTLOGRECORD structures. This parameter cannot be NULL, even if the nNumberOfBytesToRead parameter is zero.

The maximum size of this buffer is 0x7ffff bytes.

nNumberOfBytesToRead [in]

The size of the lpBuffer buffer, in bytes. This function will read as many log entries as will fit in the buffer; the function will not return partial entries.

pnBytesRead [out]

A pointer to a variable that receives the number of bytes read by the function.

pnMinNumberOfBytesNeeded [out]

A pointer to a variable that receives the required size of the lpBuffer buffer. This value is valid only this function returns zero and GetLastError returns ERROR_INSUFFICIENT_BUFFER.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks

When this function returns successfully, the read position in the event log is adjusted by the number of records read.

Note The configured file name for this source may also be the configured file name for other sources (several sources can exist as subkeys under a single log). Therefore, this function may return events that were logged by more than one source.

Examples

For an example, see Querying for Event Information.

Requirements

Minimum supported client	Windows 2000 Professional [desktop apps only]
Minimum supported server	Windows 2000 Server [desktop apps only]
Header	Winbase.h (include Windows.h)
Library	Advapi32.lib
DLL	Advapi32.dll
Unicode and ANSI names	ReadEventLogW (Unicode) and ReadEventLogA (ANSI)

Deutsch	English	Español	Français
Italiano	日本語	한국어	Português
Pусский	简体中文	繁體中文