#include "idl_types.h"

/*
  eventlog interface definition

  Wire types and calls for the Windows event log RPC service, plus the
  on-disc layouts (.evt file and the samba3 tdb record) that share the
  same enums.  Every [range()] and [size_is()] below is what the
  generated NDR pull code enforces on untrusted input; keep them in
  sync when adding fields.
*/

import "lsa.idl", "security.idl";

[
  uuid("82273fdc-e32a-18c3-3f78-827929dc23ea"),
  version(0.0),
  helpstring("Event Logger")
] interface eventlog
{
	/* read direction / addressing flags passed to eventlog_ReadEventLogW */
	typedef [bitmap32bit] bitmap {
		EVENTLOG_SEQUENTIAL_READ = 0x0001,
		EVENTLOG_SEEK_READ       = 0x0002,
		EVENTLOG_FORWARDS_READ   = 0x0004,
		EVENTLOG_BACKWARDS_READ  = 0x0008
	} eventlogReadFlags;

	/* per-record event type; shared by the wire calls and both on-disc formats */
	typedef [public] enum {
		EVENTLOG_SUCCESS          = 0x0000,
		EVENTLOG_ERROR_TYPE       = 0x0001,
		EVENTLOG_WARNING_TYPE     = 0x0002,
		EVENTLOG_INFORMATION_TYPE = 0x0004,
		EVENTLOG_AUDIT_SUCCESS    = 0x0008,
		EVENTLOG_AUDIT_FAILURE    = 0x0010
	} eventlogEventTypes;

	/* opaque leading argument of the Open*/RegisterEventSource calls;
	   meaning of the two halves is not established here */
	typedef struct {
		uint16 unknown0;
		uint16 unknown1;
	} eventlog_OpenUnknown0;

	/*
	 * Compat structure for the samba3 on-disc eventlog format.
	 * This is *NOT* used on the wire. - gd
	 *
	 * Length fields carry [value()] so they are recomputed from the
	 * payload on push; num_of_strings is range-checked on pull.
	 */
	typedef [flag(NDR_NOALIGN|NDR_PAHEX),public] struct {
		uint32 size;
		[charset(DOS),value("eLfL")] uint8 reserved[4];
		uint32 record_number;
		time_t time_generated;
		time_t time_written;
		uint32 event_id;
		eventlogEventTypes event_type;
		[range(0,256)] uint16 num_of_strings;
		uint16 event_category;
		uint16 reserved_flags;
		uint32 closing_record_number;
		uint32 stringoffset;
		[value(sid.length)] uint32 sid_length;
		uint32 sid_offset;
		[value(data.length)] uint32 data_length;
		uint32 data_offset;
		[value(2*strlen_m_term(source_name))] uint32 source_name_len;
		nstring source_name;
		[value(2*strlen_m_term(computer_name))] uint32 computer_name_len;
		nstring computer_name;
		uint32 sid_padding;
		DATA_BLOB sid;
		[value(2*ndr_size_string_array(strings, num_of_strings, STR_NULLTERM))] uint32 strings_len;
		nstring strings[num_of_strings];
		DATA_BLOB data;
		uint32 padding;
	} eventlog_Record_tdb;

	/* EVENTLOGHEADER.Flags bits */
	typedef [v1_enum] enum {
		ELF_LOGFILE_HEADER_DIRTY    = 0x0001,
		ELF_LOGFILE_HEADER_WRAP     = 0x0002,
		ELF_LOGFILE_LOGFULL_WRITTEN = 0x0004,
		ELF_LOGFILE_ARCHIVE_SET     = 0x0008
	} EVENTLOG_HEADER_FLAGS;

	/* fixed 0x30-byte header at the start of a .evt file */
	typedef [public] struct {
		[value(0x30)] uint32 HeaderSize;
		[charset(DOS),value("LfLe")] uint8 Signature[4];
		[value(1)] uint32 MajorVersion;
		[value(1)] uint32 MinorVersion;
		uint32 StartOffset;
		uint32 EndOffset;
		uint32 CurrentRecordNumber;
		uint32 OldestRecordNumber;
		uint32 MaxSize;
		EVENTLOG_HEADER_FLAGS Flags;
		uint32 Retention;
		[value(0x30)] uint32 EndHeaderSize;
	} EVENTLOGHEADER;

	/*
	 * One .evt record.  The offset fields are [value()] expressions
	 * derived from the variable-length members that precede the data
	 * they point at, so they are regenerated on push.
	 *
	 * NOTE(review): unlike eventlog_Record_tdb.num_of_strings, NumStrings
	 * and DataLength carry no [range()] here, and they size the Strings
	 * and Data arrays directly.  A .evt file that comes from outside
	 * (e.g. a supplied backup) can therefore drive large allocations on
	 * pull -- confirm the caller validates the file before parsing.
	 */
	typedef [public,gensize] struct {
		uint32 Length;
		[charset(DOS),value("LfLe")] uint8 Reserved[4];
		uint32 RecordNumber;
		time_t TimeGenerated;
		time_t TimeWritten;
		uint32 EventID;
		eventlogEventTypes EventType;
		uint16 NumStrings;
		uint16 EventCategory;
		uint16 ReservedFlags;
		uint32 ClosingRecordNumber;
		[value(56+2*(strlen_m_term(SourceName)+strlen_m_term(Computername))+UserSidLength)] uint32 StringOffset;
		[value(ndr_size_dom_sid0(&UserSid, ndr->flags))] uint32 UserSidLength;
		[value(56+2*(strlen_m_term(SourceName)+strlen_m_term(Computername)))] uint32 UserSidOffset;
		uint32 DataLength;
		[value(56+2*(strlen_m_term(SourceName)+strlen_m_term(Computername))+UserSidLength+(2*ndr_size_string_array(Strings, NumStrings, STR_NULLTERM)))] uint32 DataOffset;
		nstring SourceName;
		nstring Computername;
		[flag(NDR_ALIGN4),subcontext(0),subcontext_size(UserSidLength)] dom_sid0 UserSid;
		nstring Strings[NumStrings];
		[flag(NDR_PAHEX)] uint8 Data[DataLength];
		astring Pad;
		[value(Length)] uint32 Length2;
	} EVENTLOGRECORD;

	/* trailer record closing a .evt file; the four marker words are fixed */
	typedef [public] struct {
		[value(0x28)] uint32 RecordSizeBeginning;
		[value(0x11111111)] uint32 One;
		[value(0x22222222)] uint32 Two;
		[value(0x33333333)] uint32 Three;
		[value(0x44444444)] uint32 Four;
		uint32 BeginRecord;
		uint32 EndRecord;
		uint32 CurrentRecordNumber;
		uint32 OldestRecordNumber;
		[value(0x28)] uint32 RecordSizeEnd;
	} EVENTLOGEOF;

	/*
	 * Whole-file layout.  This is only true for a non-wrapped .evt file
	 * (e.g. backups generated and viewed with eventvwr).
	 *
	 * NOTE(review): the record count is the plain uint32 difference of
	 * two header fields; a header with OldestRecordNumber greater than
	 * CurrentRecordNumber gives a wrapped count -- confirm the header
	 * is sanity-checked before this type is pulled.
	 */
	typedef [public] struct {
		EVENTLOGHEADER hdr;
		EVENTLOGRECORD records[hdr.CurrentRecordNumber-hdr.OldestRecordNumber];
		EVENTLOGEOF eof;
	} EVENTLOG_EVT_FILE;

	/******************/
	/* Function: 0x00 */
	NTSTATUS eventlog_ClearEventLogW(
		[in] policy_handle *handle,
		[in,unique] lsa_String *backupfile
	);

	/******************/
	/* Function: 0x01 */
	NTSTATUS eventlog_BackupEventLogW(
		[in] policy_handle *handle,
		[in,ref] lsa_String *backup_filename
	);

	/******************/
	/* Function: 0x02 */
	NTSTATUS eventlog_CloseEventLog(
		[in,out] policy_handle *handle
	);

	/******************/
	/* Function: 0x03 */
	NTSTATUS eventlog_DeregisterEventSource(
		[in,out] policy_handle *handle
	);

	/******************/
	/* Function: 0x04 */
	NTSTATUS eventlog_GetNumRecords(
		[in] policy_handle *handle,
		[out,ref] uint32 *number
	);

	/******************/
	/* Function: 0x05 */
	NTSTATUS eventlog_GetOldestRecord(
		[in] policy_handle *handle,
		[out,ref] uint32 *oldest_entry
	);

	/******************/
	/* Function: 0x06 */
	[todo] NTSTATUS eventlog_ChangeNotify();

	/******************/
	/* Function: 0x07 */
	NTSTATUS eventlog_OpenEventLogW(
		[in,unique] eventlog_OpenUnknown0 *unknown0,
		[in,ref] lsa_String *logname,
		[in,ref] lsa_String *servername,
		[in] uint32 major_version,
		[in] uint32 minor_version,
		[out] policy_handle *handle
	);

	/******************/
	/* Function: 0x08 */
	NTSTATUS eventlog_RegisterEventSourceW(
		[in,unique] eventlog_OpenUnknown0 *unknown0,
		[in,ref] lsa_String *module_name,
		[in,ref] lsa_String *reg_module_name,
		[in] uint32 major_version,
		[in] uint32 minor_version,
		[out] policy_handle *log_handle
	);

	/******************/
	/* Function: 0x09 */
	NTSTATUS eventlog_OpenBackupEventLogW(
		[in,unique] eventlog_OpenUnknown0 *unknown0,
		[in,ref] lsa_String *backup_logname,
		[in] uint32 major_version,
		[in] uint32 minor_version,
		[out] policy_handle *handle
	);

	/******************/
	/* Function: 0x0a */
	/* number_of_bytes is client-chosen; the [range()] caps the size of
	   the [out] buffer the server allocates for it */
	NTSTATUS eventlog_ReadEventLogW(
		[in] policy_handle *handle,
		[in] eventlogReadFlags flags,
		[in] uint32 offset,
		[in] [range(0,0x7FFFF)] uint32 number_of_bytes,
		[out,ref,size_is(number_of_bytes)] uint8 *data,
		[out,ref] uint32 *sent_size,
		[out,ref] uint32 *real_size
	);

	/******************/
	/* Function: 0x0b */
	/* strings and data are sized by client-supplied counts; both counts
	   are range-limited so the pull side bounds them before use */
	NTSTATUS eventlog_ReportEventW(
		[in] policy_handle *handle,
		[in] time_t timestamp,
		[in] eventlogEventTypes event_type,
		[in] uint16 event_category,
		[in] uint32 event_id,
		[in] [range(0,256)] uint16 num_of_strings,
		[in] [range(0,0x3FFFF)] uint32 data_size,
		[in,ref] lsa_String *servername,
		[in,unique] dom_sid *user_sid,
		[in,unique] [size_is(num_of_strings)] lsa_String **strings,
		[in,unique] [size_is(data_size)] uint8 *data,
		[in] uint16 flags,
		[in,out,unique] uint32 *record_number,
		[in,out,unique] time_t *time_written
	);

	/******************/
	/* Function: 0x0c */
	[todo] NTSTATUS eventlog_ClearEventLogA();

	/******************/
	/* Function: 0x0d */
	[todo] NTSTATUS eventlog_BackupEventLogA();

	/******************/
	/* Function: 0x0e */
	[todo] NTSTATUS eventlog_OpenEventLogA();

	/******************/
	/* Function: 0x0f */
	[todo] NTSTATUS eventlog_RegisterEventSourceA();

	/******************/
	/* Function: 0x10 */
	[todo] NTSTATUS eventlog_OpenBackupEventLogA();

	/******************/
	/* Function: 0x11 */
	[todo] NTSTATUS eventlog_ReadEventLogA();

	/******************/
	/* Function: 0x12 */
	[todo] NTSTATUS eventlog_ReportEventA();

	/******************/
	/* Function: 0x13 */
	[todo] NTSTATUS eventlog_RegisterClusterSvc();

	/******************/
	/* Function: 0x14 */
	[todo] NTSTATUS eventlog_DeregisterClusterSvc();

	/******************/
	/* Function: 0x15 */
	[todo] NTSTATUS eventlog_WriteClusterEvents();

	/******************/
	/* Function: 0x16 */
	/* payload returned in GetLogInformation's buffer; which level selects
	   it is not stated here */
	typedef [public] struct {
		boolean32 full;
	} EVENTLOG_FULL_INFORMATION;

	NTSTATUS eventlog_GetLogInformation(
		[in] policy_handle *handle,
		[in] uint32 level,
		[out,ref] [size_is(buf_size)] uint8 *buffer,
		[in] [range(0,1024)] uint32 buf_size,
		[out,ref] uint32 *bytes_needed
	);

	/******************/
	/* Function: 0x17 */
	NTSTATUS eventlog_FlushEventLog(
		[in] policy_handle *handle
	);

	/******************/
	/* Function: 0x18 */
	/* same shape as eventlog_ReportEventW with an explicit sourcename */
	NTSTATUS eventlog_ReportEventAndSourceW(
		[in] policy_handle *handle,
		[in] time_t timestamp,
		[in] eventlogEventTypes event_type,
		[in] uint16 event_category,
		[in] uint32 event_id,
		[in,ref] lsa_String *sourcename,
		[in] [range(0,256)] uint16 num_of_strings,
		[in] [range(0,0x3FFFF)] uint32 data_size,
		[in,ref] lsa_String *servername,
		[in,unique] dom_sid *user_sid,
		[in,unique] [size_is(num_of_strings)] lsa_String **strings,
		[in,unique] [size_is(data_size)] uint8 *data,
		[in] uint16 flags,
		[in,out,unique] uint32 *record_number,
		[in,out,unique] time_t *time_written
	);
}