eventlog: add w32 on-disc EVENTLOG structures (*evt files).
authorGünther Deschner <gd@samba.org>
Fri, 23 Jan 2009 13:58:27 +0000 (14:58 +0100)
committerGünther Deschner <gd@samba.org>
Wed, 4 Feb 2009 16:17:25 +0000 (17:17 +0100)
Guenther

librpc/idl/eventlog.idl

index 0826f59ed86ac79e1835b88fa3c73afaf5b7c9a0..c0230f369326b4c371409acba069e624b8a23817 100644 (file)
@@ -90,6 +90,76 @@ import "lsa.idl", "security.idl";
                uint32 padding;
        } eventlog_Record_tdb;
 
+       typedef [v1_enum] enum {
+               ELF_LOGFILE_HEADER_DIRTY        = 0x0001,
+               ELF_LOGFILE_HEADER_WRAP         = 0x0002,
+               ELF_LOGFILE_LOGFULL_WRITTEN     = 0x0004,
+               ELF_LOGFILE_ARCHIVE_SET         = 0x0008
+       } EVENTLOG_HEADER_FLAGS;
+
+       typedef [public] struct {
+               [value(0x30)] uint32 HeaderSize;
+               [charset(DOS),value("LfLe")] uint8 Signature[4];
+               [value(1)] uint32 MajorVersion;
+               [value(1)] uint32 MinorVersion;
+               uint32 StartOffset;
+               uint32 EndOffset;
+               uint32 CurrentRecordNumber;
+               uint32 OldestRecordNumber;
+               uint32 MaxSize;
+               EVENTLOG_HEADER_FLAGS Flags;
+               uint32 Retention;
+               [value(0x30)] uint32 EndHeaderSize;
+       } EVENTLOGHEADER;
+
+       typedef [public,gensize] struct {
+               uint32 Length;
+               [charset(DOS),value("LfLe")] uint8 Reserved[4];
+               uint32 RecordNumber;
+               time_t TimeGenerated;
+               time_t TimeWritten;
+               uint32 EventID;
+               eventlogEventTypes EventType;
+               uint16 NumStrings;
+               uint16 EventCategory;
+               uint16 ReservedFlags;
+               uint32 ClosingRecordNumber;
+               uint32 StringOffset;
+               [value(ndr_size_dom_sid0(&UserSid, ndr->flags))] uint32 UserSidLength;
+               uint32 UserSidOffset;
+               uint32 DataLength;
+               uint32 DataOffset;
+               nstring SourceName;
+               nstring Computername;
+               [flag(NDR_ALIGN4),subcontext(0),subcontext_size(UserSidLength)] dom_sid0 UserSid;
+               nstring Strings[NumStrings];
+               [flag(NDR_PAHEX)] uint8 Data[DataLength];
+               astring Pad;
+               [value(Length)] uint32 Length2;
+       } EVENTLOGRECORD;
+
+       typedef [public] struct {
+               [value(0x28)] uint32 RecordSizeBeginning;
+               [value(0x11111111)] uint32 One;
+               [value(0x22222222)] uint32 Two;
+               [value(0x33333333)] uint32 Three;
+               [value(0x44444444)] uint32 Four;
+               uint32 BeginRecord;
+               uint32 EndRecord;
+               uint32 CurrentRecordNumber;
+               uint32 OldestRecordNumber;
+               [value(0x28)] uint32 RecordSizeEnd;
+       } EVENTLOGEOF;
+
+       /* the following is true for a non-wrapped evt file (e.g. backups
+        * generated and viewed with eventvwr) */
+
+       typedef [public] struct {
+               EVENTLOGHEADER hdr;
+               EVENTLOGRECORD records[hdr.CurrentRecordNumber-hdr.OldestRecordNumber];
+               EVENTLOGEOF eof;
+       } EVENTLOG_EVT_FILE;
+
        /******************/
        /* Function: 0x00 */
        NTSTATUS eventlog_ClearEventLogW(
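Review bot: The element count of the EVENTLOG_EVT_FILE records array, `hdr.CurrentRecordNumber-hdr.OldestRecordNumber`, is an unchecked subtraction of two uint32 fields read straight from the on-disk file; a truncated, dirty or crafted .evt whose OldestRecordNumber exceeds CurrentRecordNumber yields a count close to 2^32, and the generated pull will try to allocate and iterate that many records before it runs out of buffer. The comment above the struct already restricts it to non-wrapped files, but nothing in the IDL enforces that, so either the caller has to verify `hdr.OldestRecordNumber <= hdr.CurrentRecordNumber` and that `ELF_LOGFILE_HEADER_WRAP` is clear in `hdr.Flags` before pulling EVENTLOG_EVT_FILE, or that precondition should be written into the comment, e.g. `/* callers must check hdr.Signature, hdr.HeaderSize and OldestRecordNumber <= CurrentRecordNumber before pulling; a wrapped log (ELF_LOGFILE_HEADER_WRAP) is not laid out like this */`. Likewise the `[value(...)]` attributes on HeaderSize, Signature, Reserved and the EVENTLOGEOF marker fields presumably only drive the push side, so on pull the file's actual magic values are not compared against them and a consumer cannot rely on the NDR pull to reject a non-.evt input; this is inferred, since the generated code is not in the hunk. The eventlog_ClearEventLogW declaration continues past the end of the hunk.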