3.1.4.8 ElfrReadELA (Opnum 17)

The ElfrReadELA (Opnum 17) method reads events from the event log; the server transmits these events to the client and advances the reader's position within the event log associated with the server context handle that is passed in the LogHandle parameter. The strings in the returned events MUST be ANSI.

 NTSTATUS ElfrReadELA(
   [in] IELF_HANDLE LogHandle,
   [in] unsigned long ReadFlags,
   [in] unsigned long RecordOffset,
   [in] RULONG NumberOfBytesToRead,
   [out, size_is(NumberOfBytesToRead)] 
     unsigned char* Buffer,
   [out] unsigned long* NumberOfBytesRead,
   [out] unsigned long* MinNumberOfBytesNeeded
 );

LogHandle: Handle to an event log to read. This parameter is a server context handle, as specified in section 2.2.6.

ReadFlags: The caller MUST specify if the read is to start at a specific record, or is to proceed from the last record read. The value MUST be one and only one of the following flags.

| Value | Meaning |
| --- | --- |
| EVENTLOG_SEQUENTIAL_READ 0x00000001 | Read operation proceeds sequentially from the last call to the ElfrReadELA (section 3.1.4.8) method or the ElfrReadELW (section 3.1.4.7) method, using this handle. This flag cannot be used with EVENTLOG_SEEK_READ. |
| EVENTLOG_SEEK_READ 0x00000002 | Read operation proceeds from the record specified by the RecordOffset parameter. This flag cannot be used with EVENTLOG_SEQUENTIAL_READ. |

Because the method reads as many records as can fit in the buffer, the caller MUST also set one and only one of the following flags to indicate the direction for successive read operations.

| Value | Meaning |
| --- | --- |
| EVENTLOG_FORWARDS_READ 0x00000004 | Log is read in chronological order. This flag cannot be used with EVENTLOG_BACKWARDS_READ. |
| EVENTLOG_BACKWARDS_READ 0x00000008 | Log is read in reverse chronological order. This flag cannot be used with EVENTLOG_FORWARDS_READ. |

RecordOffset: Log entry record number at which the read operation is to start. Each event in a log has a record number. This parameter MUST be ignored unless the EVENTLOG_SEEK_READ bit is set in the ReadFlags parameter.

NumberOfBytesToRead: Size of the buffer in bytes. This is the maximum amount of data that can be read.

Buffer: Data read from the event log.

NumberOfBytesRead: Number of bytes read by the method.

MinNumberOfBytesNeeded: If the method fails because the buffer is too small to fit even a single record, this MUST be set to the minimum number of bytes needed to fit the next record. Otherwise, this MUST NOT be set, and MUST be ignored by the caller.

Return Values: The method MUST return STATUS_SUCCESS (0x00000000) on success. The method MUST return STATUS_BUFFER_TOO_SMALL (0xC0000023) if the buffer is too small to fit even one record. Otherwise, it MUST return any other implementation-based, nonzero NTSTATUS value specified in [MS-ERREF].

This is identical to the ElfrReadELW (section 3.1.4.7) method except that the events placed in the buffer MUST be ANSI strings rather than [UNICODE] strings.
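The ReadFlags and MinNumberOfBytesNeeded rules above, as an added C sketch that is not part of the specification: a server-side flag check and a client-side retry-size decision. The helper names, the use of STATUS_INVALID_PARAMETER as the rejection status, the rejection of undefined flag bits, and the caller-supplied size cap are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag values and status codes as given in this section. */
#define EVENTLOG_SEQUENTIAL_READ 0x00000001u
#define EVENTLOG_SEEK_READ       0x00000002u
#define EVENTLOG_FORWARDS_READ   0x00000004u
#define EVENTLOG_BACKWARDS_READ  0x00000008u
#define STATUS_SUCCESS           0x00000000u
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u
/* Assumption: rejection status picked for this sketch; the section only
   requires some nonzero NTSTATUS value from [MS-ERREF]. */
#define STATUS_INVALID_PARAMETER 0xC000000Du

/* Hypothetical helper: true when exactly one bit of `pair` is set in `flags`. */
static int exactly_one(uint32_t flags, uint32_t pair) {
    uint32_t v = flags & pair;
    return v != 0 && (v & (v - 1)) == 0;
}

/* Hypothetical server-side check, run before any log data is read.
   Rejecting bits outside the four defined flags is an assumption. */
uint32_t check_read_flags(uint32_t flags) {
    const uint32_t mode = EVENTLOG_SEQUENTIAL_READ | EVENTLOG_SEEK_READ;
    const uint32_t dir  = EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ;
    if (flags & ~(mode | dir))
        return STATUS_INVALID_PARAMETER;   /* undefined bits present */
    if (!exactly_one(flags, mode) || !exactly_one(flags, dir))
        return STATUS_INVALID_PARAMETER;   /* none or both of a pair */
    return STATUS_SUCCESS;
}

/* Hypothetical client-side helper: buffer size for a retry, or 0 for none.
   MinNumberOfBytesNeeded is honored only on STATUS_BUFFER_TOO_SMALL and
   only up to `cap`, so a misbehaving server cannot drive the allocation. */
uint32_t retry_size(uint32_t status, uint32_t min_needed, uint32_t cap) {
    if (status != STATUS_BUFFER_TOO_SMALL)
        return 0;                          /* value MUST be ignored */
    if (min_needed == 0 || min_needed > cap)
        return 0;                          /* implausible or over the limit */
    return min_needed;
}

int main(void) {
    /* Constructed sample inputs. */
    printf("seq|fwd      -> 0x%08X\n", (unsigned)check_read_flags(0x5));
    printf("seq|seek|fwd -> 0x%08X\n", (unsigned)check_read_flags(0x7));
    printf("retry size   -> %u\n",
           (unsigned)retry_size(STATUS_BUFFER_TOO_SMALL, 512, 65536));
    return 0;
}
```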