1.3.1 Background
Event logs allow applications or the operating system to store historical information that is of interest to administrators. The information is organized into separate, discrete pieces, each referred to as an event. An example of an event is a user logging on to the computer.
The events represented in an event log are referred to as records. The records in a log are numbered. The first event written has its record number (that is, a field in the record) set to 1, the second event has its record number set to 2, and so on. Logs can be configured to be circular. A circular log is one in which the oldest records are overwritten once the logs reach some maximum size. Once a record is written, it is never again updated and is thereafter treated as read-only.
A computer can have several event logs. One log might be devoted to security events while another can be for general application use.
Applications or components that write to event logs are known as publishers. A single event log might contain events from many publishers. A single publisher can write to multiple logs. Publishers play the role played by event sources in the EventLog Remoting Protocol [MS-EVEN].
Publishers write several kinds of events. For example, a user logging on to the computer could be one kind of event while a user logging off would be another. When a publisher writes an event, it specifies an event descriptor, which indicates what kind of event is being written. Event descriptors (section 1.8.3) subsume the eventID and event category fields used in the EventLog Remoting Protocol. Publishers also specify message files that are used to define localized messages that can be used to display events using localized strings.
An event log can be either a live event log or a backup event log. A live event log is one that can be used for both reading and writing. A live event log can be used to create a backup event log, which is a read-only snapshot of a live event log. Backup event logs are typically used for archival purposes or are copied to another computer for use by support personnel.
Each live event log corresponds to a channel. A channel is a logical data stream of event records. Publishers write to channels, and each channel has a live event log as its physical backing store. Events can be read from either a backup event log or a channel corresponding to a live event log. A backup event log cannot be associated with a channel.
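The following is an added example, not part of [MS-EVEN6] and not Windows' implementation, that models the behaviour described in this section in a few dozen lines of Python: record numbers assigned in write order starting at 1, a circular log that discards its oldest records at a maximum size, records that cannot be modified once written, publishers writing through a channel, and a backup log that is a read-only snapshot with no channel. All class and function names are hypothetical, and the publisher and event identifiers are constructed for the demo. It also shows one check a practitioner wants: because numbering never restarts, the lowest record number still present tells you how many records a circular log has already overwritten.

```python
"""Added example: an in-memory model of live logs, channels, circular
overwrite, immutable records and backup snapshots. Not MS-EVEN6 code;
all names are hypothetical and sample events are constructed."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class EventRecord:
    """One event record. frozen=True models 'never again updated'."""
    record_number: int
    publisher: str
    event_id: int        # stands in for the event descriptor's identifier
    message: str


class LiveEventLog:
    """A live log: readable and writable; circular if max_records is set."""

    def __init__(self, name: str, max_records: Optional[int] = None):
        self.name = name
        self.max_records = max_records
        self._records: List[EventRecord] = []
        self._next_number = 1            # first record written is number 1

    def write(self, publisher: str, event_id: int, message: str) -> int:
        rec = EventRecord(self._next_number, publisher, event_id, message)
        self._next_number += 1           # numbers are never reused
        self._records.append(rec)
        # Circular log: the oldest records are dropped past the maximum.
        if self.max_records is not None and len(self._records) > self.max_records:
            del self._records[: len(self._records) - self.max_records]
        return rec.record_number

    def read(self) -> List[EventRecord]:
        return list(self._records)

    def overwritten_count(self) -> int:
        """Records lost to circular overwrite: the first surviving record
        number minus one, since numbering starts at 1 and never restarts."""
        if not self._records:
            return 0
        return self._records[0].record_number - 1

    def backup(self) -> "BackupEventLog":
        """Snapshot the current contents into a read-only backup log."""
        return BackupEventLog(self.name, self.read())


class BackupEventLog:
    """Read-only snapshot: no write method, and no channel is attached."""

    def __init__(self, source_name: str, records: List[EventRecord]):
        self.source_name = source_name
        self._records = tuple(records)

    def read(self) -> List[EventRecord]:
        return list(self._records)


class Channel:
    """Logical stream that publishers write to; backed by one live log."""

    def __init__(self, name: str, backing_log: LiveEventLog):
        self.name = name
        self.backing_log = backing_log

    def publish(self, publisher: str, event_id: int, message: str) -> int:
        return self.backing_log.write(publisher, event_id, message)


def demo() -> dict:
    """Constructed scenario: a 3-record circular log, five writes, a backup,
    then one more write to show the backup no longer tracks the live log."""
    log = LiveEventLog("Application", max_records=3)
    chan = Channel("Application", log)
    for i in range(5):
        chan.publish("ExamplePublisher", 1000 + i, f"constructed event {i}")
    snapshot = log.backup()
    chan.publish("ExamplePublisher", 2000, "written after the backup")
    return {
        "live_numbers": [r.record_number for r in log.read()],
        "backup_numbers": [r.record_number for r in snapshot.read()],
        "overwritten": log.overwritten_count(),
        "backup_is_writable": hasattr(snapshot, "write"),
    }


if __name__ == "__main__":
    print(demo())
```

Note the forensic reading of `overwritten_count`: when a circular log's first record number is greater than 1, records have already been lost, and a backup taken afterwards cannot recover them; a backup is a snapshot of what the live log still held at that moment.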