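/*
 * PROJECT:         ReactOS EventLog File Library
 * LICENSE:         GPL - See COPYING in the top level directory
 * FILE:            sdk/lib/evtlib/evtlib.h
 * PURPOSE:         Provides functionality for reading and writing
 *                  EventLog files in the NT <= 5.2 (.evt) format.
 * PROGRAMMERS:     Copyright 2005 Saveliy Tretiakov
 *                  Michael Martin
 *                  Hermes Belusca-Maito
 */

#ifndef __EVTLIB_H__
#define __EVTLIB_H__

#pragma once

#ifdef __cplusplus
extern "C" {
#endif

/* PSDK/NDK Headers */
// #define WIN32_NO_STATUS
// #include <windef.h>
// #include <winbase.h>
// #include <winnt.h>

#define NTOS_MODE_USER
#include <ndk/rtlfuncs.h>

/*
 * Alignment helpers (only defined here if no earlier header provided them).
 *
 * 'align' must be a power of two, because the rounding is done with a bit
 * mask. 'n' is converted to ULONG before rounding, so the result is always
 * computed modulo the ULONG range: a wider value is truncated, and ROUND_UP
 * wraps around to a small number when n + align - 1 does not fit. Lengths
 * and offsets taken from a log file should therefore be checked against the
 * real file/buffer size before they are rounded.
 *
 * 'n' is parenthesised so that the cast applies to the whole argument
 * expression and not only to its first operand.
 */
#ifndef ROUND_DOWN
#define ROUND_DOWN(n, align) (((ULONG)(n)) & ~((align) - 1l))
#endif

#ifndef ROUND_UP
#define ROUND_UP(n, align) ROUND_DOWN(((ULONG)(n)) + (align) - 1, (align))
#endif

/*
 * Our file format will be compatible with NT's
 */
#define MAJORVER 1
#define MINORVER 1
#define LOGFILE_SIGNATURE 0x654c664c // "LfLe"

/*
 * Flags used in the logfile header
 */
#define ELF_LOGFILE_HEADER_DIRTY    1
#define ELF_LOGFILE_HEADER_WRAP     2
#define ELF_LOGFILE_LOGFULL_WRITTEN 4
#define ELF_LOGFILE_ARCHIVE_SET     8

/*
 * On-disk event log structures (log file header, event record and EOF record).
 * NOTE: Contrary to what MSDN claims, both the EVENTLOGHEADER and EVENTLOGEOF
 * structures are absent from winnt.h .
 *
 * Every member of these structures is read from the file as-is. Code that
 * loads a log file it did not write itself should treat all sizes, offsets
 * and record numbers below as untrusted until they have been range-checked.
 */

#include <pshpack4.h> // pshpack1

// ELF_LOGFILE_HEADER
/*
 * Log file header, stored in the file.
 * HeaderSize and EndHeaderSize bracket the structure (presumably both hold
 * the header size, the way Length is repeated at the end of an event record;
 * confirm in the implementation). StartOffset, EndOffset and MaxSize should
 * be validated against the actual file size before being used to seek.
 */
typedef struct _EVENTLOGHEADER
{
    ULONG HeaderSize;
    ULONG Signature;            /* Expected to be LOGFILE_SIGNATURE */
    ULONG MajorVersion;
    ULONG MinorVersion;
    ULONG StartOffset;
    ULONG EndOffset;
    ULONG CurrentRecordNumber;
    ULONG OldestRecordNumber;
    ULONG MaxSize;
    ULONG Flags;                /* ELF_LOGFILE_* flags defined above */
    ULONG Retention;
    ULONG EndHeaderSize;
} EVENTLOGHEADER, *PEVENTLOGHEADER;


/* Those flags and structure are defined in winnt.h */
#ifndef _WINNT_

/* EventType flags */
#define EVENTLOG_SUCCESS            0
#define EVENTLOG_ERROR_TYPE         1
#define EVENTLOG_WARNING_TYPE       2
#define EVENTLOG_INFORMATION_TYPE   4
#define EVENTLOG_AUDIT_SUCCESS      8
#define EVENTLOG_AUDIT_FAILURE      16

/*
 * Fixed part of one event record; the variable-length data listed at the end
 * follows it directly.
 *
 * The length and offset members locate that variable-length data. Before
 * following any of them, a reader should check that Length is at least
 * sizeof(EVENTLOGRECORD), that Length does not exceed the amount of data
 * actually available, and that every offset/length pair stays inside the
 * record.
 */
typedef struct _EVENTLOGRECORD
{
    ULONG  Length;              /* Length of full record, including the data portion */
    ULONG  Reserved;
    ULONG  RecordNumber;
    ULONG  TimeGenerated;
    ULONG  TimeWritten;
    ULONG  EventID;
    USHORT EventType;           /* One of the EventType flags above */
    USHORT NumStrings;          /* Number of strings in the 'Strings' array */
    USHORT EventCategory;
    USHORT ReservedFlags;
    ULONG  ClosingRecordNumber;
    ULONG  StringOffset;        /* Presumably from beginning of record, like DataOffset - confirm */
    ULONG  UserSidLength;
    ULONG  UserSidOffset;       /* Presumably from beginning of record, like DataOffset - confirm */
    ULONG  DataLength;          /* Length of the data portion */
    ULONG  DataOffset;          /* Offset from beginning of record */
    /*
     * Length-varying data:
     *
     * WCHAR SourceName[];
     * WCHAR ComputerName[];
     * SID   UserSid;           // Must be aligned on a DWORD boundary
     * WCHAR Strings[];
     * BYTE  Data[];
     * CHAR  Pad[];             // Padding for DWORD boundary
     * ULONG Length;            // Same as the first 'Length' member at the beginning
     */
} EVENTLOGRECORD, *PEVENTLOGRECORD;

#endif // _WINNT_


// ELF_EOF_RECORD
/*
 * End-of-file record. RecordSizeBeginning and RecordSizeEnd bracket the
 * record; Ones..Fours are, judging by their names, fixed marker values
 * (confirm in the implementation). BeginRecord and EndRecord are
 * file-supplied values and need the same range checks as the header offsets.
 */
typedef struct _EVENTLOGEOF
{
    ULONG RecordSizeBeginning;
    ULONG Ones;
    ULONG Twos;
    ULONG Threes;
    ULONG Fours;
    ULONG BeginRecord;
    ULONG EndRecord;
    ULONG CurrentRecordNumber;
    ULONG OldestRecordNumber;
    ULONG RecordSizeEnd;
} EVENTLOGEOF, *PEVENTLOGEOF;

/*
 * Size of the leading part of EVENTLOGEOF, from RecordSizeBeginning up to and
 * including Fours. The C_ASSERT ties the constant to the structure layout so
 * that a packing or member change breaks the build.
 */
#define EVENTLOGEOF_SIZE_FIXED  (5 * sizeof(ULONG))
C_ASSERT(EVENTLOGEOF_SIZE_FIXED == FIELD_OFFSET(EVENTLOGEOF, BeginRecord));

#include <poppack.h>


/* Pairs an event number with an offset (in-memory only, declared outside the packed section) */
typedef struct _EVENT_OFFSET_INFO
{
    ULONG EventNumber;
    ULONG EventOffset;
} EVENT_OFFSET_INFO, *PEVENT_OFFSET_INFO;

/* Presumably the values passed as 'Tag' to the Allocate/Free callbacks - usage is not visible here */
#define TAG_ELF     ' flE'
#define TAG_ELF_BUF 'BflE'

struct _EVTLOGFILE;

/*
 * Callbacks supplied by the user of the library (see ElfCreateFile).
 * Memory management and file I/O are expressed through these routines.
 * Their exact contracts are not stated in this header; the notes below only
 * restate the signatures.
 */

/* Allocation callback: takes a size, flags and a tag, returns a pointer */
typedef PVOID
(NTAPI *PELF_ALLOCATE_ROUTINE)(
    IN SIZE_T Size,
    IN ULONG Flags,
    IN ULONG Tag
);

/* Release callback: takes a pointer, flags and a tag */
typedef VOID
(NTAPI *PELF_FREE_ROUTINE)(
    IN PVOID Ptr,
    IN ULONG Flags,
    IN ULONG Tag
);

/*
 * Read callback: Length bytes at FileOffset into Buffer.
 * ReadLength is optional; NOTE(review): whether a short read is reported as
 * success is up to the implementation, so callers should compare ReadLength
 * with Length - confirm.
 */
typedef NTSTATUS
(NTAPI *PELF_FILE_READ_ROUTINE)(
    IN  struct _EVTLOGFILE* LogFile,
    IN  PLARGE_INTEGER FileOffset,
    OUT PVOID   Buffer,
    IN  SIZE_T  Length,
    OUT PSIZE_T ReadLength OPTIONAL
);

/* Write callback: Length bytes from Buffer at FileOffset; WrittenLength is optional */
typedef NTSTATUS
(NTAPI *PELF_FILE_WRITE_ROUTINE)(
    IN  struct _EVTLOGFILE* LogFile,
    IN  PLARGE_INTEGER FileOffset,
    IN  PVOID   Buffer,
    IN  SIZE_T  Length,
    OUT PSIZE_T WrittenLength OPTIONAL
);

/* Resize callback: receives the new and the old file size */
typedef NTSTATUS
(NTAPI *PELF_FILE_SET_SIZE_ROUTINE)(
    IN struct _EVTLOGFILE* LogFile,
    IN ULONG FileSize,
    IN ULONG OldFileSize
);

/* Flush callback: receives a file offset and a length */
typedef NTSTATUS
(NTAPI *PELF_FILE_FLUSH_ROUTINE)(
    IN struct _EVTLOGFILE* LogFile,
    IN PLARGE_INTEGER FileOffset,
    IN ULONG Length
);

/*
 * In-memory state of one log file: the callbacks, a copy of the file header
 * and bookkeeping data.
 */
typedef struct _EVTLOGFILE
{
    PELF_ALLOCATE_ROUTINE Allocate;
    PELF_FREE_ROUTINE     Free;
    PELF_FILE_SET_SIZE_ROUTINE FileSetSize;
    PELF_FILE_WRITE_ROUTINE    FileWrite;
    PELF_FILE_READ_ROUTINE     FileRead;
    PELF_FILE_FLUSH_ROUTINE    FileFlush;

    EVENTLOGHEADER Header;
    ULONG CurrentSize;              /* Equivalent to the file size, is <= MaxSize and can be extended to MaxSize if needed */
    UNICODE_STRING FileName;
    PEVENT_OFFSET_INFO OffsetInfo;  /* Array of EVENT_OFFSET_INFO entries */
    ULONG OffsetInfoSize;           /* Presumably the capacity of OffsetInfo - confirm */
    ULONG OffsetInfoNext;           /* Presumably the next free index in OffsetInfo - confirm */
    BOOLEAN ReadOnly;
} EVTLOGFILE, *PEVTLOGFILE;


/*
 * Sets up LogFile with the given name, sizes, retention, mode flags and
 * callbacks. The callback parameters have the same names and types as the
 * EVTLOGFILE members. NOTE(review): which validation is applied to an
 * existing file's header and records is not visible from this header.
 */
NTSTATUS
NTAPI
ElfCreateFile(
    IN OUT PEVTLOGFILE LogFile,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN ULONG    FileSize,
    IN ULONG    MaxSize,
    IN ULONG    Retention,
    IN BOOLEAN  CreateNew,
    IN BOOLEAN  ReadOnly,
    IN PELF_ALLOCATE_ROUTINE   Allocate,
    IN PELF_FREE_ROUTINE       Free,
    IN PELF_FILE_SET_SIZE_ROUTINE FileSetSize,
    IN PELF_FILE_WRITE_ROUTINE FileWrite,
    IN PELF_FILE_READ_ROUTINE  FileRead,
    IN PELF_FILE_FLUSH_ROUTINE FileFlush); // What about Seek ??

NTSTATUS
NTAPI
ElfReCreateFile(
    IN PEVTLOGFILE LogFile);

// NTSTATUS
// ElfClearFile(PEVTLOGFILE LogFile);

/* Takes a source log file and a second EVTLOGFILE that receives the backup */
NTSTATUS
NTAPI
ElfBackupFile(
    IN PEVTLOGFILE LogFile,
    IN PEVTLOGFILE BackupLogFile);

NTSTATUS
NTAPI
ElfFlushFile(
    IN PEVTLOGFILE LogFile);

VOID
NTAPI
ElfCloseFile(  // ElfFree
    IN PEVTLOGFILE LogFile);

/*
 * Reads the record numbered RecordNumber into Record, a caller buffer of
 * BufSize bytes. BytesRead and BytesNeeded are optional outputs; presumably
 * BytesNeeded reports the required size when BufSize is too small - confirm.
 * The returned record still carries file-supplied offsets and lengths, so the
 * caller should bound them by the number of bytes actually returned.
 */
NTSTATUS
NTAPI
ElfReadRecord(
    IN  PEVTLOGFILE LogFile,
    IN  ULONG RecordNumber,
    OUT PEVENTLOGRECORD Record,
    IN  SIZE_T  BufSize, // Length
    OUT PSIZE_T BytesRead OPTIONAL,
    OUT PSIZE_T BytesNeeded OPTIONAL);

/*
 * Writes Record, held in a buffer of BufSize bytes.
 * NOTE(review): the header does not say how BufSize and Record->Length are
 * reconciled; callers should make sure they agree rather than rely on the
 * library to check.
 */
NTSTATUS
NTAPI
ElfWriteRecord(
    IN PEVTLOGFILE LogFile,
    IN PEVENTLOGRECORD Record,
    IN SIZE_T BufSize);

/* Accessors; by their names they return header values of LogFile */
ULONG
NTAPI
ElfGetOldestRecord(
    IN PEVTLOGFILE LogFile);

ULONG
NTAPI
ElfGetCurrentRecord(
    IN PEVTLOGFILE LogFile);

ULONG
NTAPI
ElfGetFlags(
    IN PEVTLOGFILE LogFile);

#if DBG
/* Debug builds only */
VOID PRINT_HEADER(PEVENTLOGHEADER Header);
#endif

#ifdef __cplusplus
}
#endif

#endif  /* __EVTLIB_H__ */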