1 /*
2 * PROJECT: ReactOS EventLog File Library
3 * LICENSE: GPL - See COPYING in the top level directory
4 * FILE: sdk/lib/evtlib/evtlib.h
5 * PURPOSE: Provides a library for reading and writing EventLog files
6 * in the NT <= 5.2 (.evt) format.
7 * PROGRAMMERS: Copyright 2005 Saveliy Tretiakov
8 * Michael Martin
9 * Hermes Belusca-Maito
10 */
11
12 #ifndef __EVTLIB_H__
13 #define __EVTLIB_H__
14
15 /* PSDK/NDK Headers */
16 // #define WIN32_NO_STATUS
17 // #include <windef.h>
18 // #include <winbase.h>
19 // #include <winnt.h>
20
21 #define NTOS_MODE_USER
22 #include <ndk/rtlfuncs.h>
23
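/*
 * Alignment helpers, used only when no earlier header has defined them.
 *
 * 'align' must be a power of two: the mask ~(align - 1) clears exactly the
 * low bits only in that case.
 *
 * Both macros cast the value to ULONG and compute in unsigned arithmetic,
 * which wraps on overflow. ROUND_UP of a value within (align - 1) of the
 * ULONG maximum therefore yields a small number rather than an error.
 * Range-check any length or offset taken from a log file before rounding it
 * and using the result as a size or position.
 *
 * 'n' is parenthesized before the cast so that an expression argument is
 * converted as a whole, not just its first operand. ROUND_UP expands 'align'
 * twice, so do not pass an expression with side effects.
 */
#ifndef ROUND_DOWN
#define ROUND_DOWN(n, align) (((ULONG)(n)) & ~((align) - 1l))
#endif

#ifndef ROUND_UP
#define ROUND_UP(n, align) ROUND_DOWN(((ULONG)(n)) + (align) - 1, (align))
#endif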
31
/*
 * Our file format will be compatible with NT's
 */
/*
 * Format version and magic value.
 * NOTE(review): presumably compared with EVENTLOGHEADER.MajorVersion,
 * MinorVersion and Signature when a file is opened -- confirm in the
 * implementation. Stored little-endian, the signature bytes are
 * 4C 66 4C 65, which a hex dump shows as "LfLe".
 */
#define MAJORVER 1
#define MINORVER 1
#define LOGFILE_SIGNATURE 0x654c664c // "LfLe"

/*
 * Flags used in the logfile header
 */
/*
 * Bit values, so they can be combined in one ULONG. Meanings below follow
 * Microsoft's description of the event log file format; how this library
 * sets and tests them is not visible in this header.
 *  - DIRTY:           records were written but the file was not properly
 *                     closed. NOTE(review): the header's offsets and record
 *                     numbers may then be stale; presumably the EOF record is
 *                     what a reader should rely on -- confirm.
 *  - WRAP:            the records have wrapped around inside the file.
 *  - LOGFULL_WRITTEN: the most recent write failed because the log was full.
 *  - ARCHIVE_SET:     the archive attribute has been set for the file.
 */
#define ELF_LOGFILE_HEADER_DIRTY 1
#define ELF_LOGFILE_HEADER_WRAP 2
#define ELF_LOGFILE_LOGFULL_WRITTEN 4
#define ELF_LOGFILE_ARCHIVE_SET 8
46
47 /*
48 * On-disk event log structures (log file header, event record and EOF record).
49 * NOTE: Contrary to what MSDN claims, both the EVENTLOGHEADER and EVENTLOGEOF
50 * structures are absent from winnt.h .
51 */
52
53 #include <pshpack4.h> // pshpack1
54
// ELF_LOGFILE_HEADER
/*
 * Fixed-size header of an event log file: twelve ULONG fields.
 *
 * Every field is read from disk. For a file of unknown origin (a log copied
 * off another machine, an evidence image) the values are untrusted input.
 * NOTE(review): StartOffset, EndOffset and MaxSize look like byte positions
 * and sizes within the file. They should be checked against the real file
 * size, and against each other, before being used to seek or to size a
 * buffer -- confirm where the reader enforces this.
 */
typedef struct _EVENTLOGHEADER
{
    ULONG HeaderSize;           /* presumably the size of this header -- confirm */
    ULONG Signature;            /* presumably LOGFILE_SIGNATURE -- confirm */
    ULONG MajorVersion;
    ULONG MinorVersion;
    ULONG StartOffset;          /* presumably the offset of the oldest record -- confirm */
    ULONG EndOffset;            /* presumably the offset of the EOF record -- confirm */
    ULONG CurrentRecordNumber;
    ULONG OldestRecordNumber;
    ULONG MaxSize;
    ULONG Flags;                /* ELF_LOGFILE_* bits, per the "logfile header" flag comment */
    ULONG Retention;
    ULONG EndHeaderSize;        /* presumably repeats HeaderSize -- confirm */
} EVENTLOGHEADER, *PEVENTLOGHEADER;
71
72
/* These flags and structure are defined in winnt.h */
#ifndef _WINNT_

/* EventType flags */
#define EVENTLOG_SUCCESS 0
#define EVENTLOG_ERROR_TYPE 1
#define EVENTLOG_WARNING_TYPE 2
#define EVENTLOG_INFORMATION_TYPE 4
#define EVENTLOG_AUDIT_SUCCESS 8
#define EVENTLOG_AUDIT_FAILURE 16

/*
 * Fixed part of one event record; the variable-length data listed at the end
 * of the structure follows it directly.
 *
 * NOTE(review): Length, NumStrings, StringOffset, UserSidOffset/UserSidLength
 * and DataOffset/DataLength all come from the file. Before dereferencing any
 * of them a parser should verify that
 *   - Length is at least sizeof(EVENTLOGRECORD) plus the trailing ULONG and
 *     does not exceed the bytes actually read;
 *   - each offset, and each offset + length computed without ULONG
 *     wrap-around, stays inside Length;
 *   - the source name, computer name and all NumStrings strings terminate
 *     inside the record;
 *   - the trailing Length copy equals the leading one.
 * Confirm where the implementation enforces these.
 */
typedef struct _EVENTLOGRECORD
{
    ULONG Length; /* Length of full record, including the data portion */
    ULONG Reserved; /* per the Win32 documentation, holds the "LfLe" signature value */
    ULONG RecordNumber;
    ULONG TimeGenerated; /* per the Win32 documentation, seconds since 1970-01-01 00:00:00 UTC */
    ULONG TimeWritten; /* same unit as TimeGenerated */
    ULONG EventID;
    USHORT EventType; /* one of the EVENTLOG_* EventType flags */
    USHORT NumStrings; /* Number of strings in the 'Strings' array */
    USHORT EventCategory;
    USHORT ReservedFlags;
    ULONG ClosingRecordNumber;
    ULONG StringOffset; /* presumably from beginning of record, like DataOffset -- confirm */
    ULONG UserSidLength;
    ULONG UserSidOffset; /* presumably from beginning of record, like DataOffset -- confirm */
    ULONG DataLength; /* Length of the data portion */
    ULONG DataOffset; /* Offset from beginning of record */
    /*
     * Length-varying data:
     *
     * WCHAR SourceName[];
     * WCHAR ComputerName[];
     * SID UserSid; // Must be aligned on a DWORD boundary
     * WCHAR Strings[];
     * BYTE Data[];
     * CHAR Pad[]; // Padding for DWORD boundary
     * ULONG Length; // Same as the first 'Length' member at the beginning
     */
} EVENTLOGRECORD, *PEVENTLOGRECORD;

#endif // _WINNT_
116
117
// ELF_EOF_RECORD
/*
 * End-of-file marker record: ten ULONG fields.
 *
 * In the NT format the four fields Ones..Fours hold the fixed patterns
 * 0x11111111, 0x22222222, 0x33333333 and 0x44444444, which is what lets a
 * reader tell this record from an event record.
 * NOTE(review): BeginRecord and EndRecord look like file offsets and, like
 * the header offsets, should be range-checked against the file size before
 * use -- confirm. RecordSizeBeginning and RecordSizeEnd presumably both hold
 * the size of this record -- confirm.
 */
typedef struct _EVENTLOGEOF
{
    ULONG RecordSizeBeginning;
    ULONG Ones;
    ULONG Twos;
    ULONG Threes;
    ULONG Fours;
    ULONG BeginRecord;
    ULONG EndRecord;
    ULONG CurrentRecordNumber;
    ULONG OldestRecordNumber;
    ULONG RecordSizeEnd;
} EVENTLOGEOF, *PEVENTLOGEOF;

/*
 * Size of the constant leading part (RecordSizeBeginning through Fours).
 * The compile-time assertion checks that exactly these five ULONGs precede
 * BeginRecord, so the value breaks the build if the layout changes.
 */
#define EVENTLOGEOF_SIZE_FIXED (5 * sizeof(ULONG))
C_ASSERT(EVENTLOGEOF_SIZE_FIXED == FIELD_OFFSET(EVENTLOGEOF, BeginRecord));
135
136 #include <poppack.h>
137
138
/*
 * One entry pairing an event number with an offset; EVTLOGFILE keeps a
 * pointer to these in its OffsetInfo member.
 * NOTE(review): presumably an in-memory index from record number to file
 * offset, built while reading the file -- confirm. If so, EventOffset is
 * derived from file contents and inherits their trust level.
 */
typedef struct _EVENT_OFFSET_INFO
{
    ULONG EventNumber;
    ULONG EventOffset;
} EVENT_OFFSET_INFO, *PEVENT_OFFSET_INFO;

/*
 * Four-character tags, written reversed ("Elf " and "ElfB").
 * NOTE(review): presumably passed as the Tag argument of the allocation
 * callback (PELF_ALLOCATE_ROUTINE) -- confirm.
 */
#define TAG_ELF ' flE'
#define TAG_ELF_BUF 'BflE'
147
/* Forward declaration: the file I/O callback types take a pointer to it. */
struct _EVTLOGFILE;

/*
 * Memory allocation callback supplied by the library's user.
 *
 * Size:  number of bytes requested.
 * Flags: allocation flags; their meaning is defined by the implementer and
 *        is not visible in this header.
 * Tag:   allocation tag.
 * Returns a pointer to the allocated block.
 * NOTE(review): presumably returns NULL on failure; callers should check the
 * result before writing to it -- confirm.
 */
typedef PVOID
(NTAPI *PELF_ALLOCATE_ROUTINE)(
    IN SIZE_T Size,
    IN ULONG Flags,
    IN ULONG Tag
);

/*
 * Memory release callback, the counterpart of PELF_ALLOCATE_ROUTINE.
 *
 * Ptr:   block to release.
 * Flags: flags defined by the implementer.
 */
typedef VOID
(NTAPI *PELF_FREE_ROUTINE)(
    IN PVOID Ptr,
    IN ULONG Flags
);
162
/*
 * Read callback: reads Length bytes at FileOffset into Buffer.
 *
 * LogFile:    the log file object the read is for.
 * FileOffset: position to read from.
 * Buffer:     destination; must be able to hold Length bytes.
 * Length:     number of bytes requested.
 * ReadLength: optional; receives the number of bytes read.
 * Returns an NTSTATUS code.
 * NOTE(review): a truncated or damaged file can yield fewer bytes than
 * requested. Code that parses the buffer should go by the returned count,
 * not by Length -- confirm the callers do.
 */
typedef NTSTATUS
(NTAPI *PELF_FILE_READ_ROUTINE)(
    IN struct _EVTLOGFILE* LogFile,
    IN PLARGE_INTEGER FileOffset,
    OUT PVOID Buffer,
    IN SIZE_T Length,
    OUT PSIZE_T ReadLength OPTIONAL
);

/*
 * Write callback: writes Length bytes from Buffer at FileOffset.
 *
 * LogFile:       the log file object the write is for.
 * FileOffset:    position to write to.
 * Buffer:        source data.
 * Length:        number of bytes to write.
 * WrittenLength: optional; receives the number of bytes written.
 * Returns an NTSTATUS code.
 */
typedef NTSTATUS
(NTAPI *PELF_FILE_WRITE_ROUTINE)(
    IN struct _EVTLOGFILE* LogFile,
    IN PLARGE_INTEGER FileOffset,
    IN PVOID Buffer,
    IN SIZE_T Length,
    OUT PSIZE_T WrittenLength OPTIONAL
);

/*
 * Resize callback: takes the new and the previous file size.
 * Both sizes are ULONG.
 * Returns an NTSTATUS code.
 */
typedef NTSTATUS
(NTAPI *PELF_FILE_SET_SIZE_ROUTINE)(
    IN struct _EVTLOGFILE* LogFile,
    IN ULONG FileSize,
    IN ULONG OldFileSize
);

/*
 * Flush callback: takes a file offset and a length.
 * NOTE(review): presumably flushes that byte range to stable storage --
 * confirm against an implementation.
 * Returns an NTSTATUS code.
 */
typedef NTSTATUS
(NTAPI *PELF_FILE_FLUSH_ROUTINE)(
    IN struct _EVTLOGFILE* LogFile,
    IN PLARGE_INTEGER FileOffset,
    IN ULONG Length
);
194
/*
 * In-memory state for one event log file.
 *
 * The six callbacks have the same types as the callback parameters of
 * ElfCreateFile, so the library itself performs no allocation or file I/O
 * except through them.
 * Header holds an EVENTLOGHEADER by value.
 * NOTE(review): if Header is filled from the file, every size and offset in
 * it is file-controlled -- confirm where it is validated.
 */
typedef struct _EVTLOGFILE
{
    PELF_ALLOCATE_ROUTINE Allocate;
    PELF_FREE_ROUTINE Free;
    PELF_FILE_SET_SIZE_ROUTINE FileSetSize;
    PELF_FILE_WRITE_ROUTINE FileWrite;
    PELF_FILE_READ_ROUTINE FileRead;
    PELF_FILE_FLUSH_ROUTINE FileFlush;

    EVENTLOGHEADER Header;
    ULONG CurrentSize; /* Equivalent to the file size, is <= MaxSize and can be extended to MaxSize if needed */
    UNICODE_STRING FileName;
    PEVENT_OFFSET_INFO OffsetInfo; /* points to EVENT_OFFSET_INFO entries */
    ULONG OffsetInfoSize; /* presumably the capacity of OffsetInfo, in entries -- confirm */
    ULONG OffsetInfoNext; /* presumably the index of the next free entry -- confirm */
    BOOLEAN ReadOnly;
} EVTLOGFILE, *PEVTLOGFILE;
212
213
/*
 * Sets up a log file object.
 *
 * LogFile:   caller-provided object.
 * FileName:  optional file name.
 * FileSize:  size of the file.
 * MaxSize:   maximum size.
 * Retention: retention value.
 * CreateNew: NOTE(review): presumably TRUE writes a fresh log and FALSE
 *            parses an existing one -- confirm. Parsing is the path where
 *            file contents are untrusted input.
 * ReadOnly:  read-only flag.
 * Allocate, Free, FileSetSize, FileWrite, FileRead, FileFlush:
 *            callbacks through which memory and file access are performed.
 *            NOTE(review): whether any of them may be NULL (for example the
 *            write-side ones when ReadOnly is TRUE) is not visible here --
 *            confirm before passing NULL.
 * Returns an NTSTATUS code.
 */
NTSTATUS
NTAPI
ElfCreateFile(
    IN PEVTLOGFILE LogFile,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN ULONG FileSize,
    IN ULONG MaxSize,
    IN ULONG Retention,
    IN BOOLEAN CreateNew,
    IN BOOLEAN ReadOnly,
    IN PELF_ALLOCATE_ROUTINE Allocate,
    IN PELF_FREE_ROUTINE Free,
    IN PELF_FILE_SET_SIZE_ROUTINE FileSetSize,
    IN PELF_FILE_WRITE_ROUTINE FileWrite,
    IN PELF_FILE_READ_ROUTINE FileRead,
    IN PELF_FILE_FLUSH_ROUTINE FileFlush); // What about Seek ??
230
/*
 * Re-creates the given log file.
 * NOTE(review): presumably discards the existing records and writes a fresh,
 * empty log. For audit logs that is a destructive operation worth recording
 * by the caller -- confirm the behaviour in the implementation.
 * Returns an NTSTATUS code.
 */
NTSTATUS
NTAPI
ElfReCreateFile(
    IN PEVTLOGFILE LogFile);

// NTSTATUS
// ElfClearFile(PEVTLOGFILE LogFile);

/*
 * Backs up LogFile into BackupLogFile; both are log file objects.
 * Returns an NTSTATUS code.
 */
NTSTATUS
NTAPI
ElfBackupFile(
    IN PEVTLOGFILE LogFile,
    IN PEVTLOGFILE BackupLogFile);

/*
 * Flushes the log file.
 * NOTE(review): presumably through the FileFlush callback -- confirm.
 * Returns an NTSTATUS code.
 */
NTSTATUS
NTAPI
ElfFlushFile(
    IN PEVTLOGFILE LogFile);

/*
 * Closes the log file object; returns nothing, so a failure cannot be
 * reported to the caller.
 * NOTE(review): whether this flushes pending data first is not visible
 * here -- confirm.
 */
VOID
NTAPI
ElfCloseFile( // ElfFree
    IN PEVTLOGFILE LogFile);
254
/*
 * Reads the record with the given number into a caller buffer.
 *
 * LogFile:      log file object.
 * RecordNumber: number of the record to read.
 * Record:       output buffer.
 * BufSize:      size of the Record buffer.
 * BytesRead:    optional; receives the number of bytes read.
 * BytesNeeded:  optional; NOTE(review): presumably receives the required
 *               size when BufSize is too small -- confirm.
 * Returns an NTSTATUS code.
 * NOTE(review): on return, Record->Length and the offsets inside the record
 * are values taken from the file. A caller should bound them by BytesRead
 * before following them -- confirm what the library itself guarantees.
 */
NTSTATUS
NTAPI
ElfReadRecord(
    IN PEVTLOGFILE LogFile,
    IN ULONG RecordNumber,
    OUT PEVENTLOGRECORD Record,
    IN SIZE_T BufSize, // Length
    OUT PSIZE_T BytesRead OPTIONAL,
    OUT PSIZE_T BytesNeeded OPTIONAL);

/*
 * Writes a record to the log file.
 *
 * LogFile: log file object.
 * Record:  record to write.
 * BufSize: size of the Record buffer.
 * Returns an NTSTATUS code.
 * NOTE(review): the record carries its own Length field next to BufSize;
 * which of the two governs the number of bytes written, and whether a
 * mismatch is rejected, is not visible here -- confirm.
 */
NTSTATUS
NTAPI
ElfWriteRecord(
    IN PEVTLOGFILE LogFile,
    IN PEVENTLOGRECORD Record,
    IN SIZE_T BufSize);
271
/*
 * Accessors; each takes the log file object and returns a ULONG.
 * NOTE(review): presumably they return Header.OldestRecordNumber,
 * Header.CurrentRecordNumber and Header.Flags respectively -- confirm.
 */
ULONG
NTAPI
ElfGetOldestRecord(
    IN PEVTLOGFILE LogFile);

ULONG
NTAPI
ElfGetCurrentRecord(
    IN PEVTLOGFILE LogFile);

ULONG
NTAPI
ElfGetFlags(
    IN PEVTLOGFILE LogFile);

/* Declared in debug (DBG) builds only; takes a log file header. */
#if DBG
VOID PRINT_HEADER(PEVENTLOGHEADER Header);
#endif
290
291 #endif /* __EVTLIB_H__ */