ELF_LOGFILE_HEADER structure
Contains information that is included at the beginning of an event log.
The ELF_LOGFILE_HEADER structure is used at the beginning of an event log to define information about the event log. The event-logging service must add the ELF_LOGFILE_HEADER to the event log. For more information about how the ELF_LOGFILE_HEADER is used, see Event Log File Format.
Syntax
typedef struct _EVENTLOGHEADER {
ULONG HeaderSize;
ULONG Signature;
ULONG MajorVersion;
ULONG MinorVersion;
ULONG StartOffset;
ULONG EndOffset;
ULONG CurrentRecordNumber;
ULONG OldestRecordNumber;
ULONG MaxSize;
ULONG Flags;
ULONG Retention;
ULONG EndHeaderSize;
} EVENTLOGHEADER, *PEVENTLOGHEADER;
Members
HeaderSize
The size of the header structure. The size is always 0x30.Signature
The signature is always 0x654c664c, which is ASCII for eLfL.MajorVersion
The major version number of the event log. The major version number is always set to 1.MinorVersion
The minor version number of the event log. The minor version number is always set to 1.StartOffset
The offset to the oldest record in the event log.EndOffset
The offset to the ELF_EOF_RECORD in the event log.CurrentRecordNumber
The number of the next record that will be added to the event log.OldestRecordNumber
The number of the oldest record in the event log. For an empty file, the oldest record number is set to 0.MaxSize
The maximum size, in bytes, of the event log. The maximum size is defined when the event log is created. The event-logging service does not typically update this value, it relies on the registry configuration. The reader of the event log can use normal file APIs to determine the size of the file. For more information about registry configuration values, see Eventlog Key.Flags
The status of the event log. This member can be one of the following values:Value Meaning ELF_LOGFILE_HEADER_DIRTY 0x0001 Indicates that records have been written to an event log, but the event log file has not been properly closed. For more information about this flag, see the Remarks section.
ELF_LOGFILE_HEADER_WRAP 0x0002 Indicates that records in the event log have wrapped.
ELF_LOGFILE_LOGFULL_WRITTEN 0x0004 Indicates that the most recent write attempt failed due to insufficient space.
ELF_LOGFILE_ARCHIVE_SET 0x0008 Indicates that the archive attribute has been set for the file. Normal file APIs can also be used to determine the value of this flag.
Retention
The retention value of the file when it is created. The event-logging service does not typically update this value, it relies on the registry configuration. For more information about registry configuration values, see Eventlog Key.EndHeaderSize
The ending size of the header structure. The size is always 0x30.
Remarks
Before the first event is written to the event log, the event-logging service sets the ELF_LOGFILE_HEADER_DIRTY flag and writes the header to the file. When the event-logging service shuts down, it updates the header information, clears the ELF_LOGFILE_HEADER_DIRTY flag and then writes the header to the event log. The ELF_LOGFILE_HEADER_DIRTY flag can be used by the event-logging service to detect if the event log was not properly closed.
Note There are two ways to classify event logs: live event logs and backup event logs. A live event log is used by the system for writing records and possibly reading records. A backup event log is a copy of a live log, but can only be used for reading.
If the event-logging service starts and opens a live event log with the ELF_LOGFILE_HEADER_DIRTY flag set, it will resynchronize the header and event records. If the event-logging service attempts to open a backup event log and the ELF_LOGFILE_HEADER_DIRTY flag is set, the service will handle the event log as corrupt and will not open it.
Requirements
Minimum supported client |
Windows 2000 Professional [desktop apps only] |
Minimum supported server |
Windows 2000 Server [desktop apps only] |
Header |
Winnt.h (include Windows.h) |