3.1.1.2 Event Logs

The log is a persistent store of event log records. Event logs are of two types: live event logs, which can be written to and read from, and backup event logs, which can only be read from. The backup logs are created using the methods that back up (or copy) a live log to a backup log.

The logs are registered by creating registry entries. For how to create these entries, see [MS-RRP]. These registry entries will have to be added manually by the server administrator or by running registry scripts. This is because the methods described in section 3.1.4 never write information to the registry.

The client MUST NOT modify event log registry entries. The server MUST configure those event log registry entries. The server configures the log entries by adding a subkey under HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventlog that results in an event log. The name of the log is the same as the subkey. The log subkey also specifies log attributes such as its maximum size and its retention settings. The retention settings determine how the server handles events after the log reaches its maximum size. The retention can be set either to fail all new writes, or to start overwriting the oldest records. In the latter case, the log is treated as a circular log. The Eventlog Remoting Protocol does not support any RPC methods for getting or setting the maximum event log size or its retention policy. For more information, see [MSDN-EVENTS].

Each log can contain the following registry values.

Registry value

Description

CustomSD

Restricts access to the event log. This value is of type REG_SZ. The format used is Security Descriptor Definition Language (SDDL) as specified in [MS-DTYP] section 2.5.1. Construct an ACL, as specified in [MS-DTYP] section 2.4.5, that grants one or more of the following rights:

  • Clear (0x0004)

  • Read (0x0001)

  • Write (0x0002)

If CustomSD is set to a wrong value, an event is fired in the System event log when the event log service starts, and the event log gets a default security descriptor which is identical to the original CustomSD value for the application log.<12>

DisplayNameFile

The name of the file that stores the localized name of the event log. If this entry does not appear in the registry for an event log, the name of the registry subkey is the log name. This value is of type REG_EXPAND_SZ.

DisplayNameID

The message identification number of the log name string. This number indicates the message in which the localized display name appears. The message is stored in the file specified by the DisplayNameFile value. This value is of type REG_DWORD.

File

This value defaults to "%SystemRoot%\system32\config\" followed by a file name that is based on the event log registry key name. If the File setting is set to an invalid value, the log will either not be initialized properly, or all requests will silently go to the default application log.

MaxSize

The maximum size, in bytes, of the log file. This value is of type REG_DWORD. The value is limited to 0xFFFFFFFF, and the default value is 512K.

PrimaryModule

This value is the name of the subkey that contains the default values for the entries in the subkey for the event source. This value is of type REG_SZ.

Retention

This value is of type REG_DWORD and specifies the time interval, in seconds, during which records of events are protected from being overwritten. When the age of an event reaches or exceeds this value, it can be overwritten. This value is used to configure the circular log. If the value is nonzero, the event log server cannot overwrite any record until the record's age passes that value. By default, this value is 0.

Sources

The names of the applications, services, or groups of applications that write events to this log. This value is only read and not altered. The event log service maintains the list based on each program listed in a subkey under the log. This value is of type REG_MULTI_SZ.

AutoBackupLogFiles

This value is of type REG_DWORD. Retention needs to be 0xFFFFFFFF for AutoBackupLogFiles to take effect; otherwise AutoBackupLogFiles is ignored.

When set to 0xFFFFFFFF, the event log file is closed as soon as it reaches the maximum size specified by the MaxSize property, and a new file is opened to accept new events. If the new file reaches maximum size, another new file will be generated and the previous new file will be backed up. The events in backup files cannot be queried directly in the server unless the client specifies the backup log file names in a separate query. When not set to 0xFFFFFFFF, there will be no backup.

RestrictGuestAccess

This value is of type REG_DWORD, and the default value is 1. When the value is set to 1, it restricts the Guest and Anonymous account access to the event log, and when this value is 0, it allows Guest account access to the event log.
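The following audit script is an added example and is not part of the MS-EVEN specification or any Microsoft code. It applies the semantics of the registry values listed above (CustomSD rights bits, the Retention/AutoBackupLogFiles interplay, the 512K MaxSize default, RestrictGuestAccess) to a constructed registry export. The reader for the export format is a deliberately minimal one that understands only `dword:` and quoted REG_SZ values under the EventLog key (REG_EXPAND_SZ `hex(2):` data and nested source subkeys are skipped), and the set of SDDL SID aliases treated as guest or anonymous principals (WD, AN, BG) is this example's own policy choice rather than something the section defines.

```python
import re

# Event log access rights that CustomSD can grant (from the section text).
ELF_LOG_READ = 0x0001
ELF_LOG_WRITE = 0x0002
ELF_LOG_CLEAR = 0x0004

# SDDL aliases this example treats as guest/anonymous principals (assumption, not from the spec):
# WD = Everyone, AN = Anonymous Logon, BG = Builtin Guests.
UNTRUSTED_SIDS = {"WD", "AN", "BG"}

# Matches a log subkey directly under the EventLog key, e.g. ...\EventLog\Security.
# Nested source subkeys (...\EventLog\Application\SomeSource) do not match on purpose.
REG_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\([^\\\]]+)\]$", re.I)
# Only dword and plain string values are understood by this minimal reader.
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_reg_export(text):
    """Minimal reader for a REG 5.00 export; returns {log_name: {value_name: value}}."""
    logs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = REG_KEY_RE.match(line)
            current = logs.setdefault(m.group(1), {}) if m else None  # None skips nested/other keys
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            # REG exports escape backslashes in string data as "\\".
            current[name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return logs


def dacl_aces(sddl):
    """Return (ace_type, rights_mask_or_None, sid) for each ACE in the DACL part of an SDDL string."""
    start = sddl.find("D:")
    if start < 0:
        return []
    dacl = sddl[start + 2:]
    end = dacl.find("S:")            # SACL, if present, follows the DACL
    if end >= 0:
        dacl = dacl[:end]
    aces = []
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")
        if len(parts) != 6:          # ace_type;flags;rights;object_guid;inherit_guid;sid
            continue
        ace_type, _flags, rights, _obj, _inh, sid = parts
        mask = int(rights, 16) if rights.lower().startswith("0x") else None  # alias rights left for manual review
        aces.append((ace_type, mask, sid))
    return aces


def audit_log(name, values):
    """Apply the section's semantics to one log's registry values and return a list of findings."""
    findings = []
    retention = values.get("Retention", 0)             # default 0 per the section
    autobackup = values.get("AutoBackupLogFiles", 0)
    if values.get("RestrictGuestAccess", 1) == 0:       # default 1 per the section
        findings.append(f"{name}: RestrictGuestAccess=0 allows Guest account access to the log")
    if retention == 0xFFFFFFFF and autobackup != 0xFFFFFFFF:
        # Records are protected for ~136 years, so nothing is overwritable: new writes fail once MaxSize is reached.
        findings.append(f"{name}: Retention=0xFFFFFFFF without AutoBackupLogFiles, new writes fail when the log is full")
    if autobackup == 0xFFFFFFFF and retention != 0xFFFFFFFF:
        findings.append(f"{name}: AutoBackupLogFiles is ignored because Retention is not 0xFFFFFFFF")
    if values.get("MaxSize", 512 * 1024) < 512 * 1024:
        findings.append(f"{name}: MaxSize {values['MaxSize']} bytes is below the 512K default")
    for ace_type, mask, sid in dacl_aces(values.get("CustomSD", "")):
        if ace_type != "A":                             # only access-allowed ACEs grant rights
            continue
        if mask is None:
            findings.append(f"{name}: CustomSD grants non-numeric rights to {sid}, review manually")
        elif sid in UNTRUSTED_SIDS and mask & (ELF_LOG_WRITE | ELF_LOG_CLEAR):
            findings.append(f"{name}: CustomSD grants write/clear (0x{mask:x}) to {sid}")
    return findings


def audit_export(text):
    """Parse an export and audit every log in it; returns {log_name: [findings]}."""
    return {log: audit_log(log, vals) for log, vals in parse_reg_export(text).items()}


# Constructed sample export (not taken from any real system).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"MaxSize"=dword:01400000
"Retention"=dword:ffffffff
"AutoBackupLogFiles"=dword:ffffffff
"RestrictGuestAccess"=dword:00000001
"CustomSD"="O:BAG:SYD:(A;;0x7;;;SY)(A;;0x7;;;BA)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"MaxSize"=dword:00080000
"Retention"=dword:00000000
"RestrictGuestAccess"=dword:00000000
"CustomSD"="O:BAG:SYD:(A;;0x7;;;SY)(A;;0x7;;;BA)(A;;0x3;;;WD)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\ExampleSource]
"EventMessageFile"="%SystemRoot%\\System32\\example.dll"
"""

if __name__ == "__main__":
    for log, findings in audit_export(SAMPLE_REG_EXPORT).items():
        print(log, findings or ["no findings"])
```

On a live host the same checks can be fed from `reg export HKLM\SYSTEM\CurrentControlSet\Services\EventLog eventlog.reg`; the Application log in the sample produces two findings (guest access allowed, and a CustomSD that grants Write to Everyone), while the Security log, with Retention and AutoBackupLogFiles both set to 0xFFFFFFFF, produces none.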