3.1.1.4 Channels

  • Article

A channel is a named stream of events. It serves as a logical pathway for transporting events from the event publisher to a log file and possibly a subscriber. It is a sink that collects events.

Publishers declare the channels they are going to generate events into. The channels they declare MUST have an identifier and that identifier MUST be unique. The publishers can also import the existing channels in the server simply by referencing the channel identifier. Each channel MUST have a unique name (also called a Channel Path). The name of the channel is a string and the server SHOULD register the channel with the identifier and its name. The server keeps the table of registered channels.

A channel name can be obtained through the protocol method EvtRpcGetChannelList as specified in section 3.1.4.20 and from events that conform to event schema, as specified in section 2.2.13.

Channels have a set of configurable properties (as specified in section 3.1.4.21) that affect the behavior of the channel within the system. The configurable properties are the channel interface to the client. The channel data structure SHOULD contain these properties as internal data fields so that the server can track the changes of the value of these properties and adjust the behavior based on the latest property values. The required channel properties are specified in the following table:

Name

Meaning

Enabled

If true, the channel can accept new events. If false, any attempts to write events into this channel are automatically dropped.

Channel Isolation

One of three values:

0: Application. Use security setting (channel access property) of Application channel.

1: System. Use security setting (channel access property) of System channel.

2: Custom. The channel has its own explicit security settings.

type

One of four values:

0: Admin

1: Operational

2: Analytic

3: Debug

For more information, see [MSDN-EVTLGCHWINEVTLG].

OwningPublisher

Name of the publisher that defines and registers the channel with the system.

Classic

If true, the channel represents an event log created according to the EventLog Remoting Protocol, not this protocol (EventLog Remoting Protocol Version 6.0).

Access

A Security Descriptor Description Language (SDDL) string, as specified in [MS-DTYP], which represents access permissions to the channels. The server uses the Access Check algorithm (as specified in [MS-DTYP] section 2.5.3.2) to perform the access control.

A client with read access to the channel can read the properties of the channel and read the events from the channel. A client with write access to the channel can change the properties of the channel and write the events into the channel. A client with clear access to the channel can perform the clear log operation toward the channel. Note that the only access permissions defined for channels are read, write, and clear.

Retention

If set to true, events can never be overwritten unless explicitly cleared. If set to false, events are overwritten as needed when the event log is full.

AutoBackup

When set to true, the event log file associated with the channel is closed as soon as it reaches the maximum size specified by the MaxSize property, and a new file is opened to accept new events. If the new file reaches maximum size, another new file will be generated and the previous new file will be backed up. The events in backed up files cannot be queried from this channel in the server unless the client specifies the backup log file names in a separate query.

MaxSize

The value that indicates at which point the size (in bytes) of the event log file stops increasing. When the size is greater than or equal to this value, the file growth stops.

LogFilePath

File path to the event log file for the channel.

Level

Events with a level property less than or equal to this specified value are logged to the channel.

Keywords

Events with a keyword bit contained in the Keywords bitmask set are logged to the channel.

ControlGuid

A GUID value. For more information on the server behavior for this property, see section 3.1.4.22

BufferSize

Size of the events buffer (in kilobytes) used for asynchronous event delivery. This property is for providing events. Typically the events generated by a publisher are first written to memory buffers on the server. Once the buffer used is full, that buffer is written to a disk file. The BufferSize is used to specify the size of the buffer. The server allocates buffers according to the BufferSize value. The number of buffers the server can allocate is controlled by the MinBuffers and MaxBuffers properties. The server's specific implementation can allocate any number of buffers between MinBuffers and MaxBuffers.

MinBuffers

The minimum number of buffers used for asynchronous event delivery. For more information, see the preceding BufferSize description.

MaxBuffers

The maximum number of buffers used for asynchronous event delivery. For more information, see the preceding BufferSize description.

Latency

The number of seconds of inactivity (if events are delivered asynchronously and no new events are arriving) after which the event buffers MUST be flushed to the server. As specified in the description for BufferSize property, the server keeps a number of buffers when writing events. If the buffers are full, the server writes the buffers to disk file. However, if a certain amount of time elapses and the buffers are still not full, the server SHOULD write the buffers to disk. That certain amount of time is the latency property.

ClockType

One of two values:

  • 0: SystemTime. Use the system time. When set to this value, the server uses the system time type (which is low-resolution on most platforms) for a time stamp field of any event it writes into this channel.

  • 1: Query Performance Counter. The server uses a high-resolution time type for the time stamp field of any event it writes into this channel.

SIDType

One of two values:

  • 0: The events written by the server to this channel will not include the publisher's SID.

  • 1: The events written by the server to this channel will include the publisher's SID.

PublisherList

List of publishers that can raise events into the channel. For more information on this field, see section 3.1.4.24.

FileMax

Maximum number of log files associated with an analytic or debug channel. When the number of logs reaches the specified maximum, the system begins to overwrite the logs, beginning with the oldest. A FileMax value of 0 or 1 indicates that only one file is associated with this channel. A FileMax of 0 is default.

These properties can be observed or modified through this protocol. The methods to observe and modify the channel properties are EvtRpcGetChannelConfig (as specified in section 3.1.4.21) and EvtRpcPutChannelConfig (as specified in section 3.1.4.22).