Windows NT Event Log Provider

[This is preliminary documentation and subject to change.]

The Windows NT Event Log Provider functions as both an instance provider and an event provider. As an instance provider, it returns data describing events that have been logged to the Windows NT Event Log service and stored as formatted records in a log file. Typically, three log files reside on every machine: Application, System, and Security; Windows NT 5.0 adds a fourth for directory events. The format of an event record is defined by the Win32 EVENTLOGRECORD structure. The Event Log Provider maps each field of the EVENTLOGRECORD to a property of an instance of the Win32_NTLogEvent class, which is the class it supports for describing Windows NT events.

Windows NT events are written to a log file in the order in which they are received. Because each log file is limited to a configured maximum size and events arrive frequently, the Event Log service needs a policy for staying within that limit: a log file can refuse new events once it is full, overwrite events older than a specified age, or overwrite the oldest events as needed. A log file can also be cleared or archived. Note that a log configured to refuse new events silently drops every event that arrives after it fills (unless the system is configured to halt on audit failure), so that policy needs monitoring or regular archiving to be safe. The Event Log Provider supports a second class, Win32_NTEventlogFile, which represents a Windows NT log file; through it the overwrite policy and maximum file size can be set, and the clear and archive operations can be performed.
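The following PowerShell script is an added example, not code from the WBEM SDK or from this provider's documentation. It exercises both instance classes described above from the \Root\Cimv2 namespace: it lists each log file's retention settings, tightens the Security log's size and overwrite policy, queries audit-failure records, and archives the log before it could be cleared. It assumes a Windows host with WMI, an account holding the security privilege needed to read and back up the Security log, and an existing C:\Backups directory (the path is an assumption); the 64 MB size and "never overwrite" policy are illustrative hardening choices, not values from the page.

```powershell
# Added example (not from the Windows NT Event Log Provider documentation).
# Assumes: Windows host, WMI available, caller can read/back up the Security log,
# and the archive directory C:\Backups exists (assumed path).

# 1. Log files and their retention settings (Win32_NTEventlogFile).
#    OverwritePolicy is derived from OverwriteOutDated:
#      0          -> 'WhenNeeded' (oldest records overwritten as space is needed)
#      1..365     -> 'OutDated'   (only records older than N days are overwritten)
#      4294967295 -> 'Never'      (log refuses new events once full)
Get-WmiObject -Namespace 'root\cimv2' -Class Win32_NTEventlogFile -EnableAllPrivileges |
    Select-Object LogfileName, FileSize, MaxFileSize, OverwritePolicy, OverwriteOutDated, NumberOfRecords |
    Format-Table -AutoSize

# 2. Raise the Security log's maximum size and stop it from wrapping.
#    MaxFileSize and OverwriteOutDated are writable; OverwritePolicy is read-only and
#    follows OverwriteOutDated. Sizes are kept to 64 KB multiples (64MB = 67108864).
$sec = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_NTEventlogFile -EnableAllPrivileges `
           -Filter "LogfileName='Security'"
$sec.MaxFileSize       = 64MB
$sec.OverwriteOutDated = [uint32]::MaxValue   # 'Never': events are dropped, not overwritten, when full
$sec.Put() | Out-Null

# 3. Audit-failure records (Win32_NTLogEvent.EventType 5) from the last hour.
#    EventType mirrors the EVENTLOGRECORD type field: 1 error, 2 warning, 3 information,
#    4 audit success, 5 audit failure. TimeGenerated is a CIM datetime string, so the
#    lower bound is converted to that format before it goes into the WQL filter.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-1))
Get-WmiObject -Namespace 'root\cimv2' -Class Win32_NTLogEvent -EnableAllPrivileges `
    -Filter "Logfile='Security' AND EventType=5 AND TimeGenerated>='$since'" |
    Select-Object RecordNumber, EventCode, SourceName, User,
        @{ n = 'Time'; e = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated) } } |
    Format-Table -AutoSize

# 4. Archive the log. BackupEventlog writes a copy without clearing; ClearEventlog
#    takes an optional archive name and does both. Clearing the Security log is itself
#    audited (event 517 on NT 4.0/2000, 1102 on Vista and later), so expect that record
#    at the top of the fresh log and in any central collection.
$archive = 'C:\Backups\Security-' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.evt'
$rc = $sec.BackupEventlog($archive)
if ($rc.ReturnValue -ne 0) { throw "BackupEventlog failed with return value $($rc.ReturnValue)" }
"Archived Security log to $archive"
```

Run it from an elevated shell; without the privilege, step 1 returns the Security log with an empty record count and step 4 fails with a non-zero ReturnValue rather than an exception, which is why the return value is checked explicitly.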

The Event Log instance provider exposes an implementation of the IWbemProviderInit interface for initialization and implementations of the following methods of the IWbemServices interface:

Clients of the Event Log Provider can call either the asynchronous or the synchronous version of these methods. However, because WBEM providers implement only the asynchronous IWbemServices methods, CIMOM is responsible for converting every client request into an asynchronous call to the provider.

As an event provider, the Event Log Provider registers with the NT Event Log service to receive notifications of new NT events. For each notification that it receives, the Event Log Provider generates a corresponding WBEM event by creating an instance of the __InstanceCreationEvent class. The Event Log Provider embeds an instance of Win32_NTLogEvent class as the TargetInstance property with the data taken from the logged event. CIMOM sends the instance creation event to all consumers that have registered to receive events of type __InstanceCreationEvent with an embedded Win32_NTLogEvent.
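The following PowerShell script is an added example, not code from the WBEM SDK or from this provider's documentation. It registers as a consumer for exactly the notifications described above: __InstanceCreationEvent instances whose TargetInstance is an embedded Win32_NTLogEvent, narrowed with WQL to Security-log audit failures. It assumes a Windows host, an account allowed to read the Security log, and an existing C:\Watch directory for the placeholder action (the path and the file name are assumptions).

```powershell
# Added example (not from the Windows NT Event Log Provider documentation).
# Assumes: Windows host, WMI available, caller can read the Security log,
# and the directory C:\Watch exists (assumed path).

# Because the Event Log Provider is a true event provider (it is notified by the
# Event Log service and pushes __InstanceCreationEvent to CIMOM), the query needs
# no WITHIN clause; WITHIN is only required for classes CIMOM has to poll.
# "TargetInstance ISA" selects events whose embedded object is a Win32_NTLogEvent,
# and the remaining terms filter on that embedded instance's properties.
$query = @"
SELECT * FROM __InstanceCreationEvent
WHERE TargetInstance ISA 'Win32_NTLogEvent'
  AND TargetInstance.Logfile = 'Security'
  AND TargetInstance.EventType = 5
"@

# Consumer action: $Event.SourceEventArgs.NewEvent is the __InstanceCreationEvent,
# and its TargetInstance property carries the Win32_NTLogEvent data copied from
# the logged record.
$action = {
    $ev   = $Event.SourceEventArgs.NewEvent.TargetInstance
    $line = '{0} log={1} rec={2} code={3} src={4} user={5}' -f `
            (Get-Date -Format 'o'), $ev.Logfile, $ev.RecordNumber, $ev.EventCode, $ev.SourceName, $ev.User
    Add-Content -Path 'C:\Watch\security-failures.log' -Value $line   # placeholder action
}

# Temporary subscription: it lives in this PowerShell process and dies with it.
$sub = Register-WmiEvent -Namespace 'root\cimv2' -Query $query `
           -SourceIdentifier 'NTLogEventWatch' -Action $action

"Subscribed as job $($sub.Id); press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Tear the subscription down so CIMOM stops delivering events to this consumer.
    Unregister-Event -SourceIdentifier 'NTLogEventWatch'
}
```

Register-WmiEvent creates a temporary consumer only. A permanent subscription (an __EventFilter with the same WQL, a consumer such as CommandLineEventConsumer, and a __FilterToConsumerBinding, all stored in the root\subscription namespace) survives reboots and runs without a logged-on user, which is why attackers use it for persistence; listing __FilterToConsumerBinding instances in root\subscription is the check for bindings you did not create.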

The Win32_NTEventlogFile and Win32_NTLogEvent classes and their related association classes are part of the Win32 schema. The Event Log Provider is supported only in the \Root\Cimv2 namespace.

The Event Log Provider consists of a COM server implemented as a dynamic link library (DLL) and a MOF file. The DLL is loaded by CIMOM when it is needed to handle a client request. The MOF file contains definitions of the classes that the Event Log Provider supports as an instance provider, an event provider, and for registration. However, because the Event Log Provider is automatically registered when the WBEM SDK is installed, registration by a client is unnecessary.