windows-nt/Source/XPSP1/NT/admin/wmi/wbem/providers/mofs/ntevt.mof

// (c) 1998-1999 Microsoft Corporation. All rights reserved.
// Adds this MOF to the list of files recompiled when the WMI repository is
// rebuilt, so the provider registrations below are restored with it.
#pragma autorecover
// Forces the class definitions below to be applied even where they conflict
// with existing child classes.
#pragma classflags("forceupdate")
// Qualifier flavor declarations. ToSubClass/ToInstance control propagation to
// derived classes and instances, DisableOverride forbids redefinition further
// down, Restricted keeps the qualifier on the declaring class, and Amended
// marks a qualifier as localizable text.
Qualifier Description : ToSubClass Amended;
Qualifier Values : ToSubClass Amended;
Qualifier DisplayName : Amended;
Qualifier BitValues:ToSubClass Amended ;
Qualifier Aggregate : ToSubClass ;
Qualifier ValueMap : ToSubClass ;
Qualifier Aggregation : ToSubClass ;
Qualifier ArrayType : ToSubClass ;
Qualifier Association : ToInstance ToSubClass DisableOverride ;
Qualifier BitMap : ToSubClass ;
Qualifier CIM_Key : ToSubClass ;
Qualifier CIMTYPE : ToSubClass ;
Qualifier Deprecated : ToSubClass ;
Qualifier Enumeration : ToSubClass ;
// EnumPrivileges, Privileges and WritePrivileges (below) carry the privilege
// requirements of the classes in this file; all three are ToSubClass, so a
// derived class inherits the requirement. None is declared DisableOverride.
Qualifier EnumPrivileges : ToSubClass ;
Qualifier Fixed : ToSubclass;
Qualifier ImplementationSource : ToSubClass ;
Qualifier Key : ToInstance ToSubClass DisableOverride ;
Qualifier Locale : ToInstance ;
Qualifier MappingStrings : ToSubClass ;
Qualifier Max : ToSubClass ;
Qualifier MaxLen : ToSubClass ;
Qualifier Min : ToSubClass ;
Qualifier ModelCorrespondence : ToSubClass ;
Qualifier Not_Null : ToSubClass ;
Qualifier Override : Restricted ;
Qualifier Privileges : ToSubClass ;
Qualifier Propagated : ToSubClass ;
Qualifier provider : ToInstance ;
Qualifier Range : ToSubClass ;
Qualifier Read : ToSubClass ;
Qualifier Schema : ToInstance ;
Qualifier Singleton : ToSubClass ToInstance ;
Qualifier SUBTYPE : ToSubClass ;
Qualifier Units : ToSubClass ;
Qualifier UUID : ToInstance ;
Qualifier Volatile : ToSubClass ;
Qualifier Weak : ToSubClass ;
Qualifier Write : ToSubClass ;
Qualifier WritePrivileges : ToSubClass ;
// Everything that follows is compiled into Root\CIMV2 on the local machine.
#pragma namespace ("\\\\.\\Root\\CIMV2")
// Singleton class holding one datetime value. It carries no dynamic/provider
// qualifier, so its instance is stored in the repository rather than supplied
// by a provider.
// NOTE(review): presumably state the event log provider keeps across restarts;
// nothing in this file shows who reads or writes it - confirm in the provider.
[singleton,
Locale (0x409), UUID ("{8502C57A-5FBB-11D2-AAC1-006008C78BC7}")]
class NTEventlogProviderConfig
{
datetime LastBootUpTime;
};
// Registers the instance/method provider COM server under the alias $DataProv.
instance of __Win32Provider as $DataProv
{
Name = "MS_NT_EVENTLOG_PROVIDER";
ClsId = "{FD4F53E0-65DC-11d1-AB64-00C04FD9159E}";
// 1 = the provider impersonates the calling client, so event log access is
// checked against the caller's token rather than the host account.
ImpersonationLevel = 1;
// The provider is initialized separately for each user identity making requests.
PerUserInitialization = "TRUE";
// Loaded into the shared provider host that runs as NetworkService.
// NOTE(review): the privilege checks declared on ClearEventlog/BackupEventlog
// only protect the logs if impersonation stays enabled here; treat a change
// to ImpersonationLevel or HostingModel as security-relevant.
HostingModel = "NetworkServiceHost";
};
// Declares $DataProv as a method provider; the methods it serves in this file
// are ClearEventlog and BackupEventlog on Win32_NTEventlogFile.
instance of __MethodProviderRegistration
{
Provider = $DataProv;
};
// Declares $DataProv as an instance provider and states which operations it
// accepts.
instance of __InstanceProviderRegistration
{
Provider = $DataProv;
// Put is allowed: this is the path by which the writable properties of
// Win32_NTEventlogFile (MaxFileSize, OverwriteOutDated) are changed.
SupportsPut = TRUE;
SupportsGet = TRUE;
// Instances cannot be deleted through WMI; log contents are removed only via
// the ClearEventlog method.
SupportsDelete = FALSE;
SupportsEnumeration = TRUE;
// Only simple single-class SELECT queries are handled by the provider itself.
QuerySupportLevels = {"WQL:UnarySelect"};
};
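// Win32_NTEventlogFile describes one NT event log file. Instances are supplied
// at run time (dynamic) by MS_NT_EVENTLOG_PROVIDER and may be updated
// (SupportsUpdate). Two properties are writable and both control retention:
// MaxFileSize and OverwriteOutDated.
// NOTE(review): lowering either value shortens the history available to an
// investigation; changes to them are worth monitoring alongside log clearing.
[dynamic,
 provider("MS_NT_EVENTLOG_PROVIDER"), SupportsUpdate,
 Locale (0x409), UUID ("{8502C57B-5FBB-11D2-AAC1-006008C78BC7}")]
class Win32_NTEventlogFile : CIM_DataFile
{
    // Read-only name of the log.
    [Fixed, Description("The LogfileName property indicates the name of the log file."),
     read]
    string LogfileName;

    // Writable size cap in bytes; per the description, 0 means no limit.
    [Description("The MaxFileSize property indicates the maximum size "
        "(in bytes) permitted for the log file. If "
        "the file exceeds its maximum size, its contents are moved to "
        "another file and the primary file is emptied. A value of zero "
        "indicates no size limit. "),
     read,
     write]
    uint32 MaxFileSize;

    [Description("Number of records in the log file. This value is determined "
        "by calling the Win32 function GetNumberOfEventLogRecords."),
     read]
    uint32 NumberOfRecords;

    // Read-only, derived from OverwriteOutDated. The description now spells the
    // policy names exactly as they appear in Values ("WhenNeeded", "OutDated").
    [Description("Current overwrite policy the Windows NT/Windows 2000 "
        "Event Log service employs for this log file. The possible values "
        "of the property are: \n"
        "WhenNeeded - This corresponds to OverWriteOutdated = 0.\n"
        "OutDated - This corresponds to OverWriteOutdated of 1 to 365.\n"
        "Never - This corresponds to OverWriteOutdated = 4294967295. \n"
        "There is an interdependence between the OverWriteOutDated property "
        "(which is writable) value and the OverWritePolicy property "
        "(which is not writable) value.\n"
        "If one changes the OverWriteOutDated property value to 0, "
        "the OverWritePolicy property value will be 'WhenNeeded' \n"
        "If one changes the OverWriteOutDated property value to 1-365, "
        "the OverWritePolicy property value will be 'OutDated' \n"
        "If one changes the OverWriteOutDated property value to 4294967295, "
        "the OverWritePolicy property value will be 'Never'."),
     read,
     volatile,
     ValueMap {"0", "1..365", "4294967295"} ,
     Values {"WhenNeeded", "OutDated", "Never"} ]
    string OverWritePolicy;

    // Writable retention setting. 0 lets any record be overwritten when space
    // is needed; 4294967295 forbids overwriting. The value list in the
    // description now has one entry per line (the "\n" separators were missing).
    [Description("Number of days after which an event can be overwritten. "
        "Values are:\n"
        "0 = Any entry can be overwritten when necessary.\n"
        "1..365 = Events that have been in the log file for one "
        "year (365 days) or less can be overwritten.\n"
        "4294967295 = Nothing can ever be overwritten. \n"
        "There is an interdependence between the OverWriteOutDated property "
        "(which is writable) value and the OverWritePolicy property "
        "(which is not writable) value.\n"
        "If one changes the OverWriteOutDated property value to 0, "
        "the OverWritePolicy property value will be 'WhenNeeded' \n"
        "If one changes the OverWriteOutDated property value to 1-365, "
        "the OverWritePolicy property value will be 'OutDated' \n"
        "If one changes the OverWriteOutDated property value to 4294967295, "
        "the OverWritePolicy property value will be 'Never'."),
     read,
     write,
     Units("Days"),
     Range("0-365 | 4294967295")]
    uint32 OverwriteOutDated;

    [Description("The Sources property indicates the applications "
        "that are registered to log into this log file."),
     read]
    string Sources[];

    //Methods

    // ClearEventlog empties the log, optionally archiving it first. The
    // Privileges qualifier declares SeSecurityPrivilege and SeBackupPrivilege
    // as required for the call.
    // NOTE(review): clearing a log removes evidence; alert on calls to this
    // method and on the audit record the Event Log service writes when the
    // Security log is cleared (event ID 517 on this Windows generation -
    // confirm for the target build).
    // NOTE(review): the parameter text says the call fails when the archive
    // file already exists, yet ValueMap has no "183" entry as BackupEventlog
    // does, so that failure would be reported as "Other" - confirm.
    [Description("Clears the specified event log, and optionally "
        "saves the current copy of the logfile to a backup file. "
        "The method returns an integer value that can be "
        "interpreted as follows: \n"
        "0 - Successful completion.\n"
        "8 - The user does not have adequate privileges.\n"
        "21 - Invalid parameter.\n"
        "Other - For integer values other than those listed above, "
        "refer to Win32 error code documentation."): ToSubClass,
     Values{ "Success",
        "Privilege missing",
        "Invalid parameter",
        "Other" },
     ValueMap{ "0", "8", "21", ".." },
     implemented,
     Privileges{"SeSecurityPrivilege", "SeBackupPrivilege"}]
    uint32 ClearEventlog(
        // Caller-supplied path for the archive copy. This schema places no
        // constraint on it; where the file may be written is decided by the
        // provider and the identity it runs the call under.
        [Description("String specifying the name of a "
            "file in which a current copy of the event logfile will be placed. "
            "If this file already exists, the function fails. "),
         in]
        string ArchiveFileName
    );

    // BackupEventlog copies the log to a file without clearing it and declares
    // the same two privileges. Return code 183 reports an existing archive file.
    [Description("Saves the specified event log to a backup file. "
        "The method returns an integer value that can be "
        "interpreted as follows: \n"
        "0 - Successful completion.\n"
        "8 - The user does not have adequate privileges.\n"
        "21 - Invalid parameter.\n"
        "183 - Archive file name already exists. Cannot create file. \n"
        "Other - For integer values other than those listed above, "
        "refer to Win32 error code documentation."): ToSubClass,
     Values{ "Success",
        "Privilege missing",
        "Invalid parameter",
        "Archive file name already exists.",
        "Other" },
     ValueMap{ "0", "8", "21", "183", ".." },
     implemented,
     Privileges{"SeSecurityPrivilege", "SeBackupPrivilege"}]
    uint32 BackupEventlog(
        // Caller-supplied destination path; same caveat as for ClearEventlog.
        [Description("String specifying the name of the backup file."),
         in]
        string ArchiveFileName
    );
};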
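// Win32_NTLogEvent exposes individual event log records. Instances are
// supplied at run time by MS_NT_EVENTLOG_PROVIDER and are keyed by
// (Logfile, RecordNumber). EnumPrivileges declares SeSecurityPrivilege for
// enumeration of the class.
// NOTE(review): SourceName, ComputerName, Message, InsertionStrings and Data
// are, per their descriptions, content supplied with the event by its source.
// Consumers that parse or render them should treat them as untrusted text.
[DisplayName("NT Log Events"),
 Dynamic, Provider("MS_NT_EVENTLOG_PROVIDER"), EnumPrivileges{"SeSecurityPrivilege"},
 Description("This class is used to translate instances from the NT Eventlog."),
 Locale (0x409), UUID ("{8502C57C-5FBB-11D2-AAC1-006008C78BC7}")]
class Win32_NTLogEvent
{
    [DisplayName ("Record Number"), Key,
     Description ("Identifies the event within the NT Eventlog logfile. This "
        "is specific to the logfile and is used together with the logfile name to "
        "uniquely identify an instance of this class.")
    ]
    uint32 RecordNumber;

    [DisplayName ("Log File"), Key,
     Description ("The name of NT Eventlog logfile. This is used together with "
        "the RecordNumber to uniquely identify an instance of this class.")
    ]
    string Logfile;

    // Full identifier; only meaningful together with SourceName.
    [Fixed, DisplayName("Event Identifier"), Description("Identifies the event. "
        "This is specific to the source that generated the event log entry, and "
        "is used, together with SourceName, to uniquely identify an NT event type.")
    ]
    uint32 EventIdentifier;

    // Lower 16 bits of EventIdentifier. As the description warns, two events
    // from one source can share an EventCode, so a filter on EventCode alone
    // can match more than one event type.
    [DisplayName("Event Code"), Description("This property has the value of "
        "the lower 16-bits of the EventIdentifier property. It is present to match "
        "the value displayed in the NT Event Viewer. NOTE: Two events from the same "
        "source may have the same value for this property but may have different "
        "severity and EventIdentifier values")
    ]
    uint16 EventCode;

    [Fixed, DisplayName("Source Name"), Description("The variable-length null-terminated "
        "string specifying the name of the source (application, service, driver, "
        "subsystem) that generated the entry. It is used, together with the "
        "EventIdentifier, to uniquely identify an NT event type.")
    ]
    string SourceName;

    // String form of the event type. Its ValueMap uses 1, 2, 4, 8, 16, whereas
    // EventType below uses 1..5; queries must not mix the two encodings.
    [Fixed, DisplayName("Type"), Description("Specifies the type of event. This "
        "is an enumerated string"),
     ValueMap {"1", "2", "4", "8", "16"},
     Values {"error", "warning", "information", "audit success", "audit failure"}
    ]
    string Type;

    [DisplayName("Category"), Description("Specifies a subcategory for "
        "this event. This subcategory is source specific.")
    ]
    uint16 Category;

    [DisplayName("Category String"), Description("Specifies the translation "
        "of the subcategory. The translation is source specific.")
    ]
    string CategoryString;

    // Two timestamps: TimeGenerated is when the source produced the event,
    // TimeWritten is when it reached the log file.
    [Fixed, DisplayName("Time Generated"), Description("Specifies the time at "
        "which the source generated the event.")
    ]
    datetime TimeGenerated;

    [Fixed, DisplayName("Time Written"), Description("Specifies the time at which "
        "the event was written to the logfile.")
    ]
    datetime TimeWritten;

    [Fixed, DisplayName("Computer Name"), Description("The variable-length "
        "null-terminated string specifying the name of the computer that "
        "generated this event.")
    ]
    string ComputerName;

    // May be NULL when the user cannot be resolved (spelling of "occurred"
    // corrected in the description).
    [DisplayName("User Name"), Description("The user name of the logged on "
        "user when the event occurred. If the user name cannot be determined "
        "this will be NULL")
    ]
    string User;

    // Rendered message; falls back to the bare template text when insertion
    // fails, so an absent detail in Message does not mean it is absent from
    // InsertionStrings.
    [DisplayName("Message"), Description("The event message as it appears "
        "in the NT Eventlog. This is a standard message with zero or more "
        "insertion strings supplied by the source of the NT event. The "
        "insertion strings are inserted into the standard message in a "
        "predefined format. If there are no insertion strings or there is a "
        "problem inserting the insertion strings, only the standard message "
        "will be present in this field.")
    ]
    string Message;

    [DisplayName("Insertion Strings"), Description("The insertion strings "
        "that accompanied the report of the NT event.")
    ]
    string InsertionStrings[ ];

    [DisplayName("Binary Data"), Description("The binary data that "
        "accompanied the report of the NT event.")
    ]
    Uint8 Data[ ];

    // Numeric event type, values 1..5. The description previously named this
    // property "Type", which is a different property of this class.
    [Fixed, Description ("The EventType property specifies the type of event."),
     DisplayName("Type Event"),
     ValueMap {"1", "2", "3","4","5"},
     Values {"error", "warning", "information",
        "security audit success","security audit failure"}]
    uint8 EventType;
};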
// Commented-out rule: it shows the join this association expresses (event
// Logfile = log file LogFileName). It is not compiled; the association is
// served by the provider named in the qualifiers below.
// RuleBased("Select * From "
// "Win32_NTLogEvent As A "
// "Join "
// "Win32_NTEventLogFile As B "
// "On A.LogFile = B.LogFileName")
// Association linking each event record to the log file that holds it.
// Enumeration declares SeSecurityPrivilege, matching Win32_NTLogEvent.
[Description("The Win32_NTLogEventLog class represents an association "
"between an NT log event and the log file that contains the event."),
dynamic,
provider("MS_NT_EVENTLOG_PROVIDER"),
EnumPrivileges{"SeSecurityPrivilege"},
Locale (0x409),
UUID ("{8502C57D-5FBB-11D2-AAC1-006008C78BC7}"),
Association: ToInstance]
class Win32_NTLogEventLog
{
// Key reference to the containing log file.
[Description("The Log property references the log file that "
"contains the NT log event."),
Key,
read]
Win32_NTEventlogFile ref Log;
// Key reference to the event record.
[Description("The Record property references an NT log event."),
Key,
read]
Win32_NTLogEvent ref Record;
};
// Association linking an event record to a Win32_UserAccount instance
// (Win32_UserAccount is defined outside this file). Enumeration declares
// SeSecurityPrivilege.
// NOTE(review): Win32_NTLogEvent.User may be NULL when the user cannot be
// determined; how the provider handles such records here is not visible in
// this file - confirm before relying on this association for attribution.
[Description("The Win32_NTLogEventUser class represents an association "
"between an NT log event and the active user at the time the "
"event was logged. "),
dynamic,
provider("MS_NT_EVENTLOG_PROVIDER"),
EnumPrivileges{"SeSecurityPrivilege"},
Locale (0x409),
UUID ("{8502C57E-5FBB-11D2-AAC1-006008C78BC7}"),
Association: ToInstance]
class Win32_NTLogEventUser
{
// Key reference to the user account.
[Description("The User property references the active user "
"at the time the event was logged."),
Key,
read]
Win32_UserAccount ref User;
// Key reference to the event record.
[Description("The Record property references an NT log event."),
Key,
read]
Win32_NTLogEvent ref Record;
};
// Commented-out rule: it shows the join this association expresses (computer
// system Name = event ComputerName). It is not compiled.
//RuleBased("Select * From "
// "Win32_ComputerSystem As A "
// "Join "
// "Win32_NTLogEvent As B "
// "On A.Name = B.ComputerName")
// Association linking an event record to a Win32_ComputerSystem instance
// (defined outside this file). Enumeration declares SeSecurityPrivilege.
[Description("The Win32_NTLogEventComputer class represents an association "
"between an NT log event and the computer from which the event "
"was generated."),
dynamic,
provider("MS_NT_EVENTLOG_PROVIDER"),
EnumPrivileges{"SeSecurityPrivilege"},
Locale (0x409),
UUID ("{8502C57F-5FBB-11D2-AAC1-006008C78BC7}"),
Association: ToInstance]
class Win32_NTLogEventComputer
{
// Key reference to the computer system.
[Description("The Computer property references the computer from which "
"the event was generated."),
Key,
read]
Win32_ComputerSystem ref Computer;
// Key reference to the event record.
[Description("The Record property references an NT log event."),
Key,
read]
Win32_NTLogEvent ref Record;
};
// Registers the event provider COM server under the alias $EventProv. It is a
// separate COM class from the instance/method provider registered earlier.
instance of __Win32Provider as $EventProv
{
Name = "MS_NT_EVENTLOG_EVENT_PROVIDER";
ClsId = "{F55C5B4C-517D-11d1-AB57-00C04FD9159E}";
// Hosted in the provider host that runs as LocalSystem. Unlike $DataProv,
// this instance sets no ImpersonationLevel.
// NOTE(review): nothing in this registration limits which subscribers
// receive records, including Security-log records; that check has to live
// in the provider or in WMI's event security - confirm.
HostingModel = "LocalSystemHost";
};
// Declares the one event query $EventProv serves: creation events whose
// TargetInstance is a Win32_NTLogEvent, i.e. a notification per new log record.
instance of __EventProviderRegistration
{
Provider = $EventProv;
EventQueryList = {"select * from __InstanceCreationEvent where TargetInstance isa \"Win32_NTLogEvent\""};
};