// (c) 1998-1999 Microsoft Corporation. All rights reserved. #pragma autorecover #pragma classflags("forceupdate") Qualifier Description : ToSubClass Amended; Qualifier Values : ToSubClass Amended; Qualifier DisplayName : Amended; Qualifier BitValues:ToSubClass Amended ; Qualifier Aggregate : ToSubClass ; Qualifier ValueMap : ToSubClass ; Qualifier Aggregation : ToSubClass ; Qualifier ArrayType : ToSubClass ; Qualifier Association : ToInstance ToSubClass DisableOverride ; Qualifier BitMap : ToSubClass ; Qualifier CIM_Key : ToSubClass ; Qualifier CIMTYPE : ToSubClass ; Qualifier Deprecated : ToSubClass ; Qualifier Enumeration : ToSubClass ; Qualifier EnumPrivileges : ToSubClass ; Qualifier Fixed : ToSubclass; Qualifier ImplementationSource : ToSubClass ; Qualifier Key : ToInstance ToSubClass DisableOverride ; Qualifier Locale : ToInstance ; Qualifier MappingStrings : ToSubClass ; Qualifier Max : ToSubClass ; Qualifier MaxLen : ToSubClass ; Qualifier Min : ToSubClass ; Qualifier ModelCorrespondence : ToSubClass ; Qualifier Not_Null : ToSubClass ; Qualifier Override : Restricted ; Qualifier Privileges : ToSubClass ; Qualifier Propagated : ToSubClass ; Qualifier provider : ToInstance ; Qualifier Range : ToSubClass ; Qualifier Read : ToSubClass ; Qualifier Schema : ToInstance ; Qualifier Singleton : ToSubClass ToInstance ; Qualifier SUBTYPE : ToSubClass ; Qualifier Units : ToSubClass ; Qualifier UUID : ToInstance ; Qualifier Volatile : ToSubClass ; Qualifier Weak : ToSubClass ; Qualifier Write : ToSubClass ; Qualifier WritePrivileges : ToSubClass ; #pragma namespace ("\\\\.\\Root\\CIMV2") [singleton, Locale (0x409), UUID ("{8502C57A-5FBB-11D2-AAC1-006008C78BC7}")] class NTEventlogProviderConfig { datetime LastBootUpTime; }; instance of __Win32Provider as $DataProv { Name = "MS_NT_EVENTLOG_PROVIDER"; ClsId = "{FD4F53E0-65DC-11d1-AB64-00C04FD9159E}"; ImpersonationLevel = 1; PerUserInitialization = "TRUE"; HostingModel = "NetworkServiceHost"; }; instance of __MethodProviderRegistration { Provider = $DataProv; }; instance of __InstanceProviderRegistration { Provider = $DataProv; SupportsPut = TRUE; SupportsGet = TRUE; SupportsDelete = FALSE; SupportsEnumeration = TRUE; QuerySupportLevels = {"WQL:UnarySelect"}; }; [dynamic, provider("MS_NT_EVENTLOG_PROVIDER"), SupportsUpdate, Locale (0x409), UUID ("{8502C57B-5FBB-11D2-AAC1-006008C78BC7}")] class Win32_NTEventlogFile : CIM_DataFile { [Fixed, Description("The LogFileName property indicates name of the log file."), read] string LogfileName; [Description("The MaxFileSize property indicates the maximum size " "(in bytes) permitted for the log file. If " "the file exceeds its maximum size, its contents are moved to " "another file and the primary file is emptied. A value of zero " "indicates no size limit. "), read, write] uint32 MaxFileSize; [Description("Number of records in the log file. This value is determined " "by calling the Win32 function GetNumberOfEventLogRecords."), read] uint32 NumberOfRecords; [Description("Current overwrite policy the Windows NT/Windows 2000 " "Event Log service employs for this log file. The possible values " "of the property are: \n" "WhenNeeded - This corresponds to OverWriteOutdated = 0.\n" "OutDated - This corresponds to OverWriteOutdated of 1 to 365.\n" "Never - This corresponds to OverWriteOutdated = 4294967295. \n" "There is an interdependence between the OverWriteOutDated property " "(which is writable) value and the OverWritePolicy property " "(which is not writable) value.\n" "If one changes the OverWriteOutDated property value to 0, " "the OverWritePolicy property value will be 'henNeeded' \n" "If one changes the OverWriteOutDated property value to 1-365, " "the OverWritePolicy property value will be 'outDated' \n" "If one changes the OverWriteOutDated property value to 4294967295, " "the OverWritePolicy property value will be 'Never'."), read, volatile, ValueMap {"0", "1..365", "4294967295"} , Values {"WhenNeeded", "OutDated", "Never"} ] string OverWritePolicy; [Description("Number of days after which an event can be overwritten. " "Values are:\n" "0 = Any entry can be overwritten when necessary." "1..365 = Events that have been in the log file for one " "year (365 days) or less can be overwritten." "4294967295 = Nothing can be ever be overwritten. \n" "There is an interdependence between the OverWriteOutDated property " "(which is writable) value and the OverWritePolicy property " "(which is not writable) value.\n" "If one changes the OverWriteOutDated property value to 0, " "the OverWritePolicy property value will be 'henNeeded' \n" "If one changes the OverWriteOutDated property value to 1-365, " "the OverWritePolicy property value will be 'outDated' \n" "If one changes the OverWriteOutDated property value to 4294967295, " "the OverWritePolicy property value will be 'Never'."), read, write, Units("Days"), Range("0-365 | 4294967295")] uint32 OverwriteOutDated; [Description("The Sources property indicates the applications " "that are registered to log into this log file."), read] string Sources[]; //Methods [Description("Clears the specified event log, and optionally " "saves the current copy of the logfile to a backup file. " "The method returns an integer value that can be " "interpretted as follows: \n" "0 - Successful completion.\n" "8 - The user does not have adequate privileges.\n" "21 - Invalid parameter.\n" "Other - For integer values other than those listed above, " "refer to Win32 error code documentation."): ToSubClass, Values{ "Success", "Privilege missing", "Invalid parameter", "Other" }, ValueMap{ "0", "8", "21", ".." }, implemented, Privileges{"SeSecurityPrivilege", "SeBackupPrivilege"}] uint32 ClearEventlog( [Description("String specifying the name of a " "file in which a current copy of the event logfile will be placed. " "If this file already exists, the function fails. "), in] string ArchiveFileName ); [Description("Saves the specified event log to a backup file. " "The method returns an integer value that can be " "interpretted as follows: \n" "0 - Successful completion.\n" "8 - The user does not have adequate privileges.\n" "21 - Invalid parameter.\n" "183 - Archive file name already exists. Cannot create file. \n" "Other - For integer values other than those listed above, " "refer to Win32 error code documentation."): ToSubClass, Values{ "Success", "Privilege missing", "Invalid parameter", "Archive file name already exists.", "Other" }, ValueMap{ "0", "8", "21", "183", ".." }, implemented, Privileges{"SeSecurityPrivilege", "SeBackupPrivilege"}] uint32 BackupEventlog( [Description("String specifying the name of the backup file."), in] string ArchiveFileName ); }; [DisplayName("NT Log Events"), Dynamic, Provider("MS_NT_EVENTLOG_PROVIDER"), EnumPrivileges{"SeSecurityPrivilege"}, Description("This class is used to translate instances from the NT Eventlog."), Locale (0x409), UUID ("{8502C57C-5FBB-11D2-AAC1-006008C78BC7}")] class Win32_NTLogEvent { [DisplayName ("Record Number"), Key, Description ("Identifies the event within the NT Eventlog logfile. This " "is specific to the logfile and is used together with the logfile name to " "uniquely identify an instance of this class.") ] uint32 RecordNumber; [DisplayName ("Log File"), Key, Description ("The name of NT Eventlog logfile. This is used together with " "the RecordNumber to uniquely identify an instance of this class.") ] string Logfile; [Fixed, DisplayName("Event Identifier"), Description("Identifies the event. " "This is specific to the source that generated the event log entry, and " "is used, together with SourceName, to uniquely identify an NT event type.") ] uint32 EventIdentifier; [DisplayName("Event Code"), Description("This property has the value of " "the lower 16-bits of the EventIdentifier property. It is present to match " "the value displayed in the NT Event Viewer. NOTE: Two events from the same " "source may have the same value for this property but may have different " "severity and EventIdentifier values") ] uint16 EventCode; [Fixed, DisplayName("Source Name"), Description("The variable-length null-terminated " "string specifying the name of the source (application, service, driver, " "subsystem) that generated the entry. It is used, together with the " "EventIdentifier, to uniquely identify an NT event type.") ] string SourceName; [Fixed, DisplayName("Type"), Description("Specifies the type of event. This " "is an enumerated string"), ValueMap {"1", "2", "4", "8", "16"}, Values {"error", "warning", "information", "audit success", "audit failure"} ] string Type; [DisplayName("Category"), Description("Specifies a subcategory for " "this event. This subcategory is source specific.") ] uint16 Category; [DisplayName("Category String"), Description("Specifies the translation " "of the subcategory. The translation is source specific.") ] string CategoryString; [Fixed, DisplayName("Time Generated"), Description("Specifies the time at " "which the source generated the event.") ] datetime TimeGenerated; [Fixed, DisplayName("Time Written"), Description("Specifies the time at which " "the event was written to the logfile.") ] datetime TimeWritten; [Fixed, DisplayName("Computer Name"), Description("The variable-length " "null-terminated string specifying the name of the computer that " "generated this event.") ] string ComputerName; [DisplayName("User Name"), Description("The user name of the logged on " "user when the event ocurred. If the user name cannot be determined " "this will be NULL") ] string User; [DisplayName("Message"), Description("The event message as it appears " "in the NT Eventlog. This is a standard message with zero or more " "insertion strings supplied by the source of the NT event. The " "insertion strings are inserted into the standard message in a " "predefined format. If there are no insertion strings or there is a " "problem inserting the insertion strings, only the standard message " "will be present in this field.") ] string Message; [DisplayName("Insertion Strings"), Description("The insertion strings " "that accompanied the report of the NT event.") ] string InsertionStrings[ ]; [DisplayName("Binary Data"), Description("The binary data that " "accompanied the report of the NT event.") ] Uint8 Data[ ]; [Fixed, Description ("The Type property specifies the type of event."), DisplayName("Type Event"), ValueMap {"1", "2", "3","4","5"}, Values {"error", "warning", "information", "security audit success","security audit failure"}] uint8 EventType; }; // RuleBased("Select * From " // "Win32_NTLogEvent As A " // "Join " // "Win32_NTEventLogFile As B " // "On A.LogFile = B.LogFileName") [Description("The Win32_NTLogEventLog class represents an association " "between an NT log event and the log file that contains the event."), dynamic, provider("MS_NT_EVENTLOG_PROVIDER"), EnumPrivileges{"SeSecurityPrivilege"}, Locale (0x409), UUID ("{8502C57D-5FBB-11D2-AAC1-006008C78BC7}"), Association: ToInstance] class Win32_NTLogEventLog { [Description("The Log property references the log file that " "contains the NT log event."), Key, read] Win32_NTEventlogFile ref Log; [Description("The Record property references an NT log event."), Key, read] Win32_NTLogEvent ref Record; }; [Description("The Win32_NTLogEventUser class represents an association " "between an NT log event and the active user at the time the " "event was logged. "), dynamic, provider("MS_NT_EVENTLOG_PROVIDER"), EnumPrivileges{"SeSecurityPrivilege"}, Locale (0x409), UUID ("{8502C57E-5FBB-11D2-AAC1-006008C78BC7}"), Association: ToInstance] class Win32_NTLogEventUser { [Description("The User property references the active user " "at the time the event was logged."), Key, read] Win32_UserAccount ref User; [Description("The Record property references an NT log event."), Key, read] Win32_NTLogEvent ref Record; }; //RuleBased("Select * From " // "Win32_ComputerSystem As A " // "Join " // "Win32_NTLogEvent As B " // "On A.Name = B.ComputerName") [Description("The Win32_NTLogEventComputer class represents an association " "between an NT log event and the computer from which the event " "was generated."), dynamic, provider("MS_NT_EVENTLOG_PROVIDER"), EnumPrivileges{"SeSecurityPrivilege"}, Locale (0x409), UUID ("{8502C57F-5FBB-11D2-AAC1-006008C78BC7}"), Association: ToInstance] class Win32_NTLogEventComputer { [Description("The Computer property references the computer from which " "the event was generated."), Key, read] Win32_ComputerSystem ref Computer; [Description("The Record property references an NT log event."), Key, read] Win32_NTLogEvent ref Record; }; instance of __Win32Provider as $EventProv { Name = "MS_NT_EVENTLOG_EVENT_PROVIDER"; ClsId = "{F55C5B4C-517D-11d1-AB57-00C04FD9159E}"; HostingModel = "LocalSystemHost"; }; instance of __EventProviderRegistration { Provider = $EventProv; EventQueryList = {"select * from __InstanceCreationEvent where TargetInstance isa \"Win32_NTLogEvent\""}; };