398 lines
13 KiB
Plaintext
398 lines
13 KiB
Plaintext
|
|
|
|
// (c) 1998-1999 Microsoft Corporation. All rights reserved.
|
|
|
|
#pragma autorecover
|
|
#pragma classflags("forceupdate")
|
|
|
|
Qualifier Description : ToSubClass Amended;
|
|
Qualifier Values : ToSubClass Amended;
|
|
Qualifier DisplayName : Amended;
|
|
Qualifier BitValues:ToSubClass Amended ;
|
|
|
|
Qualifier Aggregate : ToSubClass ;
|
|
Qualifier ValueMap : ToSubClass ;
|
|
Qualifier Aggregation : ToSubClass ;
|
|
Qualifier ArrayType : ToSubClass ;
|
|
Qualifier Association : ToInstance ToSubClass DisableOverride ;
|
|
Qualifier BitMap : ToSubClass ;
|
|
Qualifier CIM_Key : ToSubClass ;
|
|
Qualifier CIMTYPE : ToSubClass ;
|
|
Qualifier Deprecated : ToSubClass ;
|
|
Qualifier Enumeration : ToSubClass ;
|
|
Qualifier EnumPrivileges : ToSubClass ;
|
|
Qualifier Fixed : ToSubclass;
|
|
Qualifier ImplementationSource : ToSubClass ;
|
|
Qualifier Key : ToInstance ToSubClass DisableOverride ;
|
|
Qualifier Locale : ToInstance ;
|
|
Qualifier MappingStrings : ToSubClass ;
|
|
Qualifier Max : ToSubClass ;
|
|
Qualifier MaxLen : ToSubClass ;
|
|
Qualifier Min : ToSubClass ;
|
|
Qualifier ModelCorrespondence : ToSubClass ;
|
|
Qualifier Not_Null : ToSubClass ;
|
|
Qualifier Override : Restricted ;
|
|
Qualifier Privileges : ToSubClass ;
|
|
Qualifier Propagated : ToSubClass ;
|
|
Qualifier provider : ToInstance ;
|
|
Qualifier Range : ToSubClass ;
|
|
Qualifier Read : ToSubClass ;
|
|
Qualifier Schema : ToInstance ;
|
|
Qualifier Singleton : ToSubClass ToInstance ;
|
|
Qualifier SUBTYPE : ToSubClass ;
|
|
Qualifier Units : ToSubClass ;
|
|
Qualifier UUID : ToInstance ;
|
|
Qualifier Volatile : ToSubClass ;
|
|
Qualifier Weak : ToSubClass ;
|
|
Qualifier Write : ToSubClass ;
|
|
Qualifier WritePrivileges : ToSubClass ;
|
|
|
|
|
|
#pragma namespace ("\\\\.\\Root\\CIMV2")
|
|
|
|
|
|
[singleton,
|
|
Locale (0x409), UUID ("{8502C57A-5FBB-11D2-AAC1-006008C78BC7}")]
|
|
class NTEventlogProviderConfig
|
|
{
|
|
datetime LastBootUpTime;
|
|
};
|
|
|
|
instance of __Win32Provider as $DataProv
|
|
{
|
|
Name = "MS_NT_EVENTLOG_PROVIDER";
|
|
ClsId = "{FD4F53E0-65DC-11d1-AB64-00C04FD9159E}";
|
|
ImpersonationLevel = 1;
|
|
PerUserInitialization = "TRUE";
|
|
HostingModel = "NetworkServiceHost";
|
|
};
|
|
|
|
instance of __MethodProviderRegistration
|
|
{
|
|
Provider = $DataProv;
|
|
};
|
|
|
|
instance of __InstanceProviderRegistration
|
|
{
|
|
Provider = $DataProv;
|
|
SupportsPut = TRUE;
|
|
SupportsGet = TRUE;
|
|
SupportsDelete = FALSE;
|
|
SupportsEnumeration = TRUE;
|
|
QuerySupportLevels = {"WQL:UnarySelect"};
|
|
};
|
|
|
|
[dynamic,
|
|
provider("MS_NT_EVENTLOG_PROVIDER"), SupportsUpdate,
|
|
Locale (0x409), UUID ("{8502C57B-5FBB-11D2-AAC1-006008C78BC7}")]
|
|
class Win32_NTEventlogFile : CIM_DataFile
|
|
{
|
|
[Fixed, Description("The LogFileName property indicates name of the log file."),
|
|
read]
|
|
string LogfileName;
|
|
|
|
[Description("The MaxFileSize property indicates the maximum size "
|
|
"(in bytes) permitted for the log file. If "
|
|
"the file exceeds its maximum size, its contents are moved to "
|
|
"another file and the primary file is emptied. A value of zero "
|
|
"indicates no size limit. "),
|
|
read,
|
|
write]
|
|
uint32 MaxFileSize;
|
|
|
|
[Description("Number of records in the log file. This value is determined "
|
|
"by calling the Win32 function GetNumberOfEventLogRecords."),
|
|
read]
|
|
uint32 NumberOfRecords;
|
|
|
|
[Description("Current overwrite policy the Windows NT/Windows 2000 "
|
|
"Event Log service employs for this log file. The possible values "
|
|
"of the property are: \n"
|
|
"WhenNeeded - This corresponds to OverWriteOutdated = 0.\n"
|
|
"OutDated - This corresponds to OverWriteOutdated of 1 to 365.\n"
|
|
"Never - This corresponds to OverWriteOutdated = 4294967295. \n"
|
|
"There is an interdependence between the OverWriteOutDated property "
|
|
"(which is writable) value and the OverWritePolicy property "
|
|
"(which is not writable) value.\n"
|
|
"If one changes the OverWriteOutDated property value to 0, "
|
|
"the OverWritePolicy property value will be 'henNeeded' \n"
|
|
"If one changes the OverWriteOutDated property value to 1-365, "
|
|
"the OverWritePolicy property value will be 'outDated' \n"
|
|
"If one changes the OverWriteOutDated property value to 4294967295, "
|
|
"the OverWritePolicy property value will be 'Never'."),
|
|
read,
|
|
volatile,
|
|
ValueMap {"0", "1..365", "4294967295"} ,
|
|
Values {"WhenNeeded", "OutDated", "Never"} ]
|
|
string OverWritePolicy;
|
|
|
|
[Description("Number of days after which an event can be overwritten. "
|
|
"Values are:\n"
|
|
"0 = Any entry can be overwritten when necessary."
|
|
"1..365 = Events that have been in the log file for one "
|
|
"year (365 days) or less can be overwritten."
|
|
"4294967295 = Nothing can be ever be overwritten. \n"
|
|
"There is an interdependence between the OverWriteOutDated property "
|
|
"(which is writable) value and the OverWritePolicy property "
|
|
"(which is not writable) value.\n"
|
|
"If one changes the OverWriteOutDated property value to 0, "
|
|
"the OverWritePolicy property value will be 'henNeeded' \n"
|
|
"If one changes the OverWriteOutDated property value to 1-365, "
|
|
"the OverWritePolicy property value will be 'outDated' \n"
|
|
"If one changes the OverWriteOutDated property value to 4294967295, "
|
|
"the OverWritePolicy property value will be 'Never'."),
|
|
read,
|
|
write,
|
|
Units("Days"),
|
|
Range("0-365 | 4294967295")]
|
|
uint32 OverwriteOutDated;
|
|
|
|
[Description("The Sources property indicates the applications "
|
|
"that are registered to log into this log file."),
|
|
read]
|
|
string Sources[];
|
|
|
|
//Methods
|
|
|
|
[Description("Clears the specified event log, and optionally "
|
|
"saves the current copy of the logfile to a backup file. "
|
|
"The method returns an integer value that can be "
|
|
"interpretted as follows: \n"
|
|
"0 - Successful completion.\n"
|
|
"8 - The user does not have adequate privileges.\n"
|
|
"21 - Invalid parameter.\n"
|
|
"Other - For integer values other than those listed above, "
|
|
"refer to Win32 error code documentation."): ToSubClass,
|
|
Values{ "Success",
|
|
"Privilege missing",
|
|
"Invalid parameter",
|
|
"Other" },
|
|
ValueMap{ "0", "8", "21", ".." },
|
|
implemented,
|
|
Privileges{"SeSecurityPrivilege", "SeBackupPrivilege"}]
|
|
uint32 ClearEventlog(
|
|
|
|
[Description("String specifying the name of a "
|
|
"file in which a current copy of the event logfile will be placed. "
|
|
"If this file already exists, the function fails. "),
|
|
in]
|
|
string ArchiveFileName
|
|
|
|
);
|
|
|
|
[Description("Saves the specified event log to a backup file. "
|
|
"The method returns an integer value that can be "
|
|
"interpretted as follows: \n"
|
|
"0 - Successful completion.\n"
|
|
"8 - The user does not have adequate privileges.\n"
|
|
"21 - Invalid parameter.\n"
|
|
"183 - Archive file name already exists. Cannot create file. \n"
|
|
"Other - For integer values other than those listed above, "
|
|
"refer to Win32 error code documentation."): ToSubClass,
|
|
Values{ "Success",
|
|
"Privilege missing",
|
|
"Invalid parameter",
|
|
"Archive file name already exists.",
|
|
"Other" },
|
|
ValueMap{ "0", "8", "21", "183", ".." },
|
|
implemented,
|
|
Privileges{"SeSecurityPrivilege", "SeBackupPrivilege"}]
|
|
uint32 BackupEventlog(
|
|
|
|
[Description("String specifying the name of the backup file."),
|
|
in]
|
|
string ArchiveFileName
|
|
|
|
);
|
|
|
|
};
|
|
|
|
|
|
[DisplayName("NT Log Events"),
|
|
Dynamic, Provider("MS_NT_EVENTLOG_PROVIDER"), EnumPrivileges{"SeSecurityPrivilege"},
|
|
Description("This class is used to translate instances from the NT Eventlog."),
|
|
Locale (0x409), UUID ("{8502C57C-5FBB-11D2-AAC1-006008C78BC7}")]
|
|
class Win32_NTLogEvent
|
|
{
|
|
[DisplayName ("Record Number"), Key,
|
|
Description ("Identifies the event within the NT Eventlog logfile. This "
|
|
"is specific to the logfile and is used together with the logfile name to "
|
|
"uniquely identify an instance of this class.")
|
|
]
|
|
uint32 RecordNumber;
|
|
[DisplayName ("Log File"), Key,
|
|
Description ("The name of NT Eventlog logfile. This is used together with "
|
|
"the RecordNumber to uniquely identify an instance of this class.")
|
|
]
|
|
string Logfile;
|
|
[Fixed, DisplayName("Event Identifier"), Description("Identifies the event. "
|
|
"This is specific to the source that generated the event log entry, and "
|
|
"is used, together with SourceName, to uniquely identify an NT event type.")
|
|
]
|
|
uint32 EventIdentifier;
|
|
[DisplayName("Event Code"), Description("This property has the value of "
|
|
"the lower 16-bits of the EventIdentifier property. It is present to match "
|
|
"the value displayed in the NT Event Viewer. NOTE: Two events from the same "
|
|
"source may have the same value for this property but may have different "
|
|
"severity and EventIdentifier values")
|
|
]
|
|
uint16 EventCode;
|
|
[Fixed, DisplayName("Source Name"), Description("The variable-length null-terminated "
|
|
"string specifying the name of the source (application, service, driver, "
|
|
"subsystem) that generated the entry. It is used, together with the "
|
|
"EventIdentifier, to uniquely identify an NT event type.")
|
|
]
|
|
string SourceName;
|
|
[Fixed, DisplayName("Type"), Description("Specifies the type of event. This "
|
|
"is an enumerated string"),
|
|
ValueMap {"1", "2", "4", "8", "16"},
|
|
Values {"error", "warning", "information", "audit success", "audit failure"}
|
|
]
|
|
string Type;
|
|
[DisplayName("Category"), Description("Specifies a subcategory for "
|
|
"this event. This subcategory is source specific.")
|
|
]
|
|
uint16 Category;
|
|
[DisplayName("Category String"), Description("Specifies the translation "
|
|
"of the subcategory. The translation is source specific.")
|
|
]
|
|
string CategoryString;
|
|
[Fixed, DisplayName("Time Generated"), Description("Specifies the time at "
|
|
"which the source generated the event.")
|
|
]
|
|
datetime TimeGenerated;
|
|
[Fixed, DisplayName("Time Written"), Description("Specifies the time at which "
|
|
"the event was written to the logfile.")
|
|
]
|
|
datetime TimeWritten;
|
|
[Fixed, DisplayName("Computer Name"), Description("The variable-length "
|
|
"null-terminated string specifying the name of the computer that "
|
|
"generated this event.")
|
|
]
|
|
string ComputerName;
|
|
[DisplayName("User Name"), Description("The user name of the logged on "
|
|
"user when the event ocurred. If the user name cannot be determined "
|
|
"this will be NULL")
|
|
]
|
|
string User;
|
|
[DisplayName("Message"), Description("The event message as it appears "
|
|
"in the NT Eventlog. This is a standard message with zero or more "
|
|
"insertion strings supplied by the source of the NT event. The "
|
|
"insertion strings are inserted into the standard message in a "
|
|
"predefined format. If there are no insertion strings or there is a "
|
|
"problem inserting the insertion strings, only the standard message "
|
|
"will be present in this field.")
|
|
]
|
|
string Message;
|
|
[DisplayName("Insertion Strings"), Description("The insertion strings "
|
|
"that accompanied the report of the NT event.")
|
|
]
|
|
string InsertionStrings[ ];
|
|
[DisplayName("Binary Data"), Description("The binary data that "
|
|
"accompanied the report of the NT event.")
|
|
]
|
|
Uint8 Data[ ];
|
|
[Fixed, Description ("The Type property specifies the type of event."),
|
|
DisplayName("Type Event"),
|
|
ValueMap {"1", "2", "3","4","5"},
|
|
Values {"error", "warning", "information",
|
|
"security audit success","security audit failure"}]
|
|
uint8 EventType;
|
|
};
|
|
|
|
// RuleBased("Select * From "
|
|
// "Win32_NTLogEvent As A "
|
|
// "Join "
|
|
// "Win32_NTEventLogFile As B "
|
|
// "On A.LogFile = B.LogFileName")
|
|
|
|
[Description("The Win32_NTLogEventLog class represents an association "
|
|
"between an NT log event and the log file that contains the event."),
|
|
dynamic,
|
|
provider("MS_NT_EVENTLOG_PROVIDER"),
|
|
EnumPrivileges{"SeSecurityPrivilege"},
|
|
Locale (0x409),
|
|
UUID ("{8502C57D-5FBB-11D2-AAC1-006008C78BC7}"),
|
|
Association: ToInstance]
|
|
class Win32_NTLogEventLog
|
|
{
|
|
[Description("The Log property references the log file that "
|
|
"contains the NT log event."),
|
|
Key,
|
|
read]
|
|
Win32_NTEventlogFile ref Log;
|
|
|
|
[Description("The Record property references an NT log event."),
|
|
Key,
|
|
read]
|
|
Win32_NTLogEvent ref Record;
|
|
};
|
|
|
|
[Description("The Win32_NTLogEventUser class represents an association "
|
|
"between an NT log event and the active user at the time the "
|
|
"event was logged. "),
|
|
dynamic,
|
|
provider("MS_NT_EVENTLOG_PROVIDER"),
|
|
EnumPrivileges{"SeSecurityPrivilege"},
|
|
Locale (0x409),
|
|
UUID ("{8502C57E-5FBB-11D2-AAC1-006008C78BC7}"),
|
|
Association: ToInstance]
|
|
class Win32_NTLogEventUser
|
|
{
|
|
[Description("The User property references the active user "
|
|
"at the time the event was logged."),
|
|
Key,
|
|
read]
|
|
Win32_UserAccount ref User;
|
|
|
|
[Description("The Record property references an NT log event."),
|
|
Key,
|
|
read]
|
|
Win32_NTLogEvent ref Record;
|
|
|
|
};
|
|
|
|
//RuleBased("Select * From "
|
|
// "Win32_ComputerSystem As A "
|
|
// "Join "
|
|
// "Win32_NTLogEvent As B "
|
|
// "On A.Name = B.ComputerName")
|
|
|
|
[Description("The Win32_NTLogEventComputer class represents an association "
|
|
"between an NT log event and the computer from which the event "
|
|
"was generated."),
|
|
dynamic,
|
|
provider("MS_NT_EVENTLOG_PROVIDER"),
|
|
EnumPrivileges{"SeSecurityPrivilege"},
|
|
Locale (0x409),
|
|
UUID ("{8502C57F-5FBB-11D2-AAC1-006008C78BC7}"),
|
|
Association: ToInstance]
|
|
class Win32_NTLogEventComputer
|
|
{
|
|
[Description("The Computer property references the computer from which "
|
|
"the event was generated."),
|
|
Key,
|
|
read]
|
|
Win32_ComputerSystem ref Computer;
|
|
|
|
[Description("The Record property references an NT log event."),
|
|
Key,
|
|
read]
|
|
Win32_NTLogEvent ref Record;
|
|
};
|
|
|
|
instance of __Win32Provider as $EventProv
|
|
{
|
|
Name = "MS_NT_EVENTLOG_EVENT_PROVIDER";
|
|
ClsId = "{F55C5B4C-517D-11d1-AB57-00C04FD9159E}";
|
|
HostingModel = "LocalSystemHost";
|
|
};
|
|
|
|
instance of __EventProviderRegistration
|
|
{
|
|
Provider = $EventProv;
|
|
EventQueryList = {"select * from __InstanceCreationEvent where TargetInstance isa \"Win32_NTLogEvent\""};
|
|
};
|
|
|
|
|