Win32_NTEventlogFile Class

[This is preliminary documentation and subject to change.]

The Event Log instance Provider defines the Win32_NTEventlogFile class to access the data stored in a Windows NT log file. The Win32_NTEventlogFile class derives from the CIM_DataFile class, which is part of the class hierarchy that ultimately inherits from CIM_ManagedSystemElement. Win32_NTEventlogFile inherits properties from the following superclasses:

The following table describes the properties that are defined directly in the Win32_NTEventlogFile class:

| Property | Description |
| --- | --- |
| LogfileName | Name of the log file. Standard log file names are application, system, and security. |
| MaxFileSize | Read/write value retrieved from the Windows NT Event Log service's MaxSize value in the registry. |
| NumberOfRecords | Determined by calling the Win32 function GetNumberOfEventLogRecords. |

Clients of the Event Log Provider can change the value for the MaxFileSize property. If MaxFileSize is decreased, the change does not take effect until the log file is cleared.

Two other properties, OverWritePolicy and OverwriteOutDated, are based on the Windows NT Event Log service's Retention value in the registry. OverwriteOutDated is set to the same value as Retention and provides the number of days after which an event can be overwritten. Valid values for this property are:

To change the overwrite policy being used for the log file, change the OverwriteOutDated property. When IWbemServices::PutInstance or IWbemServices::PutInstanceAsync is called to store the Win32_NTEventlogFile instance, the registry is updated. PutInstance or PutInstanceAsync fails if an attempt is made to set OverwriteOutDated to a value between 365 and 4294967295.

OverWritePolicy is a read-only property that identifies the current overwrite policy employed by the Windows NT Event Log service for this log file. Its value is based on the value of the OverwriteOutDated property and is set as follows:

| OverwriteOutDated value | OverWritePolicy value |
| --- | --- |
| 0 | WhenNeeded |
| 1 - 365 | OutDated |
| 4294967295 | Never |

For more information about overwrite policy values, see Log File Registry Entries.

In addition to properties, the Win32_NTEventlogFile class includes two methods: BackupEventlog and ClearEventlog. These methods implement the corresponding Win32 functions and take one input parameter, the name of the archive file to be created. For BackupEventlog, this parameter must not be NULL or the name of a file that already exists. ClearEventlog accepts a NULL parameter if the caller does not require the log file to be archived before it is cleared. If the parameter is non-NULL, the file must not already exist. Both methods return 0 if they are successful; if unsuccessful, they return an error code obtained from the Win32 GetLastError function.
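The following PowerShell sketch is an added example, not part of the original documentation. It audits each log's retention settings against the OverwriteOutDated/OverWritePolicy table above and archives a log with BackupEventlog while enforcing the "file must not already exist" rule. The helper function names and the archive path are hypothetical, `ArchiveFileName` is the method's input parameter name in the class definition (this page does not name it), and an elevated session is assumed.

```powershell
# Added example (not from the original documentation).
# Assumptions: elevated session; C:\EvidenceArchive is a hypothetical, existing folder.

function Get-ExpectedOverwritePolicy {
    # Mirrors the OverwriteOutDated -> OverWritePolicy table on this page.
    param([uint32]$OverwriteOutDated)
    if ($OverwriteOutDated -eq 0)                 { return 'WhenNeeded' }
    if ($OverwriteOutDated -le 365)               { return 'OutDated' }
    if ($OverwriteOutDated -eq [uint32]::MaxValue) { return 'Never' }   # 4294967295
    # Any other value is one that PutInstance/PutInstanceAsync refuses to store.
    return 'Invalid'
}

function Backup-EventLogFile {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[\w \-/]+$')][string]$LogfileName,
        [Parameter(Mandatory)][string]$ArchivePath
    )
    # BackupEventlog needs a non-NULL name of a file that does not exist yet.
    if (Test-Path -LiteralPath $ArchivePath) {
        throw "Archive file already exists: $ArchivePath"
    }
    $log = Get-CimInstance -ClassName Win32_NTEventlogFile -Filter "LogfileName='$LogfileName'"
    if (-not $log) { throw "No event log named '$LogfileName'" }

    $result = Invoke-CimMethod -InputObject $log -MethodName BackupEventlog `
                               -Arguments @{ ArchiveFileName = $ArchivePath }
    # 0 means success; anything else is the Win32 GetLastError code.
    if ($result.ReturnValue -ne 0) {
        throw "BackupEventlog failed for '$LogfileName' (Win32 error $($result.ReturnValue))"
    }
    Get-Item -LiteralPath $ArchivePath
}

# Audit: list size, record count and retention for every log, and flag any
# instance whose reported policy disagrees with the documented mapping.
Get-CimInstance -ClassName Win32_NTEventlogFile | ForEach-Object {
    [pscustomobject]@{
        LogfileName       = $_.LogfileName
        MaxFileSize       = $_.MaxFileSize
        NumberOfRecords   = $_.NumberOfRecords
        OverwriteOutDated = $_.OverwriteOutDated
        OverWritePolicy   = $_.OverWritePolicy
        MatchesTable      = ($_.OverWritePolicy -eq (Get-ExpectedOverwritePolicy $_.OverwriteOutDated))
    }
} | Format-Table -AutoSize

# Archive the Security log to a new file (path is a constructed placeholder).
Backup-EventLogFile -LogfileName 'Security' -ArchivePath 'C:\EvidenceArchive\Security-backup.evtx'
```

A log reporting WhenNeeded together with a small MaxFileSize can lose older events quickly, so the audit output is a useful input when reviewing retention on hosts where the Security log matters for investigations.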