2.2 Common Data Types
2.2.16 Query
The query type specifies an XML document used to select events in the event log by using well-formed XML (as specified in [XML10]) and is defined by the following XSD (as specified in [XMLSCHEMA1.1/2:2008]).
<xs:schema targetNamespace="http://schemas.microsoft.com/win/2004/08/events/eventquery"
           elementFormDefault="qualified"
           xmlns="http://schemas.microsoft.com/win/2004/08/events/eventquery"
           xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:complexType name="QueryType">
    <xs:choice maxOccurs="unbounded">
      <xs:element name="Select">
        <xs:complexType mixed="true">
          <xs:attribute name="Path" type="xs:anyURI" use="optional"/>
        </xs:complexType>
      </xs:element>
      <xs:element name="Suppress">
        <xs:complexType mixed="true">
          <xs:attribute name="Path" type="xs:anyURI" use="optional"/>
        </xs:complexType>
      </xs:element>
    </xs:choice>
    <xs:attribute name="Id" type="xs:long" use="optional"/>
    <xs:attribute name="Path" type="xs:anyURI" use="optional"/>
  </xs:complexType>
  <xs:complexType name="QueryListType">
    <xs:sequence maxOccurs="unbounded">
      <xs:element name="Query" type="QueryType"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="QueryList" type="QueryListType"/>
</xs:schema>
Elements:
QueryList: Lists the query elements. The event query result set contains events matched by any of the query elements.
Query: Defines a set of selectors and suppressors. Query elements are referred to as subqueries.
Select: Defines an event filter for events included in the result set (unless rejected by a suppressor in the same query element), as specified in section 2.2.15.
Suppress: Defines an event filter for events omitted from the result set (even if the same events were selected by a selector in the same query element), as specified in section 2.2.15.
Attributes:
ID: Defines the ID of a subquery so that a consumer can determine which subquery out of many caused the record to be included in a result set. Multiple subqueries using the same ID are not distinguished in the result set. For information on subquery IDs, see section 2.2.17.
Path: Specifies either the name of a channel or a path to a backup event log for query elements, selectors, and suppressors. A path specified for the query element applies to the selectors and suppressors it contains that do not specify a path of their own. If a path begins with file://, it MUST be interpreted as a Uniform Resource Identifier (URI) path to a backup event log file, as specified in [RFC3986], that uses file as a scheme; for example, file://c:/dir1/dir2/file.evt. Otherwise, a path MUST be interpreted as a channel name.
2.2.17 Result Set
An event query or subscription returns multiple events in the result set. The result set is a buffer containing one or more variable length EVENT_DESCRIPTOR structures, as specified in [MS-DTYP] section 2.3.1. Methods that return multiple events always return an array of offsets into the buffer for the individual events.
The records are transferred as a set of bytes. All integer fields in this structure MUST be in little-endian byte order (that is, least significant byte first).
Structure layout (fields in byte order; each fixed field occupies one 32-bit row):
totalSize (4 bytes)
headerSize (4 bytes)
eventOffset (4 bytes)
bookmarkOffset (4 bytes)
binXmlSize (4 bytes)
eventData (variable)
numberOfSubqueryIDs (4 bytes)
subqueryIDs (variable)
bookMarkData (variable)
totalSize (4 bytes): A 32-bit unsigned integer that contains the total size in bytes of this structure, including the header.
headerSize (4 bytes): This MUST always be set to 0x00000010.
eventOffset (4 bytes): This MUST always be set to 0x00000010.
bookmarkOffset (4 bytes): A 32-bit unsigned integer that contains the byte offset from the start of this structure to bookMarkData.
binXmlSize (4 bytes): Size in bytes of the BinXml data in the eventData field.
eventData (variable): A byte-array that contains variable length BinXml data.
numberOfSubqueryIDs (4 bytes): Number of subqueryIDs fields that follow. This is 0 if the event is selected by an XPath expression (rather than a structured XML query).
subqueryIDs (variable): An array of subquery IDs. Events that are selected using a structured XML query can be selected by one or more subqueries. Each subquery has either an ID specified in the XML element that defines the subquery, or defaults to 0xFFFFFFFF. This list has an entry for each subquery that matches the event. If two subqueries select the event and both use the same ID, the ID is listed only once.
bookMarkData (variable): A byte-array that contains variable length bookmark data, as specified below.
A query can refer to several channels or backup event logs. A subscription can refer to several channels. To accurately record the state of a query, it is necessary to know where the file cursor (bookmark) is with respect to those channels or backup event logs. The bookmark data is encoded as follows. Note that all integer fields in this structure MUST be in little-endian byte order (that is, least significant byte first).
Bookmark layout (fields in byte order; each fixed field occupies one 32-bit row):
bookmarkSize (4 bytes)
headerSize (4 bytes)
channelSize (4 bytes)
currentChannel (4 bytes)
readDirection (4 bytes)
recordIdsOffset (4 bytes)
logRecordNumbers (variable)
bookmarkSize (4 bytes): A 32-bit unsigned integer that contains the total size in bytes of the bookmark, including the header and logRecordNumbers.
headerSize (4 bytes): A 32-bit unsigned integer that MUST be set to 0x00000018.
channelSize (4 bytes): A 32-bit unsigned integer that contains the number of channels in the query. This is the number of elements in logRecordNumbers.
currentChannel (4 bytes): A 32-bit unsigned integer that indicates which channel the current event is from.
readDirection (4 bytes): A 32-bit unsigned integer that contains the read direction. 0x00000000 indicates chronological order based on time written, and 0x00000001 indicates reverse order.
recordIdsOffset (4 bytes): A 32-bit unsigned integer that contains the byte offset from the start of the header to logRecordNumbers.
logRecordNumbers (variable): An array of 64-bit unsigned integers that contain the record numbers for each of the channels or backup event logs. The order of the record numbers MUST match the order of the channels or backup event logs in the query (for example, the first channel in the query corresponds to the first member of the array).
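The following is an added example, not code from the specification, showing how a consumer would parse one record of the result set described in this section, including its embedded bookmark, while checking every size and offset against the buffer before trusting it (a malformed record from the server should be rejected rather than read out of bounds). The sample record bytes are constructed here; the eventData bytes are a stand-in and are not real BinXml.

```python
import struct

RESULT_HEADER_SIZE = 0x10    # headerSize and eventOffset MUST be 0x00000010
BOOKMARK_HEADER_SIZE = 0x18  # bookmark headerSize MUST be 0x00000018
DEFAULT_SUBQUERY_ID = 0xFFFFFFFF  # subquery with no Id attribute

def parse_bookmark(buf, off):
    """Parse the bookmark at buf[off]; all integers are little-endian."""
    size, hdr, nchan, cur, direction, ids_off = struct.unpack_from("<6I", buf, off)
    if hdr != BOOKMARK_HEADER_SIZE or ids_off < hdr or off + size > len(buf):
        raise ValueError("malformed bookmark header")
    if ids_off + 8 * nchan > size or direction not in (0, 1) or (nchan and cur >= nchan):
        raise ValueError("bookmark fields inconsistent with its size")
    records = list(struct.unpack_from("<%dQ" % nchan, buf, off + ids_off))
    return {"currentChannel": cur, "readDirection": direction, "logRecordNumbers": records}

def parse_result_record(buf):
    """Parse one variable-length result-set record starting at buf[0]."""
    total, hdr, ev_off, bm_off = struct.unpack_from("<4I", buf, 0)
    if hdr != RESULT_HEADER_SIZE or ev_off != RESULT_HEADER_SIZE:
        raise ValueError("unexpected headerSize/eventOffset")
    if total > len(buf) or bm_off < ev_off or bm_off > total:
        raise ValueError("totalSize/bookmarkOffset exceed buffer")
    (binxml_size,) = struct.unpack_from("<I", buf, ev_off)
    pos = ev_off + 4
    if pos + binxml_size + 4 > bm_off:  # eventData plus numberOfSubqueryIDs must fit
        raise ValueError("binXmlSize overruns bookmark")
    event_data = buf[pos:pos + binxml_size]
    pos += binxml_size
    (nsub,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if pos + 4 * nsub > bm_off:
        raise ValueError("subqueryIDs overrun bookmark")
    sub_ids = list(struct.unpack_from("<%dI" % nsub, buf, pos))
    return {"eventData": event_data, "subqueryIDs": sub_ids,
            "bookmark": parse_bookmark(buf, bm_off)}

def build_sample_record():
    """Constructed sample (not captured traffic): matched by subqueries 1 and default, 2 channels."""
    event_data = b"\xaa\xbb\xcc\xdd"  # stand-in bytes, not real BinXml
    sub_ids, records = [1, DEFAULT_SUBQUERY_ID], [1234, 98765]
    bookmark = struct.pack("<6I", BOOKMARK_HEADER_SIZE + 8 * len(records), BOOKMARK_HEADER_SIZE,
                           len(records), 1, 0, BOOKMARK_HEADER_SIZE)
    bookmark += struct.pack("<%dQ" % len(records), *records)
    body = struct.pack("<I", len(event_data)) + event_data
    body += struct.pack("<I", len(sub_ids)) + struct.pack("<%dI" % len(sub_ids), *sub_ids)
    bm_off = RESULT_HEADER_SIZE + len(body)
    header = struct.pack("<4I", bm_off + len(bookmark), RESULT_HEADER_SIZE, RESULT_HEADER_SIZE, bm_off)
    return header + body + bookmark
```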