This page describes the parameter passed to the InvokeRmOperation call and the value returned by OnRmOperationResult for snapinId = 15002.
- Note
When an operation fails, OnRmOperationResult arrives with a non-zero status and an Error object in value:
{
"Error" : {
"code" : 4101,
"message" : "Failed to send RM command"
}
}
When status is zero, value is as described in the documentation below.
Paged output
RM requests may yield a lot of data, so responses are restricted in size.
That is where StartAt, UpTo and Total are used.
StartAt
- -1 - execute the request on the host, cache the data, and return the starting part of it
- >=0 - return cached data starting from that position
UpTo says which StartAt to use next to continue data retrieval.
Total says how much data there is in all. When UpTo equals Total, all data has been retrieved.
Data types
EventType:int
- 0 Application
- 1 Security
- 2 System
- 3 File
Operation: Check if supported
snapinId=15002 opId=0
Checks whether the host supports the Event log subsystem (Snap-In) for RM calls.
Parameters
Returns
{
"Supported" : 1,
"Version" : 2
}
Supported - 1 if supported, 0 if not
Version - Event log snapin version
Operation: Get categories
snapinId=15002 opId=301
Parameters
{"CatInd":0,"SubCatInd":0,"EventType":0}
CatInd, SubCatInd - set both to 0 to run the query and cache the data; to continue retrieving, set them to the values returned in the previous response
EventType can be:
- 0 - Application log
- 1 - Security log
- 2 - System log
- any other value - all logs
Returns
{
"CatInd" : 17,
"Categories" : [
{
"Items" : [],
"SourceName" : ".NET Runtime"
},
{
"Items" : [],
"SourceName" : ".NET Runtime 2.0 Error Reporting"
},
{
"Items" : [],
"SourceName" : ".NET Runtime Optimization Service"
},
{
"Items" : [
{
"Index" : 1,
"Name" : "Devices"
},
{
"Index" : 2,
"Name" : "Disk"
},
{
"Index" : 3,
"Name" : "Printers"
},
{
"Index" : 4,
"Name" : "Services"
},
{
"Index" : 5,
"Name" : "Shell"
},
{
"Index" : 6,
"Name" : "System Event"
},
{
"Index" : 7,
"Name" : "Network"
}
],
"SourceName" : "Application"
},
...
}
],
"SubCatInd" : 9,
"Total" : 0
}
CatInd, SubCatInd - values to pass in the next request to continue data retrieval until Total = 1
Categories can be used to interpret the Type field of events obtained by the Get event operation: match the event's Source against SourceName and the event's Type against Index.
Total:
- 1 - all data received
- 0 - some data left; repeat the operation with the returned CatInd and SubCatInd
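The CatInd/SubCatInd/Total loop described above, as an added example that is not part of this page or the product SDK. invoke_rm_operation is an assumed stand-in for the InvokeRmOperation call plus its OnRmOperationResult callback, returning (status, value); it is backed by a constructed fake host that serves the categories in pages and, as a simplification, ignores SubCatInd.

```python
SNAPIN_EVENTLOG = 15002
OP_GET_CATEGORIES = 301

# Constructed sample data in the shape of the "Categories" array above.
FAKE_CATEGORIES = [
    {"SourceName": ".NET Runtime", "Items": []},
    {"SourceName": "Application", "Items": [{"Index": 1, "Name": "Devices"},
                                            {"Index": 2, "Name": "Disk"}]},
    {"SourceName": "Security", "Items": [{"Index": 1, "Name": "Logon"}]},
]

def fake_host(params, page_size=2):
    """Fake host (simplification): CatInd is the position in FAKE_CATEGORIES,
    SubCatInd is not used, and Total becomes 1 once everything has been sent."""
    start = params["CatInd"]
    page = FAKE_CATEGORIES[start:start + page_size]
    end = start + len(page)
    done = 1 if end >= len(FAKE_CATEGORIES) else 0
    return 0, {"CatInd": end, "SubCatInd": 0, "Categories": page, "Total": done}

def invoke_rm_operation(snapin_id, op_id, params):
    """Assumed stand-in for InvokeRmOperation/OnRmOperationResult: (status, value)."""
    if (snapin_id, op_id) != (SNAPIN_EVENTLOG, OP_GET_CATEGORIES):
        return 1, {"Error": {"code": 4101, "message": "Failed to send RM command"}}
    return fake_host(params)

def get_all_categories(invoke, event_type=0):
    """Send CatInd=SubCatInd=0 first, then resend the returned indices until Total == 1."""
    cat_ind, sub_cat_ind, collected = 0, 0, []
    while True:
        status, value = invoke(SNAPIN_EVENTLOG, OP_GET_CATEGORIES,
                               {"CatInd": cat_ind, "SubCatInd": sub_cat_ind,
                                "EventType": event_type})
        if status != 0:  # failure: value holds an Error object, not categories
            raise RuntimeError(value["Error"]["message"])
        collected.extend(value["Categories"])
        if value["Total"] == 1:
            return collected
        cat_ind, sub_cat_ind = value["CatInd"], value["SubCatInd"]

def category_lookup(categories):
    """Map (SourceName, Index) -> Name; the page keys this by an event's Source and Type."""
    return {(c["SourceName"], item["Index"]): item["Name"]
            for c in categories for item in c["Items"]}
```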
Operation: Get event type info
snapinId=15002 opId=303
Parameters
To get information on the standard logs, set EventType to 0, 1 or 2:
{"EventType":0, "FileName":""}
To get information on a custom event file, set EventType to 3:
{"EventType":3, "FileName":"c:\\somepath\\somefile.evtx"}
Returns
{
"DateAccessed" : 1303987836,
"DateCreated" : 1185996771,
"DateModified" : 1303987836,
"DisplayName" : "Application\r\n",
"FileSize" : 524288,
"LogFileName" : "C:\\WINDOWS\\system32\\config\\AppEvent.Evt",
"MaxLogSize" : 524288,
"Retention" : 604800
}
Operation: Set event type info
snapinId=15002 opId=304
Parameters
{"EventType":0,"Retention":604800,"MaxSize":"524288"}
Returns
Operation: Backup events
snapinId=15002 opId=305
When saving event log to the Host computer:
Parameters
{
"EventType" : 0,
"FileNameTo" : "c:\\backlogs\\App.evt",
"ToGuest" : 0
}
Returns
When saving event log to the Guest computer:
Step 1
Parameters
{
"EventType" : 0,
"FileNameTo" : "c:\\backlogs\\App.evt",
"ToGuest" : 1
}
Returns
Step 2
Parameters
{
"StartAt" : 0,
"ToGuest" : 1
}
Returns
{
"FileNameTo" : "c:\\backlogs\\App.evt",
"StartAt" : 0,
"Total" : 40959916,
"UpTo" : 4096
}
Step 3+
Parameters
{
"StartAt" : 4096,
"ToGuest" : 1
}
Returns
{
"FileNameTo" : "c:\\backlogs\\App.evt",
"StartAt" : 4096,
"Total" : 40959916,
"UpTo" : 8192
}
and so on until UpTo = Total.
EventType can be:
- 0 - Application log
- 1 - Security log
- 2 - System log
FileNameTo - the name of the file on the host or guest side that will receive the event backup
(the ".evt" extension is appended unless FileNameTo already has it)
Operation: Clear events
snapinId=15002 opId=306
Parameters
Returns
This command will remove ALL events from the specified log!
Operation: Get description
snapinId=15002 opId=308
Parameters
{
"EventType" : 0,
"FileName" : "",
"Index" : 5
}
Index - uniquely identifies an event of a given type; higher for newer events
EventType - see EventType:int under Data types
FileName - used when EventType = 3
Returns
{
"Data" : [],
"Description" : "The Security Center service has been stopped. It was prevented from running by a software group policy."
}
Data - some events may carry binary data
Operation: Get event indices
snapinId=15002 opId=309
- Note
This operation should be issued at least once for an EventType before the Get event and Get description operations are used with that EventType.
Parameters
{
"EventType" : 0,
"FileName" : "",
"StartAt" : -1
}
EventType - see EventType:int under Data types
FileName - used when EventType = 3
Returns
{
"Indexes" : [
82190,
82189,
82188,
82187,
...
81395
],
"StartAt" : 0,
"Total" : 27025,
"UpTo" : 796
}
Operation: Get event
snapinId=15002 opId=310
Parameters
{
"EventType" : 0,
"FileName" : "",
"Indexes" : [ 78200, 78199, 78198 ]
}
EventType - see EventType:int under Data types
FileName - used when EventType = 3
Indexes - array of event Indexes obtained from Get event indices
Returns
{
"Events" : [
{
"Category" : 1,
"Computer" : "HOST",
"DateTime" : 1347888107,
"EventId" : 101,
"Index" : 78200,
"Source" : "ESENT",
"Type" : 4,
"User" : ""
},
{
"Category" : 1,
"Computer" : "HOST",
"DateTime" : 1347888107,
"EventId" : 103,
"Index" : 78199,
"Source" : "ESENT",
"Type" : 4,
"User" : ""
},
{
"Category" : 0,
"Computer" : "HOST",
"DateTime" : 1347888071,
"EventId" : 1000,
"Index" : 78198,
"Source" : "Application Error",
"Type" : 1,
"User" : ""
}
]
}
DateTime - seconds elapsed since midnight, January 1, 1970
Type - event type:
- 0 success
- 1 error
- 2 warning
- 4 information
- 8 audit success
- 16 audit failure
EventId - event id; see Event Identifiers (Windows)
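The StartAt/UpTo/Total paging protocol from Paged output, applied to Get event indices (opId 309) and followed by Get event (opId 310) with the Type codes above, as an added example that is not part of this page or the product SDK; the same UpTo/Total loop shape applies to the Backup events Step 2/3+ exchange. invoke_rm_operation is an assumed stand-in for InvokeRmOperation plus OnRmOperationResult, returning (status, value), backed by a constructed fake host with constructed sample events.

```python
SNAPIN_EVENTLOG = 15002
OP_GET_EVENT_INDICES, OP_GET_EVENT = 309, 310
TYPE_NAMES = {0: "success", 1: "error", 2: "warning", 4: "information",
              8: "audit success", 16: "audit failure"}
RM_ERROR = {"Error": {"code": 4101, "message": "Failed to send RM command"}}

# Constructed sample events keyed by Index (higher Index = newer event).
FAKE_EVENTS = {i: {"Index": i, "Source": "ESENT", "EventId": 100 + i % 3,
                   "Type": 1 if i % 5 == 0 else 4, "Category": 1}
               for i in range(78190, 78200)}

def fake_host(op_id, params, page_size=4):
    if op_id == OP_GET_EVENT_INDICES:
        cached = sorted(FAKE_EVENTS, reverse=True)      # newest first, as on the page
        start = 0 if params["StartAt"] == -1 else params["StartAt"]
        page = cached[start:start + page_size]
        return 0, {"Indexes": page, "StartAt": start,
                   "UpTo": start + len(page), "Total": len(cached)}
    if op_id == OP_GET_EVENT and all(i in FAKE_EVENTS for i in params["Indexes"]):
        return 0, {"Events": [FAKE_EVENTS[i] for i in params["Indexes"]]}
    return 1, RM_ERROR                                   # non-zero status + Error object

def invoke_rm_operation(snapin_id, op_id, params):
    """Assumed stand-in for InvokeRmOperation/OnRmOperationResult: (status, value)."""
    return fake_host(op_id, params) if snapin_id == SNAPIN_EVENTLOG else (1, RM_ERROR)

def rm_call(invoke, op_id, params):
    status, value = invoke(SNAPIN_EVENTLOG, op_id, params)
    if status != 0:
        err = value["Error"]
        raise RuntimeError(f"RM error {err['code']}: {err['message']}")
    return value

def get_all_indices(invoke, event_type=0, file_name=""):
    """StartAt=-1 runs the query on the host; then resume at UpTo until UpTo == Total."""
    indices, start_at = [], -1
    while True:
        page = rm_call(invoke, OP_GET_EVENT_INDICES, {"EventType": event_type,
                       "FileName": file_name, "StartAt": start_at})
        indices.extend(page["Indexes"])
        if page["UpTo"] >= page["Total"]:
            return indices
        start_at = page["UpTo"]

def get_events(invoke, indices, event_type=0, file_name="", batch=3):
    """Fetch events a few Indexes at a time and attach a readable Type name."""
    events = []
    for i in range(0, len(indices), batch):
        value = rm_call(invoke, OP_GET_EVENT, {"EventType": event_type,
                        "FileName": file_name, "Indexes": indices[i:i + batch]})
        for ev in value["Events"]:
            events.append(dict(ev, TypeName=TYPE_NAMES.get(ev["Type"], "unknown")))
    return events
```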