File: libevt.3

.Dd April 22, 2019
.Dt libevt 3
.Os libevt
.Sh NAME
.Nm libevt.h
.Nd Library to access the Windows Event Log (EVT) format
.Sh SYNOPSIS
.In libevt.h
.Pp
Support functions
.Ft const char *
.Fn libevt_get_version "void"
.Ft int
.Fn libevt_get_access_flags_read "void"
.Ft int
.Fn libevt_get_codepage "int *codepage" "libevt_error_t **error"
.Ft int
.Fn libevt_set_codepage "int codepage" "libevt_error_t **error"
.Ft int
.Fn libevt_check_file_signature "const char *filename" "libevt_error_t **error"
.Pp
Available when compiled with wide character string support:
.Ft int
.Fn libevt_check_file_signature_wide "const wchar_t *filename" "libevt_error_t **error"
.Pp
Available when compiled with libbfio support:
.Ft int
.Fn libevt_check_file_signature_file_io_handle "libbfio_handle_t *file_io_handle" "libevt_error_t **error"
.Pp
Notify functions
.Ft void
.Fn libevt_notify_set_verbose "int verbose"
.Ft int
.Fn libevt_notify_set_stream "FILE *stream" "libevt_error_t **error"
.Ft int
.Fn libevt_notify_stream_open "const char *filename" "libevt_error_t **error"
.Ft int
.Fn libevt_notify_stream_close "libevt_error_t **error"
.Pp
Error functions
.Ft void
.Fn libevt_error_free "libevt_error_t **error"
.Ft int
.Fn libevt_error_fprint "libevt_error_t *error" "FILE *stream"
.Ft int
.Fn libevt_error_sprint "libevt_error_t *error" "char *string" "size_t size"
.Ft int
.Fn libevt_error_backtrace_fprint "libevt_error_t *error" "FILE *stream"
.Ft int
.Fn libevt_error_backtrace_sprint "libevt_error_t *error" "char *string" "size_t size"
.Pp
File functions
.Ft int
.Fn libevt_file_initialize "libevt_file_t **file" "libevt_error_t **error"
.Ft int
.Fn libevt_file_free "libevt_file_t **file" "libevt_error_t **error"
.Ft int
.Fn libevt_file_signal_abort "libevt_file_t *file" "libevt_error_t **error"
.Ft int
.Fn libevt_file_open "libevt_file_t *file" "const char *filename" "int access_flags" "libevt_error_t **error"
.Ft int
.Fn libevt_file_close "libevt_file_t *file" "libevt_error_t **error"
.Ft int
.Fn libevt_file_is_corrupted "libevt_file_t *file" "libevt_error_t **error"
.Ft int
.Fn libevt_file_get_ascii_codepage "libevt_file_t *file" "int *ascii_codepage" "libevt_error_t **error"
.Ft int
.Fn libevt_file_set_ascii_codepage "libevt_file_t *file" "int ascii_codepage" "libevt_error_t **error"
.Ft int
.Fn libevt_file_get_format_version "libevt_file_t *file" "uint32_t *major_format_version" "uint32_t *minor_format_version" "libevt_error_t **error"
.Ft int
.Fn libevt_file_get_flags "libevt_file_t *file" "uint32_t *flags" "libevt_error_t **error"
.Ft int
.Fn libevt_file_get_number_of_records "libevt_file_t *file" "int *number_of_records" "libevt_error_t **error"
.Ft int
.Fn libevt_file_get_record_by_index "libevt_file_t *file" "int record_index" "libevt_record_t **record" "libevt_error_t **error"
.Ft int
.Fn libevt_file_get_number_of_recovered_records "libevt_file_t *file" "int *number_of_records" "libevt_error_t **error"
.Ft int
.Fn libevt_file_get_recovered_record_by_index "libevt_file_t *file" "int record_index" "libevt_record_t **record" "libevt_error_t **error"
.Pp
Available when compiled with wide character string support:
.Ft int
.Fn libevt_file_open_wide "libevt_file_t *file" "const wchar_t *filename" "int access_flags" "libevt_error_t **error"
.Pp
Available when compiled with libbfio support:
.Ft int
.Fn libevt_file_open_file_io_handle "libevt_file_t *file" "libbfio_handle_t *file_io_handle" "int access_flags" "libevt_error_t **error"
.Pp
File functions - deprecated
.Ft int
.Fn libevt_file_get_recovered_record "libevt_file_t *file" "int record_index" "libevt_record_t **record" "libevt_error_t **error"
.Pp
Record functions
.Ft int
.Fn libevt_record_free "libevt_record_t **record" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_offset "libevt_record_t *record" "off64_t *offset" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_identifier "libevt_record_t *record" "uint32_t *identifier" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_creation_time "libevt_record_t *record" "uint32_t *posix_time" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_written_time "libevt_record_t *record" "uint32_t *posix_time" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_event_identifier "libevt_record_t *record" "uint32_t *event_identifier" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_event_type "libevt_record_t *record" "uint16_t *event_type" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_event_category "libevt_record_t *record" "uint16_t *event_category" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf8_source_name_size "libevt_record_t *record" "size_t *utf8_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf8_source_name "libevt_record_t *record" "uint8_t *utf8_string" "size_t utf8_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf16_source_name_size "libevt_record_t *record" "size_t *utf16_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf16_source_name "libevt_record_t *record" "uint16_t *utf16_string" "size_t utf16_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf8_computer_name_size "libevt_record_t *record" "size_t *utf8_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf8_computer_name "libevt_record_t *record" "uint8_t *utf8_string" "size_t utf8_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf16_computer_name_size "libevt_record_t *record" "size_t *utf16_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf16_computer_name "libevt_record_t *record" "uint16_t *utf16_string" "size_t utf16_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf8_user_security_identifier_size "libevt_record_t *record" "size_t *utf8_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf8_user_security_identifier "libevt_record_t *record" "uint8_t *utf8_string" "size_t utf8_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf16_user_security_identifier_size "libevt_record_t *record" "size_t *utf16_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf16_user_security_identifier "libevt_record_t *record" "uint16_t *utf16_string" "size_t utf16_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_number_of_strings "libevt_record_t *record" "int *number_of_strings" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf8_string_size "libevt_record_t *record" "int string_index" "size_t *utf8_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf8_string "libevt_record_t *record" "int string_index" "uint8_t *utf8_string" "size_t utf8_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf16_string_size "libevt_record_t *record" "int string_index" "size_t *utf16_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_utf16_string "libevt_record_t *record" "int string_index" "uint16_t *utf16_string" "size_t utf16_string_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_data_size "libevt_record_t *record" "size_t *data_size" "libevt_error_t **error"
.Ft int
.Fn libevt_record_get_data "libevt_record_t *record" "uint8_t *data" "size_t data_size" "libevt_error_t **error"
.Sh DESCRIPTION
The
.Fn libevt_get_version
function is used to retrieve the library version.
.Sh RETURN VALUES
Most of the functions return NULL or \-1 on error, depending on the return type.
Check the return value of each call before using anything written through its output arguments.
For the actual return values see "libevt.h".
.Sh ENVIRONMENT
None
.Sh FILES
None
.Sh NOTES
libevt can be compiled with wide character support (wchar_t).
.sp
To compile libevt with wide character support use:
.Ar ./configure --enable-wide-character-type=yes
 or define:
.Ar _UNICODE
 or
.Ar UNICODE
 during compilation.
.sp
.Ar LIBEVT_WIDE_CHARACTER_TYPE
 in libevt/features.h can be used to determine whether libevt was compiled with wide character support.
.Sh BUGS
Please report bugs of any kind on the project issue tracker: https://github.com/libyal/libevt/issues
.Sh AUTHOR
These man pages are generated from "libevt.h".
.Sh COPYRIGHT
Copyright (C) 2011-2020, Joachim Metz <joachim.metz@gmail.com>.
.sp
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
.Sh SEE ALSO
the libevt.h include file