Each event log file contains one or more so-called "chunks", which store the event records. During operation, only the current chunk of an event log file is mapped into memory.
Each chunk is 64 KiB in size. The first 0x200 bytes contain the chunk header, a string table and a template table:
| Offset | Type | Meaning |
|---|---|---|
| 0x000 | char[8] | Magic, const 'ElfChnk', 0x00 |
| 0x008 | int64 | NumLogRecFirst |
| 0x010 | int64 | NumLogRecLast |
| 0x018 | int64 | NumFileRecFirst |
| 0x020 | int64 | NumFileRecLast |
| 0x028 | uint32 | OfsTables, const 0x080 |
| 0x02c | uint32 | OfsRecLast |
| 0x030 | uint32 | OfsRecNext |
| 0x034 | uint32 | DataCRC |
| 0x038 | char[68] | unknown |
| 0x07c | uint32 | HeaderCRC |
| 0x080 | uint32[64] | StringTable |
| 0x180 | uint32[32] | TemplateTable |
The chunk header provides two sets of first/last record numbers. One refers to the log as a whole, which can consist of multiple log files, while the other refers to the actual log file. This difference will be made clear in a subsequent post, which will take a look at some special log files. In empty log files a value of -1 can be found in all four of these record-number fields with the exception of NumLogRecFirst, which is set to 1.
The HeaderCRC is a 32-bit CRC (CRC-32). It is calculated over the first 0x200 bytes of the chunk, with the exception of the 8 bytes starting at offset 0x78 (so the checksum itself and the DWORD preceding it are excluded, similar to the calculation of the checksum in the file header).
Another checksum, DataCRC, covers the data area from 0x200 up to the end of the last event record, i.e. up to OfsRecNext. A parser should recompute both before trusting a chunk: a mismatch indicates a truncated or corrupted chunk (or one that has been tampered with), and the records in it should be treated accordingly.
The StringTable and TemplateTable provide 64 and 32 hash buckets respectively. The event log service uses these tables to avoid the redundant declaration of certain strings and XML structures within the same chunk. Neither table is required to transform an event log file into a human-readable form.
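As an added example (not part of the original post), here is a small Python parser for the chunk header as laid out above. It decodes the fixed fields and both hash tables, recomputes HeaderCRC and DataCRC with CRC-32 exactly as described (skipping the 8 bytes at 0x78, and covering 0x200 up to OfsRecNext), and reports whether the stored values match. The `build_chunk` helper constructs synthetic chunks so the parser can be exercised offline; the record bodies it writes are opaque placeholder bytes rather than real event records, and its choice of OfsRecLast for an empty chunk is an assumption, not something stated in the post.

```python
import struct
import zlib

CHUNK_SIZE = 0x10000   # every chunk is 64 KiB
TABLES_OFS = 0x080     # OfsTables is a constant
HEADER_SIZE = 0x200    # header, StringTable and TemplateTable
MAGIC = b"ElfChnk\x00"

# Fixed part of the chunk header, little-endian, in table order:
# magic, NumLogRecFirst, NumLogRecLast, NumFileRecFirst, NumFileRecLast,
# OfsTables, OfsRecLast, OfsRecNext, DataCRC, 68 unknown bytes, HeaderCRC.
FIXED_FMT = "<8s4q4I68sI"
assert struct.calcsize(FIXED_FMT) == TABLES_OFS


def header_crc(chunk):
    """CRC-32 over the first 0x200 bytes, skipping the 8 bytes at 0x78..0x7f
    (the DWORD preceding HeaderCRC and HeaderCRC itself)."""
    return zlib.crc32(chunk[:0x78] + chunk[0x80:HEADER_SIZE]) & 0xFFFFFFFF


def data_crc(chunk, ofs_rec_next):
    """CRC-32 over the record area, from 0x200 up to the end of the last record."""
    return zlib.crc32(chunk[HEADER_SIZE:ofs_rec_next]) & 0xFFFFFFFF


def parse_chunk_header(chunk):
    """Decode the header of one 64 KiB chunk and verify both checksums."""
    if len(chunk) != CHUNK_SIZE:
        raise ValueError("chunk must be exactly 64 KiB")
    (magic, log_first, log_last, file_first, file_last,
     ofs_tables, ofs_rec_last, ofs_rec_next, crc_data, _unknown,
     crc_header) = struct.unpack_from(FIXED_FMT, chunk, 0)
    if magic != MAGIC:
        raise ValueError("bad chunk magic %r" % magic)
    if ofs_tables != TABLES_OFS:
        raise ValueError("unexpected OfsTables 0x%x" % ofs_tables)
    if not HEADER_SIZE <= ofs_rec_next <= CHUNK_SIZE:
        raise ValueError("OfsRecNext 0x%x outside chunk" % ofs_rec_next)
    string_table = struct.unpack_from("<64I", chunk, 0x080)
    template_table = struct.unpack_from("<32I", chunk, 0x180)
    return {
        "NumLogRecFirst": log_first,
        "NumLogRecLast": log_last,
        "NumFileRecFirst": file_first,
        "NumFileRecLast": file_last,
        "OfsRecLast": ofs_rec_last,
        "OfsRecNext": ofs_rec_next,
        "HeaderCRC": crc_header,
        "DataCRC": crc_data,
        "header_crc_ok": crc_header == header_crc(chunk),
        "data_crc_ok": crc_data == data_crc(chunk, ofs_rec_next),
        "empty": ofs_rec_next == HEADER_SIZE,   # no records written yet
        "string_buckets_used": sum(1 for v in string_table if v),
        "template_buckets_used": sum(1 for v in template_table if v),
    }


def build_chunk(log_first, log_last, file_first, file_last, records):
    """Construct a test chunk from opaque record blobs (placeholder bytes,
    not real event records). OfsRecLast points at the start of the last
    record and OfsRecNext just past it. Assumption: with no records both
    offsets are set to 0x200 (the post does not say what a real empty
    chunk stores in OfsRecLast)."""
    body = b"".join(records)
    if HEADER_SIZE + len(body) > CHUNK_SIZE:
        raise ValueError("records do not fit into one chunk")
    ofs_rec_next = HEADER_SIZE + len(body)
    ofs_rec_last = ofs_rec_next - len(records[-1]) if records else HEADER_SIZE
    chunk = bytearray(CHUNK_SIZE)
    chunk[HEADER_SIZE:ofs_rec_next] = body
    # Write the header with both CRC fields zeroed, then DataCRC, then HeaderCRC
    # (HeaderCRC must go last because it covers the DataCRC field at 0x34).
    struct.pack_into(FIXED_FMT, chunk, 0, MAGIC, log_first, log_last,
                     file_first, file_last, TABLES_OFS, ofs_rec_last,
                     ofs_rec_next, 0, b"\x00" * 68, 0)
    struct.pack_into("<I", chunk, 0x034, data_crc(chunk, ofs_rec_next))
    struct.pack_into("<I", chunk, 0x07c, header_crc(chunk))
    return bytes(chunk)


if __name__ == "__main__":
    # Constructed sample: two placeholder records, then one byte flipped.
    sample = build_chunk(1, 2, 1, 2, [b"record-A" * 4, b"record-B" * 8])
    print(parse_chunk_header(sample))
    damaged = bytearray(sample)
    damaged[0x210] ^= 0xFF
    print(parse_chunk_header(bytes(damaged))["data_crc_ok"])   # False
```

Reading a real .evtx file with this means skipping the 4 KiB file header and handing each following 64 KiB slice to `parse_chunk_header`; a chunk whose `header_crc_ok` or `data_crc_ok` is false should be carved with care rather than parsed blindly, and an `empty` chunk has nothing after 0x200 worth parsing.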
2010-08-29: edit to add DataCRC.
