The Inner Structure
By far the largest part of an event record consists of a complex binary XML structure. I'm going to explain its internals in a series of postings. I'm starting with an overview of the XML schema.
Fortunately the XML structure is not completely undocumented: the Microsoft Developer Network provides extensive documentation of the XML schema. The following figure shows the layout of an event log file:
<Events>
    <Event>
        <System> . . . </System>
        <EventData> . . . </EventData>
    </Event>
    <Event>
        <System> . . . </System>
        <UserData> . . . </UserData>
    </Event>
    <Event>
        ...
    </Event>
</Events>
The "Events" element spans the whole file. It acts as a container for the "Event" elements, each of which describes a single event. Every "Event" starts with a "System" element, which is filled in by the Windows event logging subsystem and contains a basic set of information such as a timestamp, the Event ID number and the subsystem the event message originated from. The System element will play a key role later on, when it comes to the reconstruction of partial log files.
One of the "EventData", "UserData", "BinaryEventData", "DebugData" or "ProcessingErrorData" structures may follow the "System" container. Of these, "EventData" is the element used most frequently.
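To make the schema concrete, here is an added Python example (not code from the original post) that walks a constructed rendered-XML log in exactly the Events/Event/System/payload layout sketched above. It pulls the basic System fields the text names (origin provider, Event ID, timestamp, record number), identifies which of the five payload containers follows System, and, as a first taste of why System matters for reconstructing partial files, lists record IDs missing from the sequence. The namespace URI, the element names inside System, and the assumption that EventRecordID is issued sequentially within a channel are this example's own assumptions; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of rendered Windows event XML (assumed here; the post does not name it).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The payload containers the post lists as possible successors of <System>.
PAYLOAD_KINDS = ("EventData", "UserData", "BinaryEventData", "DebugData", "ProcessingErrorData")

# Constructed sample file: three records, one using UserData instead of EventData,
# and a gap in the record numbering (103 is missing).
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event>
    <System>
      <Provider Name="Example-Provider"/>
      <EventID>1000</EventID>
      <TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/>
      <EventRecordID>101</EventRecordID>
      <Channel>Application</Channel>
    </System>
    <EventData>
      <Data Name="User">alice</Data>
      <Data Name="Status">0</Data>
    </EventData>
  </Event>
  <Event>
    <System>
      <Provider Name="Example-Provider"/>
      <EventID>1001</EventID>
      <TimeCreated SystemTime="2024-01-01T10:00:05.000Z"/>
      <EventRecordID>102</EventRecordID>
      <Channel>Application</Channel>
    </System>
    <UserData>
      <Custom><Reason>shutdown</Reason></Custom>
    </UserData>
  </Event>
  <Event>
    <System>
      <Provider Name="Example-Provider"/>
      <EventID>1000</EventID>
      <TimeCreated SystemTime="2024-01-01T10:00:09.000Z"/>
      <EventRecordID>104</EventRecordID>
      <Channel>Application</Channel>
    </System>
    <EventData>
      <Data Name="User">bob</Data>
      <Data Name="Status">5</Data>
    </EventData>
  </Event>
</Events>"""

def strip_ns(tag):
    """'{namespace}Tag' -> 'Tag'."""
    return tag.split("}", 1)[-1]

def parse_system(system):
    """Pull the basic fields the post attributes to <System>: origin, Event ID, timestamp."""
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time_created": system.find("e:TimeCreated", NS).get("SystemTime"),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "channel": system.findtext("e:Channel", default="", namespaces=NS),
    }

def parse_payload(event):
    """Find which of the five payload containers follows <System> and flatten it to a dict."""
    for kind in PAYLOAD_KINDS:
        node = event.find(f"e:{kind}", NS)
        if node is None:
            continue
        if kind == "EventData":
            # EventData is a flat list of <Data Name="..."> fields.
            data = {d.get("Name", f"field{i}"): (d.text or "")
                    for i, d in enumerate(node.findall("e:Data", NS))}
        else:
            # The other containers are provider-defined; keep a generic tag -> text flattening.
            data = {strip_ns(c.tag): "".join(c.itertext()).strip() for c in node}
        return kind, data
    return None, {}

def parse_events(xml_text):
    """Return one dict per <Event>, in file order."""
    root = ET.fromstring(xml_text)
    records = []
    for event in root.findall("e:Event", NS):
        rec = parse_system(event.find("e:System", NS))
        rec["payload_kind"], rec["data"] = parse_payload(event)
        records.append(rec)
    return records

def missing_record_ids(records):
    """Record IDs between the lowest and highest seen that are absent from the file.
    Assumes EventRecordID is issued sequentially within one channel (an assumption of
    this example); gaps then point at records lost from a partial or damaged file."""
    seen = {r["record_id"] for r in records}
    if not seen:
        return []
    return [i for i in range(min(seen), max(seen) + 1) if i not in seen]

if __name__ == "__main__":
    recs = parse_events(SAMPLE_XML)
    for rec in recs:
        print(rec)
    print("missing record IDs:", missing_record_ids(recs))
```

The payload lookup deliberately tries each container name in turn rather than assuming EventData, since a parser that only knows EventData silently drops UserData events, which is exactly the kind of record a log-reconstruction tool must not lose.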
The textual representation of an event message is transformed into a binary form by a three-step process:
- XML language elements are tokenized
- structure is separated from content through the substitution mechanism
- templates are defined for repeated XML structures
This transformation cuts down on both storage space and processing effort. The details of all three steps will be covered in later posts.
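The second and third steps (separating structure from content by substitution, and storing repeated structures as templates) can be illustrated with a toy model. The following Python is an added example, not the post's or the actual binary XML encoding: it replaces every attribute and text value of a rendered event with a numbered substitution marker, keeps the resulting skeleton once per distinct structure, and stores only the values per record. The rule "substitute every value" and the 8-byte template reference are simplifications chosen for this illustration; the real format decides per field which parts are template and which are substituted, and tokenization (step one) is not modelled here. The sample events are constructed.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

def strip_ns(tag):
    """'{namespace}Tag' -> 'Tag' (the samples here carry no namespace, but be safe)."""
    return tag.split("}", 1)[-1]

def templatize(element):
    """Split one event into (skeleton, values). The skeleton keeps the element layout with
    every attribute value and text node replaced by a numbered marker {n}; values holds
    what was removed, in marker order. Toy rule: every value is substituted."""
    values = []

    def walk(el):
        parts = [f"<{strip_ns(el.tag)}"]
        for name in sorted(el.attrib):          # sorted so identical layouts hash identically
            parts.append(f' {name}="{{{len(values)}}}"')
            values.append(el.attrib[name])
        parts.append(">")
        if el.text and el.text.strip():
            parts.append(f"{{{len(values)}}}")
            values.append(el.text.strip())
        for child in el:
            parts.append(walk(child))
        parts.append(f"</{strip_ns(el.tag)}>")
        return "".join(parts)

    return walk(element), values

def render(skeleton, values):
    """Inverse of templatize: put the values back into the markers."""
    return re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], skeleton)

def encode_log(events_xml):
    """Return (templates, records): templates maps a short template id to its skeleton,
    stored once; records holds one (template id, values) pair per event."""
    templates, records = {}, []
    for xml_text in events_xml:
        skeleton, values = templatize(ET.fromstring(xml_text))
        tid = hashlib.sha256(skeleton.encode()).hexdigest()[:8]
        templates.setdefault(tid, skeleton)
        records.append((tid, values))
    return templates, records

def size_report(templates, records):
    """Bytes of the fully rendered events versus templates-once plus per-record values
    (assuming an 8-byte template reference per record)."""
    raw = sum(len(render(templates[t], v)) for t, v in records)
    encoded = (sum(len(s) for s in templates.values())
               + sum(8 + sum(len(x) for x in v) for _, v in records))
    return raw, encoded

# Constructed sample: three events sharing one structure, plus one UserData event.
def sample_event(record_id, user, status):
    return (f"<Event><System><Provider Name='Example-Provider'/><EventID>1000</EventID>"
            f"<TimeCreated SystemTime='2024-01-01T10:00:0{record_id}Z'/>"
            f"<EventRecordID>{record_id}</EventRecordID></System>"
            f"<EventData><Data Name='User'>{user}</Data>"
            f"<Data Name='Status'>{status}</Data></EventData></Event>")

SAMPLE_EVENTS = [
    sample_event(1, "alice", 0),
    sample_event(2, "bob", 5),
    sample_event(3, "carol", 0),
    "<Event><System><Provider Name='Example-Provider'/><EventID>1001</EventID>"
    "<TimeCreated SystemTime='2024-01-01T10:00:04Z'/><EventRecordID>4</EventRecordID></System>"
    "<UserData><Custom><Reason>shutdown</Reason></Custom></UserData></Event>",
]

if __name__ == "__main__":
    templates, records = encode_log(SAMPLE_EVENTS)
    for tid, skeleton in templates.items():
        print(tid, skeleton)
    for tid, values in records:
        print(tid, values)
    print("raw vs encoded bytes:", size_report(templates, records))
```

Running it shows two templates for four events and a smaller encoded size than the rendered text; the savings grow with every additional event that reuses an existing template, which is the point of the three-step transformation.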