Windows 10 How to interpret a missing "qualifiers" field in an XML event log

  • Thread starter: benua (Guest)

Hi,

I have been working for a few weeks on XML event logs from evtx files.

In order to find the associated message that we can see in the Event Viewer tool, I need to combine two 16-bit IDs: the qualifier ID and the Event ID from the event XML.

But sometimes, the "qualifier" is missing. Does it mean I can assume that the qualifier is zero and so do zero padding?

From the eventschema-systempropertiestype-complextype page in the Microsoft docs (sorry, I can't put a link here), we can read that the "qualifier" field is optional. But it seems that we need it to determine the provider's event IDs and then get the string message.

So, how do you understand that? Does a missing field mean 0?

Thank you if you have the answer; I can't find it in the Microsoft docs.
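
Added example, not part of the original post: a Python sketch of the combination the question describes, which keeps a missing `Qualifiers` attribute distinct from an explicit `0` instead of silently zero-padding. It assumes `Qualifiers` forms the high 16 bits and the Event ID the low 16 bits of the message identifier; the sample events, provider names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XML namespace used by Windows event records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not taken from a real log).
SAMPLE_WITH_QUALIFIERS = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ExampleClassicSource"/>
    <EventID Qualifiers="16384">7036</EventID>
  </System>
</Event>"""

SAMPLE_WITHOUT_QUALIFIERS = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Example-Manifest-Provider"/>
    <EventID>1000</EventID>
  </System>
</Event>"""


def parse_event_id(event_xml):
    """Return (event_id, qualifiers); qualifiers is None if the attribute is absent."""
    node = ET.fromstring(event_xml).find("e:System/e:EventID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("event has no System/EventID value")
    event_id = int(node.text.strip())
    raw = node.get("Qualifiers")
    qualifiers = int(raw) if raw not in (None, "") else None
    # Both fields are 16-bit values; reject anything outside that range.
    for name, value in (("EventID", event_id), ("Qualifiers", qualifiers)):
        if value is not None and not 0 <= value <= 0xFFFF:
            raise ValueError(f"{name} out of 16-bit range: {value}")
    return event_id, qualifiers


def message_id(event_id, qualifiers):
    """Combine both IDs into one 32-bit value (assumed layout: Qualifiers high word).

    Returns None when Qualifiers was absent, so the caller must decide how to
    resolve the message rather than inheriting an implicit zero.
    """
    if qualifiers is None:
        return None
    return (qualifiers << 16) | event_id
```

Recording "absent" separately from "0" in the parsed output lets later analysis tell which events carried the attribute, whichever interpretation turns out to be correct.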
