I'm trying to use the new event log API to get the oldest record number from a Windows event log, but cannot get the API to return the same answer as Event Viewer displays (looking at the EventRecordID in the Details tab). Some sample code I'm using is below:
#include <windows.h>
#include <winevt.h>
#include <stdio.h>
#pragma comment(lib, "wevtapi.lib")

// _logName is a wide-string channel name such as L"Application" (assigned elsewhere)
EVT_HANDLE log = EvtOpenLog(NULL, _logName, EvtOpenChannelPath);
EVT_VARIANT buf;
DWORD need = 0;
DWORD vlen = sizeof(EVT_VARIANT);
ZeroMemory(&buf, vlen);
// Ask for the oldest record number; buf is only meaningful if the call succeeds
if (!EvtGetLogInfo(log, EvtLogOldestRecordNumber, vlen, &buf, &need))
    fprintf(stderr, "EvtGetLogInfo failed: %lu\n", GetLastError());
UINT64 old = buf.UInt64Val;
EvtClose(log);
What the API appears to be doing is returning the record number of the oldest event in the log, but not the oldest accessible event... What I mean by that is, let's say you have 10 records in your log, 1-10, and you clear your log. The next 10 events inserted will be 11-20. If you use the API, it will return 1, not 11 like Event Viewer displays. If you try to retrieve event 1 using EvtQuery/EvtNext it will fail and not return an event -- as I would expect.
Does anyone have experience with this method? What am I doing wrong? I have used the method successfully with other properties (e.g. EvtLogNumberOfLogRecords), but cannot get this property (EvtLogOldestRecordNumber) to behave as expected.
http://msdn.microsoft.com/en-us/library/aa385385(v=VS.85).aspx
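The discrepancy the question describes is worth checking from the monitoring side as well: the value the API reports as the oldest record number and the RecordId of the first event that can actually be read should agree, and when they do not, the gap is itself evidence that the log was cleared (record numbering continues after a clear, as the question notes). The script below is an added example, not code from the original post; it performs that cross-check through Get-WinEvent, whose System.Diagnostics.Eventing.Reader backend wraps the same Windows Event Log API (EvtGetLogInfo, EvtQuery/EvtNext). The function name Get-OldestRecordCheck is my own and the script assumes a Windows host where Get-WinEvent is available.

```powershell
# Added example (not from the original post): compare the oldest record number the
# Event Log API reports with the RecordId of the first event that can actually be read.
function Get-OldestRecordCheck {
    param(
        [Parameter(Mandatory)][string]$LogName   # channel name, e.g. 'Application'
    )

    # Channel metadata as the API reports it: OldestRecordNumber corresponds to
    # EvtLogOldestRecordNumber, RecordCount to EvtLogNumberOfLogRecords
    $info = Get-WinEvent -ListLog $LogName -ErrorAction Stop

    # First event that can really be retrieved, oldest first (empty log -> $null)
    $first = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LogName               = $LogName
        ReportedOldestRecord  = $info.OldestRecordNumber
        ReportedRecordCount   = $info.RecordCount
        FirstReadableRecordId = if ($first) { $first.RecordId } else { $null }
        # A mismatch means records older than the first readable one are gone,
        # i.e. the channel has been cleared since it was created
        Mismatch              = ($null -ne $first) -and ($first.RecordId -ne $info.OldestRecordNumber)
    }
}

# Usage: run the check over every enabled, non-empty channel and list only the
# channels whose reported oldest record does not match the first readable record.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
    ForEach-Object { Get-OldestRecordCheck -LogName $_.LogName } |
    Where-Object Mismatch |
    Format-Table -AutoSize
```

A row with Mismatch set is a hint to look for the clear itself: Windows writes event 1102 to the Security log when the audit log is cleared and event 104 (source Microsoft-Windows-Eventlog, in the System log) when another channel is cleared, and the two signals together make a much stronger case than either alone. Reading the first event with -Oldest is also the reliable way to get the number Event Viewer shows, since it reports what the query path returns rather than what the log header says.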