// Graphviz (DOT) rendering of a Kaitai Struct-style type map for the classic
// Windows .evt event-log container (WindowsEvtLog). There is one dotted
// cluster per type; each *__seq node lists that type's fixed fields as
// (pos | size | type | id) rows, and each *__inst__* node lists a read whose
// position and size are taken from other fields. The bold edges at the end
// of the file link a field to the type it contains; the "#404040"-coloured
// edges link a field to the body choice or instance position/size that
// depends on its value.
//
// NOTE(review): the label bodies below look like HTML-like labels whose
// <TABLE>/<TR>/<TD> markup was lost in extraction -- the port names the
// edges reference (e.g. `:header_type`, `:case0`, `:user_sid_pos`) do not
// occur anywhere in the labels as shown, so this file as-is will not render
// with the edges attached. Regenerate from the source .ksy rather than
// hand-repairing the tables.
digraph {
rankdir=LR;
node [shape=plaintext];
// Top level: a 48-byte Header followed by Records "repeat to end of stream".
// There is no record count, so a consumer advances by each record's own
// length field (see Record) and needs a clean stop on a truncated tail.
subgraph cluster__windows_evt_log {
label="WindowsEvtLog";
graph[style=dotted];
windows_evt_log__seq [label=<
pos | size | type | id |
0 | 48 | Header | header |
48 | ... | Record | records |
repeat to end of stream |
>];
// Header: 48 bytes, all u4le except the untyped 4-byte magic and Flags.
// The header length is stored twice (len_header at 0, len_header_2 at 44);
// presumably both hold the same value, so a consumer can cross-check them
// before trusting ofs_start/ofs_end, cur_rec_idx/oldest_rec_idx and
// len_file_max, for which the graph records no range checks.
subgraph cluster__header {
label="WindowsEvtLog::Header";
graph[style=dotted];
header__seq [label=<
pos | size | type | id |
0 | 4 | u4le | len_header |
4 | 4 | | magic |
8 | 4 | u4le | version_major |
12 | 4 | u4le | version_minor |
16 | 4 | u4le | ofs_start |
20 | 4 | u4le | ofs_end |
24 | 4 | u4le | cur_rec_idx |
28 | 4 | u4le | oldest_rec_idx |
32 | 4 | u4le | len_file_max |
36 | 4 | Flags | flags |
40 | 4 | u4le | retention |
44 | 4 | u4le | len_header_2 |
>];
// Flags: 28 reserved bits, then four 1-bit flags in byte 3 (bits 4..7,
// read big-bit-endian): archive, log_full, wrap, dirty.
subgraph cluster__flags {
label="WindowsEvtLog::Header::Flags";
graph[style=dotted];
flags__seq [label=<
pos | size | type | id |
0 | 28b | b28 | reserved |
3:4 | 1b | BitsType1(BigBitEndian) | archive |
3:5 | 1b | BitsType1(BigBitEndian) | log_full |
3:6 | 1b | BitsType1(BigBitEndian) | wrap |
3:7 | 1b | BitsType1(BigBitEndian) | dirty |
>];
}
}
// Record: len_record at 0, a u4le type at 4, a body selected by switch on
// type, and a trailing len_record2. The leading and trailing lengths are the
// only framing; a parser should verify they agree and that len_record covers
// at least the 12 bytes of fixed fields (two leading u4le, one trailing)
// before consuming the body.
subgraph cluster__record {
label="WindowsEvtLog::Record";
graph[style=dotted];
record__seq [label=<
pos | size | type | id |
0 | 4 | u4le | len_record |
4 | 4 | u4le | type |
8 | ... | switch (type) | body |
... | 4 | u4le | len_record2 |
>];
// Body selection by the u4le `type` value:
//   1699505740 = 0x654C664C -- the ASCII bytes "LfLe" read little-endian
//   286331153  = 0x11111111 -- selects CursorRecordBody
// What happens for a type value with no listed case is not visible in this
// graph -- confirm against the generator output.
record__seq_body_switch [label=<
case | type |
1699505740 | RecordBody |
286331153 | CursorRecordBody |
>];
}
// RecordBody: 48 bytes of fixed fields. len_user_sid/ofs_user_sid and
// len_data/ofs_data drive the two instance reads below; ofs_strings and
// num_strings have no corresponding instance in this graph.
subgraph cluster__record_body {
label="WindowsEvtLog::RecordBody";
graph[style=dotted];
record_body__seq [label=<
pos | size | type | id |
0 | 4 | u4le | idx |
4 | 4 | u4le | time_generated |
8 | 4 | u4le | time_written |
12 | 4 | u4le | event_id |
16 | 2 | u2le→EventTypes | event_type |
18 | 2 | u2le | num_strings |
20 | 2 | u2le | event_category |
22 | 6 | | reserved |
28 | 4 | u4le | ofs_strings |
32 | 4 | u4le | len_user_sid |
36 | 4 | u4le | ofs_user_sid |
40 | 4 | u4le | len_data |
44 | 4 | u4le | ofs_data |
>];
// user_sid: read at (ofs_user_sid - 8) for len_user_sid bytes. The 8 matches
// the two u4le fields (len_record, type) that precede body in Record, so the
// stored offset is presumably record-relative and the subtraction makes it
// body-relative. Offset and length are both taken straight from the file;
// before this read a consumer must check ofs_user_sid >= 8 (u4le cannot go
// negative) and (ofs_user_sid - 8) + len_user_sid <= the body size implied
// by len_record. The graph records the dependency, not the check.
record_body__inst__user_sid [label=<
pos | size | type | id |
(ofs_user_sid - 8) | len_user_sid | | user_sid |
>];
// data: same pattern as user_sid -- position (ofs_data - 8), size len_data,
// both file-supplied, so the same underflow and bounds checks apply.
record_body__inst__data [label=<
pos | size | type | id |
(ofs_data - 8) | len_data | | data |
>];
}
// CursorRecordBody: a 12-byte untyped magic followed by four u4le fields
// naming the first/next record offsets and indices. The graph shows no
// check that these offsets fall inside the file or agree with the Header.
subgraph cluster__cursor_record_body {
label="WindowsEvtLog::CursorRecordBody";
graph[style=dotted];
cursor_record_body__seq [label=<
pos | size | type | id |
0 | 12 | | magic |
12 | 4 | u4le | ofs_first_record |
16 | 4 | u4le | ofs_next_record |
20 | 4 | u4le | idx_next_record |
24 | 4 | u4le | idx_first_record |
>];
}
}
// Containment / type edges (bold): field -> the type it holds, and switch
// case -> the body type it selects.
windows_evt_log__seq:header_type -> header__seq [style=bold];
windows_evt_log__seq:records_type -> record__seq [style=bold];
header__seq:flags_type -> flags__seq [style=bold];
record__seq:body_type -> record__seq_body_switch [style=bold];
record__seq_body_switch:case0 -> record_body__seq [style=bold];
record__seq_body_switch:case1 -> cursor_record_body__seq [style=bold];
// Dependency edges: a field's value selects the body type, or supplies the
// position (*_pos) / size (*_size) of an instance read.
record__seq:type_type -> record__seq:body_type [color="#404040"];
record_body__seq:ofs_user_sid_type -> record_body__inst__user_sid:user_sid_pos [color="#404040"];
record_body__seq:len_user_sid_type -> record_body__inst__user_sid:user_sid_size [color="#404040"];
record_body__seq:ofs_data_type -> record_body__inst__data:data_pos [color="#404040"];
record_body__seq:len_data_type -> record_body__inst__data:data_size [color="#404040"];
}