Describe the enhancement:
I would like to be able to test using the EvtSubscribeStrict flag in EvtSubscribe calls in order to detect when the Winlogbeat registry contains bookmarks that are no longer valid. I want to test if bookmarks are invalid after an event log has been cleared/rotated. When an error is returned, I would expect the reader to start from the beginning of the log (not use any bookmark).
EvtSubscribeStrict
Forces the EvtSubscribe call to fail if you specify EvtSubscribeStartAfterBookmark and the bookmarked event is not found (the return value is ERROR_NOT_FOUND). Also, set this flag if you want to receive notification in your callback when event records are missing.
Describe a specific use case for the enhancement or feature:
I'm hoping to prevent data loss in cases where a bookmark causes the reader to begin in the middle of the log rather than the beginning. I haven't confirmed if there is a bug or if bookmarks actually become invalid in some cases, so this is an experiment.
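As an added illustration (not Winlogbeat's code), the fallback policy described above in Go: subscribe after the bookmark with EvtSubscribeStrict and, on ERROR_NOT_FOUND, drop the bookmark and restart from the oldest record. The real EvtSubscribe is replaced by an injected function plus a FakeLog that simulates a cleared channel so it runs without Windows; the flag values are from winevt.h, while the fake accepting a stale bookmark in non-strict mode is a demo assumption, not documented behaviour.

```go
package main

import (
	"errors"
	"regexp"
	"strconv"
)

// EVT_SUBSCRIBE_FLAGS values from the Windows SDK header winevt.h.
const (
	EvtSubscribeStartAtOldestRecord uint32 = 2
	EvtSubscribeStartAfterBookmark  uint32 = 3
	EvtSubscribeOriginMask          uint32 = 3
	EvtSubscribeStrict              uint32 = 0x2000
)
// ErrNotFound stands in for Win32 ERROR_NOT_FOUND (1168), which a strict subscribe returns for a missing bookmark.
var ErrNotFound = errors.New("ERROR_NOT_FOUND (1168)")
// Subscriber abstracts EvtSubscribe so the policy can run without wevtapi.dll (injected, not the real API).
type Subscriber func(flags uint32, bookmarkXML string) (uintptr, error)

// SubscribeWithFallback subscribes after the bookmark under EvtSubscribeStrict so a
// bookmark that no longer exists (log cleared or rotated) fails with ERROR_NOT_FOUND
// instead of silently resuming mid-log; it then restarts from the oldest record.
func SubscribeWithFallback(sub Subscriber, bookmarkXML string) (h uintptr, usedBookmark bool, err error) {
	if bookmarkXML != "" {
		if h, err = sub(EvtSubscribeStartAfterBookmark|EvtSubscribeStrict, bookmarkXML); err == nil {
			return h, true, nil
		}
		if !errors.Is(err, ErrNotFound) {
			return 0, false, err // unrelated failure: surface it rather than mask it
		}
	}
	h, err = sub(EvtSubscribeStartAtOldestRecord, "")
	return h, false, err
}

// FakeLog simulates a channel holding records Oldest..Newest; clearing the log moves Oldest past the bookmark.
type FakeLog struct{ Oldest, Newest uint64 }
var recordIDRe = regexp.MustCompile(`RecordId='(\d+)'`)
func (l FakeLog) Subscribe(flags uint32, bookmarkXML string) (uintptr, error) {
	if flags&EvtSubscribeOriginMask != EvtSubscribeStartAfterBookmark {
		return 1, nil // handle 1: reading from the oldest record
	}
	m := recordIDRe.FindStringSubmatch(bookmarkXML) // constructed bookmarks always carry RecordId
	id, _ := strconv.ParseUint(m[1], 10, 64)
	if flags&EvtSubscribeStrict != 0 && (id < l.Oldest || id > l.Newest) {
		return 0, ErrNotFound
	}
	return 2, nil // handle 2: positioned after the bookmark (assumed: non-strict never rejects)
}
```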
References