#pragma autorecover
#pragma namespace("\\\\.\\root\\cimv2")

[singleton,Locale(1033),UUID("{8502C57A-5FBB-11D2-AAC1-006008C78BC7}")] 
class NTEventlogProviderConfig
{
  datetime LastBootUpTime;
};

Instance of __Win32Provider as $DataProv
{
  Name = "MS_NT_EVENTLOG_PROVIDER";
  ClsId = "{FD4F53E0-65DC-11d1-AB64-00C04FD9159E}";
  ImpersonationLevel = 1;
  PerUserInitialization = "TRUE";
};

Instance of __MethodProviderRegistration
{
  Provider = $DataProv;
};

Instance of __InstanceProviderRegistration
{
  Provider = $DataProv;
  SupportsPut = TRUE;
  SupportsGet = TRUE;
  SupportsDelete = FALSE;
  SupportsEnumeration = TRUE;
  QuerySupportLevels = {"WQL:UnarySelect"};
};

[dynamic,provider("MS_NT_EVENTLOG_PROVIDER"),Locale(1033),UUID("{8502C57B-5FBB-11D2-AAC1-006008C78BC7}")] 
class Win32_NTEventlogFile : CIM_DataFile
{
  [read] string LogfileName;
  [read,write] uint32 MaxFileSize;
  [read] uint32 NumberOfRecords;
  [read,volatile,ValueMap{"0", "1..365", "4294967295"}] string OverWritePolicy;
  [read,write,Units("Days"),Range("0-365 | 4294967295")] uint32 OverwriteOutDated;
  [read] string Sources[];
  [implemented,Privileges{"SeSecurityPrivilege", "SeBackupPrivilege"}] uint32 ClearEventlog([in] string ArchiveFileName);
  [implemented,Privileges{"SeSecurityPrivilege", "SeBackupPrivilege"}] uint32 BackupEventlog([in] string ArchiveFileName);
};

[dynamic,provider("MS_NT_EVENTLOG_PROVIDER"),EnumPrivileges{"SeSecurityPrivilege"},Locale(1033),UUID("{8502C57C-5FBB-11D2-AAC1-006008C78BC7}")] 
class Win32_NTLogEvent
{
  [key] uint32 RecordNumber;
  [key] string Logfile;
  uint32 EventIdentifier;
  uint16 EventCode;
  string SourceName;
  [ValueMap{"1", "2", "4", "8", "16"}] string Type;
  uint16 Category;
  string CategoryString;
  datetime TimeGenerated;
  datetime TimeWritten;
  string ComputerName;
  string User;
  string Message;
  string InsertionStrings[];
  Uint8 Data[];
};

[dynamic,provider("MS_NT_EVENTLOG_PROVIDER"),EnumPrivileges{"SeSecurityPrivilege"},Locale(1033),UUID("{8502C57D-5FBB-11D2-AAC1-006008C78BC7}"),Association : ToInstance] 
class Win32_NTLogEventLog
{
  [key,read] Win32_NTEventlogFile Ref Log;
  [key,read] Win32_NTLogEvent Ref Record;
};

[dynamic,provider("MS_NT_EVENTLOG_PROVIDER"),EnumPrivileges{"SeSecurityPrivilege"},Locale(1033),UUID("{8502C57E-5FBB-11D2-AAC1-006008C78BC7}"),Association : ToInstance] 
class Win32_NTLogEventUser
{
  [key,read] Win32_UserAccount Ref User;
  [key,read] Win32_NTLogEvent Ref Record;
};

[dynamic,provider("MS_NT_EVENTLOG_PROVIDER"),EnumPrivileges{"SeSecurityPrivilege"},Locale(1033),UUID("{8502C57F-5FBB-11D2-AAC1-006008C78BC7}"),Association : ToInstance] 
class Win32_NTLogEventComputer
{
  [key,read] Win32_ComputerSystem Ref Computer;
  [key,read] Win32_NTLogEvent Ref Record;
};

Instance of __Win32Provider as $EventProv
{
  Name = "MS_NT_EVENTLOG_EVENT_PROVIDER";
  ClsId = "{F55C5B4C-517D-11d1-AB57-00C04FD9159E}";
};

Instance of __EventProviderRegistration
{
  Provider = $EventProv;
  EventQueryList = {"select * from __InstanceCreationEvent where TargetInstance isa \"Win32_NTLogEvent\""};
};