EventRecordID uniqueness
Can someone please clarify if EventRecordIDs are unique per eventlog? By eventlog, I am referring to the evtx file. In other words, are EventRecordIDs unique per event (e.g. "a system service was started") or per eventlog (Application, Security, System, Forwarded Events, etc.), or are these unique per host? I couldn't find any related documentation on MSDN.
March 9th, 2011 9:54pm

Unfortunately I cannot offer any more insight on this, but I do second the motion for the question. Does anyone know more about EventRecordID? I've looked through MSDN documentation as well, but haven't been able to find much on details. In fact this post was one of the few search results I've found. Beyond the uniqueness of the property, I would also be interested to know the limits of the number. Does the number ever restart? What's the maximum? From what I've found it appears to start at either 0 or 1 per log per system, and index up by 1 for each event. My main focus of interest has to do with ForwardedEvents and the Windows Event Collector. Events that are forwarded to the ForwardedEvents log appear to retain their original EventRecordID. That makes it difficult to index through the events in the order they were logged. Anyone have any more information on the element other than this? http://msdn.microsoft.com/en-us/library/aa384579(v=vs.85).aspx
May 18th, 2011 8:39pm

Ok, I probably just answered one of my questions... maximum.... base="unsignedLong" :) Still curious to find out if anyone has any more information on this element though. How it is assigned, uniqueness, etc.
May 18th, 2011 9:00pm
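
Added example, not part of the thread and not Microsoft code: a Python sketch of indexing forwarded events by the composite key (Computer, Channel, EventRecordID) and spotting missing record IDs per source. It assumes, following the observations in the posts above, that EventRecordID counts up by 1 within each log on each machine and that forwarded events keep the source machine's value; the host names and events are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(computer, channel, record_id):
    # Constructed sample: only the System fields this example reads.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
        f'<EventRecordID>{record_id}</EventRecordID><Channel>{channel}</Channel>'
        f'<Computer>{computer}</Computer></System></Event>'
    )

# Constructed events as they might appear together in a ForwardedEvents log.
SAMPLE = [
    _event("hostA.example", "Security", 101),
    _event("hostB.example", "Security", 101),
    _event("hostA.example", "System", 101),
    _event("hostA.example", "Security", 102),
    _event("hostA.example", "Security", 105),
]

def parse(xml_text):
    """Return ((computer, channel), record_id) for one rendered event."""
    s = ET.fromstring(xml_text).find("e:System", NS)
    src = (s.findtext("e:Computer", namespaces=NS), s.findtext("e:Channel", namespaces=NS))
    return src, int(s.findtext("e:EventRecordID", namespaces=NS))

def index_events(xml_events):
    """Group record ids per source and list bare ids shared by several sources."""
    by_source, by_bare_id = defaultdict(set), defaultdict(set)
    for src, rid in map(parse, xml_events):
        by_source[src].add(rid)
        by_bare_id[rid].add(src)
    collisions = {rid: sorted(srcs) for rid, srcs in by_bare_id.items() if len(srcs) > 1}
    return {src: sorted(ids) for src, ids in by_source.items()}, collisions

def gaps(sorted_ids):
    """Ids missing between consecutive ids of one source. A gap can also mean
    the subscription filter excluded those events, not only that they were lost."""
    return [m for a, b in zip(sorted_ids, sorted_ids[1:]) for m in range(a + 1, b)]

if __name__ == "__main__":
    sources, collisions = index_events(SAMPLE)
    print("bare EventRecordID collisions:", collisions)
    for src, ids in sorted(sources.items()):
        print(src, ids, "missing:", gaps(ids))
```
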
