Archived from groups: microsoft.public.win2000.security
I'm reading the event log on a 2k3 domain controller using the
ReadEventLog API call from a C program. One of the events of interest is
Security event 540 - network logon - generated by Win2k clients.
According to the MSDN documentation the parameters returned should be:
User name
Domain
Logon ID
Logon type
Logon process
Auth package
Workstation name
However the Event Log Viewer on the server also reports these items for
event 540:
Logon GUID
Caller user name
Caller domain
Caller logon ID
Transited services
Source IP address
Source port
Looking at a binary dump of the event log entry there is no sign of
these extra items in the log. Does anyone know where they are coming
from and how I can retrieve them?
(The particular problem I have is that the 'workstation' field is blank
so I need the IP address field to do a reverse-lookup).
--
Dave
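An added example, not part of the original post: one way to count and dump the insertion strings a single record actually carries, using the `NumStrings` and `StringOffset` fields of the `EVENTLOGRECORD` header, so the count can be compared with the seven documented parameters. The function names `evt_strings` and `make_sample` and all sample values are constructed for illustration; the parser takes one record as it appears in the buffer filled by ReadEventLog.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets in the 56-byte fixed EVENTLOGRECORD header (little-endian). */
enum { OFF_LENGTH = 0, OFF_EVENTID = 20, OFF_NUMSTRINGS = 26, OFF_STRINGOFFSET = 36, HDR_SIZE = 56 };
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Copies up to max insertion strings (UTF-16LE, NUL-terminated) into out as ASCII.
   Returns the record's NumStrings, or -1 if a field points outside the record. */
int evt_strings(const uint8_t *rec, size_t len, char out[][64], int max) {
    if (len < HDR_SIZE) return -1;
    size_t rlen = rd32(rec + OFF_LENGTH), pos = rd32(rec + OFF_STRINGOFFSET);
    if (rlen < HDR_SIZE || rlen > len || pos < HDR_SIZE) return -1;
    int n = rd16(rec + OFF_NUMSTRINGS);
    for (int i = 0; i < n; i++) {
        size_t k = 0;
        for (;;) {
            if (pos > rlen || rlen - pos < 2) return -1;   /* string runs past the record */
            uint16_t c = rd16(rec + pos); pos += 2;
            if (c == 0) break;
            if (i < max && k < 63) out[i][k++] = c < 0x80 ? (char)c : '?';
        }
        if (i < max) out[i][k] = '\0';
    }
    return n;
}

/* Builds a constructed event 540 record whose strings start right after the header (a real
   record has the source and computer names there). cap must cover header plus strings. */
size_t make_sample(uint8_t *buf, size_t cap, const char *const *s, int n) {
    size_t pos = HDR_SIZE;
    memset(buf, 0, cap);
    for (int i = 0; i < n; i++)
        for (size_t j = 0; j <= strlen(s[i]); j++, pos += 2) buf[pos] = (uint8_t)s[i][j];
    buf[OFF_LENGTH] = (uint8_t)pos; buf[OFF_LENGTH + 1] = (uint8_t)(pos >> 8);
    buf[OFF_EVENTID] = 540 & 0xff; buf[OFF_EVENTID + 1] = 540 >> 8;
    buf[OFF_NUMSTRINGS] = (uint8_t)n; buf[OFF_STRINGOFFSET] = HDR_SIZE;
    return pos;
}

int main(void) {
    /* Constructed values: seven fields in the order the post lists, then two extras. */
    const char *s[] = { "jsmith", "EXAMPLE", "(0x0,0x1A2B3C)", "3", "Kerberos", "Kerberos", "", "192.0.2.10", "1045" };
    uint8_t rec[512]; char out[16][64];
    int n = evt_strings(rec, make_sample(rec, sizeof rec, s, 9), out, 16);
    for (int i = 0; i < n && i < 16; i++) printf("%%%d = \"%s\"\n", i + 1, out[i]);
    return n < 0;
}
```

A return value above seven means the record holds more strings than the documented list; -1 means the header fields do not fit the bytes supplied.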