9

I have a service application that is processing client requests over TCP and writing any events into Windows EventLog. Since this application is expected to service many clients and lots of requests from each client in a short amount of time (let's say between 1 and 50 requests per second), I'm curious to know how intensive (CPU wise and time wise) and how fast can writing into Windows EventLog be?

More specifically, how intensive are the operations of connecting to, reading from and writing to EventLog?

LightBulb
  • What events are you writing to the event log? A pointer to the answer to your question might be that IIS and similar servers write to text logs, not the event log. – Lazarus Nov 30 '10 at 12:31
  • Only simple text messages for the moment. Using a simple text file (log file) is also an option, but I still want to know more about EventLog. – LightBulb Nov 30 '10 at 12:35

4 Answers

12

Don't do that. The event log is not designed for such an activity:

  1. It has a maximum size.
  2. When the maximum size is reached, it can overwrite events or stop logging, depending on settings (recent Windows can also archive the log and start a new one). If events are not overwritten, they can fill your partition or block other applications until the logs are manually cleared.

The event log is not a general logging facility. It should be used to report errors, situations that need attention, and even informative reports, but not every little bit of information one has to write somewhere. If you have heavy log needs, use your own log facilities and report issues - if any - in the event log with a "pointer" where to find detailed data if needed.

NOTE: if the event log is really needed, at least the application should use its own log destination, not one of the standard ones (application or even worse system). This way it won't impact other applications' operations, and won't "hide" other applications' events by "flooding" the log with its events, making it more difficult to spot the others without looking for them.

  • 1
    +1 Good advice, my app once filled the event log at a client's site and it caused no end of trouble! – David Heffernan Nov 30 '10 at 19:37
  • I agree with your recommendation. In my case, I have to maintain an existing service application that is writing to the EventLog, so I wanted to know if and how much can that influence the overall application performance. – LightBulb Nov 30 '10 at 22:29
  • You risk affecting the overall working of Windows and all applications running on the machine. Up to you and your customers, anyway. –  Nov 30 '10 at 22:44
  • See also my note about using an event log dedicated to the application to avoid "flooding" the standard ones. –  Dec 01 '10 at 08:03
10

Event Tracing for Windows would likely be a better repository for this level of traffic.

Event Tracing for Windows (ETW) is an efficient kernel-level tracing facility that lets you log kernel or application-defined events to a log file. You can consume the events in real time or from a log file and use them to debug an application or to determine where performance issues are occurring in the application.

Sample pseudo-code:

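const
    // Provider GUID that identifies this application's ETW provider
    MyApplicationProviderGUID: TGUID = '{47A0DECE-4DCF-4782-BCF4-82AECA6BAAB7}';
private
    // Registration handle returned by EventRegister
    FETWRegistrationHandle: THandle;

...

// Register the provider once, e.g. at service start-up
EventRegister(MyApplicationProviderGUID, nil, nil, {out}FETWRegistrationHandle);
...
// Each call writes one string event (Level = 0, Keyword = 0)
EventWriteString(FETWRegistrationHandle, 0, 0, 'Hello');
EventWriteString(FETWRegistrationHandle, 0, 0, ', ');
EventWriteString(FETWRegistrationHandle, 0, 0, 'world');
EventWriteString(FETWRegistrationHandle, 0, 0, '!');
...
// Unregister with the handle returned by EventRegister, not the provider GUID
EventUnregister(FETWRegistrationHandle);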
Ian Boyd
Steve Townsend
  • This sounds very interesting. I have to read more about it since it sounds like a very nice method for collecting and analyzing real-time application performance (among other things). – LightBulb Nov 30 '10 at 22:35
  • 1
    Yes, it's not as simple to use as the Event Log, but a lot more performant. – Steve Townsend Nov 30 '10 at 23:30
6

I made a test with my 2 event log classes, one writing to file (each log_event() writes to and flushes an already opened file) and one based on EventLog (ReportEvent() call on an already registered EventSource). In my case the file log was about 10 times faster than EventLog. In a multithreaded environment I would add a critical section to protect writing to the file.

In my opinion files are better: they are easily parsed in tools such as grep. Speed is less important for me.

Michał Niklas
  • This is the kind of answer I was looking for. I also agree that using log files is a better, faster and simpler method, but I was given a task to maintain an existing service application which is writing all events into Windows EventLog. I assumed that it is a "heavy-weight" logging facility so that's why I asked my question. – LightBulb Nov 30 '10 at 22:38
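
The comparison described in the answer above, combined with the dedicated, size-bounded log recommended in the first answer, as an added example that is not part of the original thread. The log name, source name, file path, event ID and event count are assumptions; it uses the .NET System.Diagnostics.EventLog class from an elevated Windows PowerShell session.

```powershell
# Added example: all names below are hypothetical, not from the thread.
# Run elevated: registering an event source requires administrator rights.
$logName  = 'DemoServiceLog'                      # dedicated log, not Application/System
$source   = 'DemoService'                         # event source for the service
$filePath = Join-Path $env:TEMP 'demo-service.log'
$count    = 1000                                  # events written per test

# Register the source against its own log so it cannot crowd out other applications.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    [System.Diagnostics.EventLog]::CreateEventSource($source, $logName)
}

$log = New-Object System.Diagnostics.EventLog($logName)
$log.Source = $source

# Bound the log and choose the full-log behaviour explicitly:
# 16 MB cap (value must be a multiple of 64 KB), oldest events overwritten when full.
$log.MaximumKilobytes = 16384
$log.ModifyOverflowPolicy([System.Diagnostics.OverflowAction]::OverwriteAsNeeded, 0)

# Time $count writes through the already-open event source.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
for ($i = 0; $i -lt $count; $i++) {
    $log.WriteEntry("request $i handled",
        [System.Diagnostics.EventLogEntryType]::Information, 1000)
}
$sw.Stop()
$eventLogMs = $sw.Elapsed.TotalMilliseconds

# Time the same number of writes to an already-open file, flushing after each line.
$writer = New-Object System.IO.StreamWriter($filePath, $true)
$sw.Restart()
try {
    for ($i = 0; $i -lt $count; $i++) {
        $writer.WriteLine("request $i handled")
        $writer.Flush()
    }
} finally { $writer.Dispose() }
$sw.Stop()
$fileMs = $sw.Elapsed.TotalMilliseconds

'{0} events: EventLog {1:N0} ms ({2:N3} ms/event), file {3:N0} ms ({4:N3} ms/event)' -f
    $count, $eventLogMs, ($eventLogMs / $count), $fileMs, ($fileMs / $count)
$log.Dispose()
```

The per-event figures depend on the machine, the disk and the log's current size, so compare them against the service's expected request rate rather than against the ratio quoted in the answer.
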
1

Maybe Microsoft Message Queuing (MSMQ) is an alternative to the Windows EventLog. It is available in all current versions of Windows, and offers high speed, loosely coupled messaging.

mjn