Enhance reading speed from event log?

Question

I have an application reading some data from the event log, this application performance is too bad if the event log was too large, i.e. more than 30,000 entry.

I am searching for a faster way to get the info from it,

I have used for now two ways, using WMI the query was {Select message from Win32_NTLogEvent Where Logfile = 'System' and EventCode = '1' }

I used System.Diagnostic.Eventlog.GetEventLogs(); which also takes too much time

What should I use to enhance the search speed?

have you seen this: http://stackoverflow.com/questions/5411384/which-approach-is-better-to-read-windows-event-log-in-c-wmi-or-eventlog — Giedrius, Nov 29 '12 at 07:25
@Giedrius , Thanks for replying, I tried it, but it do not bring all the information I need, I need at least the record ID and the event ID and the message — Abdallah Nasir, Nov 29 '12 at 08:40
Can you please post a time needed for your program to execute on 30,000 events in eventlog? — westwood, Nov 29 '12 at 09:40
Regarding @Giedrius' suggestion: the `EventLogReader` returns an `EventLogRecord`, which contains both the fields you mention. — Christian.K, Nov 29 '12 at 10:30
@Christian.K yes, you are right, I did not notice that, Thanks a lot. I will try it. — Abdallah Nasir, Dec 02 '12 at 06:36

score 1 · Accepted Answer · answered Nov 29 '12 at 14:30

1

This simple piece of code takes 4.6 seconds on 100,000 events on AMD Athlon X3 (i5 is more faster).

string queryString = "*";
int eventsCount = 0;
Stopwatch stopWatch = new Stopwatch();
stopWatch.Start();
EventLogQuery eventsQuery = new EventLogQuery("MyLog", PathType.LogName, queryString);
EventLogReader logReader = new EventLogReader(eventsQuery);

for (EventRecord eventInstance = logReader.ReadEvent();
                null != eventInstance; eventInstance = logReader.ReadEvent())
{
  if (eventInstance.Id == 100) //random event id                 
     ++eventsCount;

}
stopWatch.Stop();

Console.WriteLine("Found events: {0}", eventsCount);
Console.WriteLine("Time elapsed: {0}", stopWatch.Elapsed);

For better performance you can use a properly created XPATH Query, by your own or via windows eventviewer (create Custom view than choose XML tab)

answered Nov 29 '12 at 14:30

westwood

1,774
15
29

This way helped me saving some seconds, for example, one PCs with the old way needed 21 seconds to perform the search needed, but using your way it became 15 seconds, still I need a faster way, but I assume there is not, :)\ – Abdallah Nasir Dec 04 '12 at 06:20
@AbdallahNasir actually, you can do some multithreading programming ;) For example, separate log reading in several threads, first thread reading first 0 - 4999 events, second reading events from 5000 to 9999 events, etc. – westwood Dec 04 '12 at 08:35
I have not thought about that, since I have not done something similar yet, Thanks :) – Abdallah Nasir Dec 04 '12 at 10:25

Enhance reading speed from event log?

1 Answers1