Query EventLog on Windows Server 2003 using C#

Question

I'm now building a Windows Event Log viewer and we have quite a few Window Server 2003 boxes. I'm using EventLogReader class to do the querying, but it requires Vista+ so cannot be run on Windows Server 2003. Although EventLog class is available but it is very slow. Any other choices do I have?

Update: I'm not querying all the event logs, instead I'm querying event logs in a date range, is there a way to make it faster given that we only need event logs fall into a range? Now using EventLog class is extremely slow even for local box, unbearable for remote one.

Answer 1

I just had a play with logparser. Log Parser Studio that I suggested earlier is a UI for these set of tasks.

Here is a logparser query:

logparser.exe -i:EVT “SELECT TimeGenerated,EventID,EventType,EventTypeName,EventCategory,EventCategoryName,SourceName,
Strings,ComputerName,SID,Message FROM \\servername\Application WHERE TimeGenerated > ’2012-07-12 00:00:00′ AND EventType IN (1;2) ORDER BY TimeGenerated DESC” -o:CSV -q:ON -stats:OFF >> c:\temp\Events.csv

Replace the '\servername\Application' with your server details.

The -i:EVT tells it to query event log.

Here is a quick LogParser reference that I use.

Answer 2

The EventLog class is slow. The speed of access depends on the size of the event log. In most server scenarios, they are allowed to get quite large before archiving. The native Windows Event Viewer also supports remote log viewing which allows you to demonstrate how slow remote log viewing is.

I think it is likely that the Entries property of an EventLog is ordered by date. That means you could implement binary search of the entries (which Linq does NOT do by default) to speed things up a ton. Here's an example of a binary search extension: Can LINQ use binary search when the collection is ordered?

Answer 3

This is either a duplicate if or related to Which approach is better to read Windows Event log in C#? WMI or EventLog.

In addition to the information provided by the link above consider limiting the amount of information before the log file events roll over.

Answer 4

You can check out a tool I wrote for logparser. It has a SQL-Like create screen that will give you good query examples you can use.

If you include LogParser in your application be careful about how you deploy it: logparser binaries distribution, you can see I included it separately.

#1 why I'm stuck with EventLog class since EventLogReader is not supported on Win Server 2003

I suggest you just borrow the code from Visual Log Parser.

#2 it needs to query over multiple servers at once

LogParser is perfect for querying multiple servers & multiple logs. It is very handy viewing all logs combined and sorting by Time or even Grouping by occurrence.

#3 I'm not querying all the event logs, instead I'm querying event logs in a date range, is there a way to make it faster given that we only need event logs fall into a range?

Yes, LogParser full on fly's, faster than a speeding train! Here is how you query Evt logs by DateRange:

SELECT Extract_FileName(EventLog) AS EventLog, RecordNumber, TimeGenerated, EventID, EventType, EventTypeName, EventCategoryName, SourceName, ComputerName, Message FROM
\\servername\Application
WHERE TimeWritten > '2011-01-25 12:01:00'
AND TimeWritten < '2012-01-25 12:01:00'

#4 I tried it out and that Log Parser Studio seems only work on log files, not on local system or remote server.

Log Parser Studio is just a GUI for logparser, it should work, try this raw query (without LP Studio using LogParser directly) to get all logs in your domain:

LogParser "SELECT SourceName,TimeGenerated,TimeWritten,Message INTO filename.csv FROM \\Server\Application where Message Like '%mydomain.com%'" -o:CSV