Reading the Windows Event Log


Hey

I am trying to read the Windows Event Log. In fact, I am able to read the
Event Log. My problem is that I am reading and filtering a large log and it
takes a very very very very long time to complete. I am using the ordinary
technique for reading/writing from and to the Event Log. I am wondering if
there is a better way to speed things up. Below is an excerpt of the code I
am using (notice that I am filtering by Category and TimeGenerated; again
this works fine on small logs but is painfully sloooooooowwwww on large ones):

DateTime eventDate = DateTime.MinValue;
EventLog eventLog = new EventLog(logName, machine);

foreach (EventLogEntry logEntry in eventLog.Entries)
{
    if (logEntry.Category == "Logon/Logoff" && logEntry.TimeGenerated > eventDate)
    {
        // print the values
        Console.Write(Convert.ToString(logEntry.EntryType) + "\t" +
            logEntry.TimeGenerated.ToString() + "\t" + logEntry.Category + "\t" +
            logEntry.UserName + "\n");
    }
}

Please help.

Thanks
KK
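The loop above touches every record in the log, oldest first, even though only the entries newer than eventDate can match. The following is an added example (not code from the thread) that keeps the same System.Diagnostics EventLog API but walks the log newest-first and stops at the first entry older than the cutoff; it also compares CategoryNumber rather than the localized Category string. The log name, machine, cutoff and category number 2 (Logon/Logoff in the classic Security log) are assumed values.

```csharp
using System;
using System.Diagnostics;

// Added example, not code from the thread. Same EventLog API as the question,
// but the log is walked from the newest entry backwards and the walk stops at
// the first entry older than the cutoff, so old records are never read.
static class RecentLogonEvents
{
    // Returns the number of entries printed. categoryNumber 2 is the classic
    // Security log's Logon/Logoff category; comparing the number instead of
    // the Category string avoids depending on how that text is localized.
    public static int PrintSince(EventLog eventLog, DateTime eventDate, short categoryNumber)
    {
        int matched = 0;
        EventLogEntryCollection entries = eventLog.Entries;

        for (int i = entries.Count - 1; i >= 0; i--)
        {
            EventLogEntry e = entries[i];

            // Entries are stored in write order, so once we are older than the
            // cutoff nothing further back can match (clock changes aside).
            if (e.TimeGenerated < eventDate)
                break;

            if (e.CategoryNumber != categoryNumber)
                continue;

            Console.WriteLine("{0}\t{1:u}\t{2}\t{3}",
                e.EntryType, e.TimeGenerated, e.Category, e.UserName);
            matched++;
        }
        return matched;
    }

    static void Main(string[] args)
    {
        // Assumed values: local Security log, entries from the last 24 hours.
        using (EventLog log = new EventLog("Security", "."))
        {
            int n = PrintSince(log, DateTime.Now.AddHours(-24), 2);
            Console.WriteLine("{0} matching entries", n);
        }
    }
}
```

Each indexed access still goes through the event log API, so this helps most when the wanted entries are a small, recent slice of a large log; for an old cutoff it degrades to a full scan.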
 
I suppose you are connecting to a remote system, in this case you might
speed up the process considerably by using System.Management and WMI.
Here is a complete sample, but I suggest you consult MSDN and the Platform
SDK docs to get an idea what is done at the WMI level.


using System;
using System.Management;
using System.IO;
class App {
[MTAThread]
private static void Main(string[] args)
{
// Beware! the account used to connect must have remote WMI privileges on
the remote server.

RunProcess M = new RunProcess("adminuser", "adminpwd", "remservername");
M.Run();
}
}
sealed class RunProcess
{
private ConnectionOptions co;
private ManagementScope scope;

public RunProcess(string ConnectionUser, string ConnectionPassword, string
Machine )
{
co = new ConnectionOptions();
co.Username = ConnectionUser;
co.Password = ConnectionPassword;
co.Impersonation = ImpersonationLevel.Impersonate;
scope = new ManagementScope(@"\\" + Machine + @"\root\cimv2", co);
scope.Connect();
}
public void Run()
{
string logFileName = "security";
// default blocksize = 1, larger value may increase network throughput
EnumerationOptions opt = new EnumerationOptions();
opt.BlockSize = 1000;
// Get only Logon/LogOff category from security log
SelectQuery query = new SelectQuery("select CategoryString,
TimeGenerated, User, Type from Win32_NtLogEvent where Logfile ='" +
logFileName + "' " + "and category = 2");
using(ManagementObjectSearcher searcher = new
ManagementObjectSearcher(scope, query, opt))
{
foreach (ManagementObject mo in searcher.Get()) {
string logInfo = String.Format("{0} - {1} - {2}", mo["Type"],
mo["CategoryString"], mo["User"]);
Console.WriteLine(logInfo);
}
}
}
}

Willy.

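Willy's query filters on category but leaves out the TimeGenerated cutoff from the original question. The following added example (not code from the thread or from Willy) pushes both filters into the WQL query so the WMI provider does the filtering, and shows the DMTF datetime format that WMI expects in the comparison. The local scope, the 24-hour window, the category number 2 (Logon/Logoff in the classic Security log) and the helper names are assumptions of this example.

```csharp
using System;
using System.Management;

// Added example, not code from the thread. Both of the question's filters
// (category and TimeGenerated) are placed in the WQL query so that the WMI
// provider filters records before they are returned to the caller.
static class FilteredEventQuery
{
    // Build the WQL text. WMI compares TimeGenerated against a DMTF datetime
    // string (yyyymmddHHMMSS.ffffff+UTCoffset); ManagementDateTimeConverter
    // produces that format from a DateTime.
    public static string BuildQuery(string logFile, int category, DateTime since)
    {
        string dmtf = ManagementDateTimeConverter.ToDmtfDateTime(since);

        // Log name comes from code here; escape it anyway so a value taken
        // from configuration cannot break out of the WQL string literal.
        string safeLog = logFile.Replace("\\", "\\\\").Replace("'", "\\'");

        return "SELECT TimeGenerated, EventCode, Type, CategoryString, User " +
               "FROM Win32_NtLogEvent " +
               "WHERE Logfile = '" + safeLog + "' " +
               "AND Category = " + category + " " +
               "AND TimeGenerated >= '" + dmtf + "'";
    }

    static void Main(string[] args)
    {
        // Assumed: local machine with the caller's own credentials. For a
        // remote host build the scope from ConnectionOptions as in the reply.
        ManagementScope scope = new ManagementScope(@"\\.\root\cimv2");
        scope.Connect();

        // Assumed window: Logon/Logoff (category 2) events from the last 24 hours.
        DateTime since = DateTime.Now.AddHours(-24);
        ObjectQuery query = new ObjectQuery(BuildQuery("Security", 2, since));

        EnumerationOptions opt = new EnumerationOptions();
        opt.BlockSize = 1000;          // records per round trip
        opt.ReturnImmediately = true;  // start consuming as batches arrive
        opt.Rewindable = false;        // forward-only enumeration, no caching

        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query, opt))
        {
            foreach (ManagementObject mo in searcher.Get())
            {
                DateTime when = ManagementDateTimeConverter.ToDateTime((string)mo["TimeGenerated"]);
                Console.WriteLine("{0:u}\t{1}\t{2}\t{3}\t{4}",
                    when, mo["EventCode"], mo["Type"], mo["CategoryString"], mo["User"]);
            }
        }
    }
}
```

Keeping the query text in BuildQuery makes it easy to inspect or log the exact WQL sent to the provider when a filter returns nothing, which is the usual symptom of a malformed DMTF timestamp.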