Posted On January 31, 2022

PowerShell: Windows Get-EventLog vs Get-WinEvent

kimconnect

Get-EventLog is the legacy Windows log querying cmdlet, and its advanced filtering options are limited. Get-WinEvent, the newer cmdlet, can use hashtable, XPath and XML filters that are applied at the source, so only exactly matching records are returned. Because the resulting object is indexed, targeted events can, in theory, be returned very quickly and efficiently. However, Get-EventLog isn't always slower than Get-WinEvent, as the illustrations below show:

# Get-WinEvent Method
$logType='Application'
$source='Waveaccess - CRM Integration Service'   # not used in this variant; the hashtable filters on log, ID and time only
$message="Can't connect to Trixbox"
$eventId=0
$minutesRelevancy=20000
$limit=1

# Log name, event ID and start time are matched at the source by the Event Log service
$filter = @{
    LogName   = $logType
    ID        = $eventId
    StartTime = [datetime]::Now.AddMinutes(-$minutesRelevancy)
}

# Message text cannot be matched in the hashtable, so it is filtered client-side after retrieval
measure-command { Get-WinEvent -FilterHashtable $filter -ComputerName $env:computername -EA Ignore|?{$_.Message -match $message}|select -first $limit }

# Testing on a Server with True-positives
Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 274
Ticks             : 2748585
TotalDays         : 3.18123263888889E-06
TotalHours        : 7.63495833333333E-05
TotalMinutes      : 0.004580975
TotalSeconds      : 0.2748585
TotalMilliseconds : 274.8585

# Testing on a Server with True-negatives
Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 22
Milliseconds      : 11
Ticks             : 220112284
TotalDays         : 0.000254759587962963
TotalHours        : 0.00611423011111111
TotalMinutes      : 0.366853806666667
TotalSeconds      : 22.0112284
TotalMilliseconds : 22011.2284

# Get-EventLog Method
$logType='Application'
$source='Waveaccess - CRM Integration Service'
$message="Can't connect to Trixbox"
$eventId=0
$minutesRelevancy=20000
$limit=1

# -Source and -Message are matched by the cmdlet; the time window is applied client-side after -Newest has already picked the most recent match
measure-command {Get-EventLog -LogName $logType -InstanceId $eventId -Source $source -Message "*$message*" -Newest $limit|?{$_.TimeWritten -ge [datetime]::Now.AddMinutes(-$minutesRelevancy)} }

# Testing on a Server with True-positives
Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 151
Ticks             : 1513339
TotalDays         : 1.75154976851852E-06
TotalHours        : 4.20371944444444E-05
TotalMinutes      : 0.00252223166666667
TotalSeconds      : 0.1513339
TotalMilliseconds : 151.3339

# Testing on a server with True-negatives
Days              : 0
Hours             : 0
Minutes           : 1
Seconds           : 20
Milliseconds      : 884
Ticks             : 808844706
TotalDays         : 0.000936162854166667
TotalHours        : 0.0224679085
TotalMinutes      : 1.34807451
TotalSeconds      : 80.8844706
TotalMilliseconds : 80884.4706

Conclusion: the run-time speeds on true-positives are similar. Yet on true-negative results, Get-WinEvent is 267% faster than Get-EventLog.
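As an added example (not code from the original post), the XML/XPath filtering mentioned above pushes the provider, event ID and time window to the Event Log service, which the hashtable version left partly to the client, and caps the scan so a true-negative query cannot read the whole window. The function name, its parameters and the -MaxEvents cap are this example's own choices; the default values are the ones used in the post.

```powershell
function Find-EventByMessage {
    param(
        [string]$LogName      = 'Application',
        [string]$ProviderName = 'Waveaccess - CRM Integration Service',
        [int]$EventId         = 0,
        [string]$MessageText  = "Can't connect to Trixbox",
        [int]$MinutesBack     = 20000,
        [int]$Limit           = 1,
        [int]$MaxScan         = 5000,   # example's own cap; bounds the true-negative case
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # timediff() in the Event Log XPath subset is measured in milliseconds from now.
    $windowMs = [int64]$MinutesBack * 60 * 1000
    # Escape values before placing them in XML text; an apostrophe in the provider
    # name would still need separate handling inside the XPath string literal.
    $escLog      = [System.Security.SecurityElement]::Escape($LogName)
    $escProvider = [System.Security.SecurityElement]::Escape($ProviderName)
    $xml = @"
<QueryList>
  <Query Id="0" Path="$escLog">
    <Select Path="$escLog">
      *[System[Provider[@Name='$escProvider'] and EventID=$EventId
        and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
    </Select>
  </Query>
</QueryList>
"@
    # Provider, ID and window are matched by the service; only the message text,
    # which the XPath subset cannot pattern-match, is filtered client-side.
    # -MaxEvents limits how many events a non-matching query can pull before giving up.
    Get-WinEvent -FilterXml $xml -MaxEvents $MaxScan -ComputerName $ComputerName -ErrorAction Ignore |
        Where-Object { $_.Message -match [regex]::Escape($MessageText) } |
        Select-Object -First $Limit -Property TimeCreated, Id, ProviderName, Message
}

# Time it the same way the post does, then show the hits.
Measure-Command { Find-EventByMessage | Out-Null } | Select-Object TotalMilliseconds
Find-EventByMessage
```

Raise -MaxScan if the provider is noisy enough that a genuine match could sit beyond the cap; the trade-off is the same full-window read the post measured.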
