Get-WinEvent is very very slow - More than 45 minutes searching for event 4729 in a 1 million event log (512 MB size) - Super Hardware

  • Question

  • Someone removed a user from a group, we're trying to track down who did it

    I'm using:

    get-eventlog -LogName security -ComputerName SERVERNAME | Where-Object {$_.EventID -eq 4729} | Export-Csv -Path c:\temp\SERVERNAME_4729.log -NoTypeInformation

    or

    get-eventlog -LogName security -ComputerName SERVERNAME | Where-Object {$_.EventID -eq 4729}

    The DC has 4 GB of RAM, 4 vCPUs in a Dell PE R420 with SAS 15K disks; it's very fast hardware/response time

    The DC has more than 955.000 events in the last 15 days, 512 MB file size for the .EVTX

    The search takes more than 45 minutes to finish

    Is it acceptable? I have the feeling that this procedure will take no more than 5 minutes to do the search and grab the results


    Tuesday, August 26, 2014 2:12 PM

Answers

  • This will be much faster:

    get-eventlog -LogName security -ComputerName SERVERNAME -InstanceID 4729 |
         Export-Csv -Path c:\temp\SERVERNAME_4729.CSV -NoTypeInformation

    The method you used returns every record in the log then filters.  This method filters the remote search remotely and in the query.  It only returns records that have that ID.


    ¯\_(ツ)_/¯

    • Marked as answer by KayZerSoze Tuesday, August 26, 2014 3:46 PM
    Tuesday, August 26, 2014 2:30 PM
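As an added example, not code from this thread: the same server-side filtering done with Get-WinEvent (the cmdlet named in the title) via -FilterHashtable, followed by parsing each 4729 event's XML to report which account removed which member from which group. SERVERNAME, the 15-day window and the output path are assumptions.

```powershell
# Added example (not from the thread): server-side filtering with Get-WinEvent,
# plus extraction of actor, group and removed member from the 4729 event XML.
# SERVERNAME and the 15-day window are assumptions; adjust for your environment.
param(
    [string]$ComputerName = 'SERVERNAME',
    [int]$Days = 15
)

# The filter hashtable is evaluated by the event log service on the DC, so only
# matching records cross the wire, unlike piping every record into Where-Object.
$filter = @{
    LogName   = 'Security'
    Id        = 4729            # A member was removed from a security-enabled global group
    StartTime = (Get-Date).AddDays(-$Days)
}

# -ErrorAction Stop turns "no events found" into a catchable error instead of a silent return.
try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    Write-Warning "No 4729 events or query failed on ${ComputerName}: $($_.Exception.Message)"
    return
}

# Pull the named EventData fields out of each event's XML payload.
$report = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        Actor        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Group        = "$($data.TargetDomainName)\$($data.TargetUserName)"
        Member       = $data.MemberName        # distinguishedName of the removed account
        ActorLogonId = $data.SubjectLogonId    # correlate with a 4624 logon to find the source host
    }
}

$report | Sort-Object TimeCreated | Format-Table -AutoSize
$report | Export-Csv -Path "c:\temp\${ComputerName}_4729.csv" -NoTypeInformation
```

Event 4729 only covers security-enabled global groups; the same script works for 4733 (local) and 4757 (universal) by changing the Id, since those events carry the same EventData field names.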

All replies

  • It was really fast!

    I've tested on another server, 256 MB of logs, 550.000 events, and it returned the information in less than 3 minutes

    Tuesday, August 26, 2014 3:46 PM
  • It was really fast!

    I've tested on another server, 256 MB of logs, 550.000 events, and it returned the information in less than 3 minutes

    Now you know how PowerShell works.  Keep it a secret or we will send Kevin Spacey to drive you crazy.


    ¯\_(ツ)_/¯

    Tuesday, August 26, 2014 4:13 PM