Getting performance issue while using Get-WinEvent for fetching Event Viewer data

  • Question

  • Hi, 

    I am working on a script to fetch logon events from the Event Viewer of a server that has a bulk amount of events. For this I am using the Get-WinEvent command, but I am getting bad performance. It's taking too much time to fetch the data, and the CPU utilisation and memory utilisation are also very high. Below is the code.

    # Time window as [datetime] values (example values; the original post did not show how these were set)
    $startTmp = (Get-Date).AddDays(-1)
    $endTmp   = Get-Date

    # Table that receives one row per logon event (its definition was not shown in the original post)
    $LogonActivityTable = New-Object System.Data.DataTable
    [void]$LogonActivityTable.Columns.Add('TimeCreated', [datetime])
    [void]$LogonActivityTable.Columns.Add('status',      [string])
    [void]$LogonActivityTable.Columns.Add('ID',          [int])
    foreach ($col in 'UserName','DomainName','IpAddress','IpPort') {
        [void]$LogonActivityTable.Columns.Add($col, [string])
    }

    # FilterHashtable filters inside the event log service; pass IDs and times as typed values, not strings
    $log = Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$startTmp; EndTime=$endTmp; ID=4624,4625,4648}

    foreach ($i in $log) {
        if ($i.Id -eq 4624) {
            # Successful logon: TargetUserName[5], TargetDomainName[6], IpAddress[18], IpPort[19]
            $row = $LogonActivityTable.NewRow()
            $row.TimeCreated = $i.TimeCreated
            $row.status      = 'logon_Success'
            $row.ID          = $i.Id
            $row.UserName    = $i.Properties[5].Value
            $row.DomainName  = $i.Properties[6].Value
            $row.IpAddress   = $i.Properties[18].Value
            $row.IpPort      = $i.Properties[19].Value
            $LogonActivityTable.Rows.Add($row)
        }
        elseif ($i.Id -eq 4625) {
            # Logon failure: the IP address and port sit two positions later than in 4624
            $row = $LogonActivityTable.NewRow()
            $row.TimeCreated = $i.TimeCreated
            $row.status      = 'logon failed'
            $row.ID          = $i.Id
            $row.UserName    = $i.Properties[5].Value
            $row.DomainName  = $i.Properties[6].Value
            $row.IpAddress   = $i.Properties[19].Value
            $row.IpPort      = $i.Properties[20].Value
            $LogonActivityTable.Rows.Add($row)
        }
        elseif ($i.Id -eq 4648) {
            # Logon using explicit credentials: IpAddress[12], IpPort[13]
            $row = $LogonActivityTable.NewRow()
            $row.TimeCreated = $i.TimeCreated
            $row.status      = 'Logon-Success'
            $row.ID          = $i.Id
            $row.UserName    = $i.Properties[5].Value
            $row.DomainName  = $i.Properties[6].Value
            $row.IpAddress   = $i.Properties[12].Value
            $row.IpPort      = $i.Properties[13].Value
            $LogonActivityTable.Rows.Add($row)
        }
    }
    $LogonActivityTable | Export-Csv c:\test91.csv

    Also, I tried using the Get-EventLog cmdlet. The time it takes is faster than Get-WinEvent, but the CPU utilization and memory utilization issue is the same.

    $log = Get-EventLog -LogName Security -After $startTmp -Before $endTmp -InstanceId 4624,4625,4648

    Can anyone please help me with this?

    Thanks

    Thursday, December 26, 2019 12:35 PM

All replies

  • Please edit your original post and post the code correctly:

    Use a pipeline and avoid processing all events twice. Don't convert to a table; just output the objects from memory to the pipeline.

    $filter = @{
        LogName   = 'Security'
        StartTime = $startTmp      # [datetime] values, not quoted strings
        EndTime   = $endTmp
        ID        = 4624,4625,4648
    }
    Get-WinEvent -FilterHashtable $filter |
        ForEach-Object {
            # Inside 'switch', $_ is rebound to the value being tested, so keep the event in $e
            $e = $_
            switch ($e.Id) {
                4624 {
                    [pscustomobject]@{
                        TimeCreated = $e.TimeCreated
                        Status      = 'logon_Success'
                        ID          = $e.Id
                        UserName    = $e.Properties[5].Value
                        DomainName  = $e.Properties[6].Value
                        IpAddress   = $e.Properties[18].Value
                        IpPort      = $e.Properties[19].Value
                    }
                }
                4625 {
                    [pscustomobject]@{
                        TimeCreated = $e.TimeCreated
                        Status      = 'logon failed'
                        ID          = $e.Id
                        UserName    = $e.Properties[5].Value
                        DomainName  = $e.Properties[6].Value
                        IpAddress   = $e.Properties[19].Value
                        IpPort      = $e.Properties[20].Value
                    }
                }
                4648 {
                    [pscustomobject]@{
                        TimeCreated = $e.TimeCreated
                        Status      = 'Logon-Success'
                        ID          = $e.Id
                        UserName    = $e.Properties[5].Value
                        DomainName  = $e.Properties[6].Value
                        IpAddress   = $e.Properties[12].Value
                        IpPort      = $e.Properties[13].Value
                    }
                }
            }
        } |
        Export-Csv c:\test91.csv

    This will be much faster and easier to maintain.  Also refrain from using temporary variables and avoid unnecessary quotes.

    When copying and changing code from the Internet be sure you understand the code and PowerShell before choosing code examples.


    \_(ツ)_/


    • Edited by jrv Thursday, December 26, 2019 1:08 PM
    Thursday, December 26, 2019 1:06 PM
  • Also note that you cannot output records that have different structures, and this system does not require different record types.


    \_(ツ)_/

    Thursday, December 26, 2019 1:13 PM
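    A streaming variant of the approach in the two replies above, written as an added example that is not from this thread: one lookup table holds the EventData position of each field per event ID (the indexes are the ones used in the question), every event is emitted with the same columns so the CSV has one structure, and nothing is buffered in a variable. The time window and the output path are placeholders, and the function name Convert-LogonEvent is made up for this example.

    ```powershell
    # Added example, not code from the thread. Property indexes per event ID match the question.
    $fieldMap = @{
        4624 = @{ Status = 'logon_Success'; User = 5; Domain = 6; Ip = 18; Port = 19 }
        4625 = @{ Status = 'logon failed';  User = 5; Domain = 6; Ip = 19; Port = 20 }
        4648 = @{ Status = 'Logon-Success'; User = 5; Domain = 6; Ip = 12; Port = 13 }
    }

    function Convert-LogonEvent {
        # Turn one EventLogRecord into a flat object with a fixed set of columns (hypothetical helper)
        param([Parameter(ValueFromPipeline)] $Event)
        process {
            $m = $fieldMap[[int]$Event.Id]
            if (-not $m) { return }        # events with an ID outside the map are skipped
            $p = $Event.Properties
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                Status      = $m.Status
                ID          = $Event.Id
                UserName    = $p[$m.User].Value
                DomainName  = $p[$m.Domain].Value
                IpAddress   = $p[$m.Ip].Value
                IpPort      = $p[$m.Port].Value
            }
        }
    }

    $filter = @{
        LogName   = 'Security'
        StartTime = (Get-Date).AddDays(-1)   # placeholder window: last 24 hours
        EndTime   = Get-Date
        ID        = [int[]]$fieldMap.Keys
    }
    # To process an exported log offline, replace LogName with Path = 'C:\evidence\Security.evtx' (placeholder path).
    # -ErrorAction SilentlyContinue keeps an empty window from raising "No events were found".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Convert-LogonEvent |
        Export-Csv -Path 'C:\temp\logon_activity.csv' -NoTypeInformation
    ```

    Because each event flows through the pipeline one at a time, memory use stays flat regardless of how many events the window contains.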
  • Thanks. Your code really helped.
    Friday, December 27, 2019 12:13 PM