PowerShell: Windows Get-EventLog vs Get-WinEvent

Get-EventLog is the legacy Windows event log query command, and its filtering options are limited. Get-WinEvent, the newer command, accepts XPath and XML filters (and filter hashtables) that the event log service applies at the source, so only the records that match are returned to the pipeline. Because the log is indexed on these fields, a targeted query can in theory return very quickly. However, Get-EventLog is not always slower than Get-WinEvent, as the measurements below illustrate:

# Get-WinEvent Method
$logType='Application'
$source='Waveaccess - CRM Integration Service'
$message="Can't connect to Trixbox"
$eventId=0
$minutesRelevancy=20000
$limit=1

# Fields the event log service can filter at the source (log, event ID, time window).
# Note that $source is not part of this hashtable, and the message text cannot be
# filtered here at all; both are left to the Where-Object stage below.
$filter = @{
    LogName   = $logType
    ID        = $eventId
    StartTime = [datetime]::Now.AddMinutes(-$minutesRelevancy)
}

# Select -First stops the pipeline as soon as $limit matches arrive, so a true-positive
# returns early while a true-negative scans the whole time window.
measure-command { Get-WinEvent -FilterHashTable $filter -ComputerName $env:computername -EA Ignore|?{$_.Message -match $message}|select -first $limit }

# Testing on a Server with True-positives
Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 274
Ticks             : 2748585
TotalDays         : 3.18123263888889E-06
TotalHours        : 7.63495833333333E-05
TotalMinutes      : 0.004580975
TotalSeconds      : 0.2748585
TotalMilliseconds : 274.8585

# Testing on a Server with True-negatives
Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 22
Milliseconds      : 11
Ticks             : 220112284
TotalDays         : 0.000254759587962963
TotalHours        : 0.00611423011111111
TotalMinutes      : 0.366853806666667
TotalSeconds      : 22.0112284
TotalMilliseconds : 22011.2284

# Get-EventLog Method
$logType='Application'
$source='Waveaccess - CRM Integration Service'
$message="Can't connect to Trixbox"
$eventId=0
$minutesRelevancy=20000
$limit=1

# Get-EventLog filters on source and a wildcard message itself; only the time window is applied afterwards.
measure-command {Get-EventLog -LogName $logType -InstanceId $eventId -source $source -message "*$message*" -Newest $limit|?{$_.TimeWritten -ge [datetime]::Now.AddMinutes(-$minutesRelevancy)} }

# Testing on a Server with True-positives
Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 151
Ticks             : 1513339
TotalDays         : 1.75154976851852E-06
TotalHours        : 4.20371944444444E-05
TotalMinutes      : 0.00252223166666667
TotalSeconds      : 0.1513339
TotalMilliseconds : 151.3339

# Testing on a server with True-negatives
Days              : 0
Hours             : 0
Minutes           : 1
Seconds           : 20
Milliseconds      : 884
Ticks             : 808844706
TotalDays         : 0.000936162854166667
TotalHours        : 0.0224679085
TotalMinutes      : 1.34807451
TotalSeconds      : 80.8844706
TotalMilliseconds : 80884.4706

Conclusion: on true-positives the run times are similar. On true-negatives, however, Get-WinEvent is 267% faster than Get-EventLog (22.0 s versus 80.9 s).
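The true-negative case is slow for both commands because nothing limits the scan before the message text is inspected. The following wrapper is an added example, not code from the original post: it pushes every field the event log service can evaluate (log name, event ID, time window, and the provider/source, which the post's hashtable leaves out) into the filter hashtable, and keeps only the free-text message match on the client side. The function name Find-RecentEvent is hypothetical; the provider and message strings are the post's own sample values, and the true-negative pattern is a constructed placeholder.

```powershell
# Added example (not part of the original post). Find-RecentEvent is a hypothetical name.
function Find-RecentEvent {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Application',
        [string]$ProviderName,            # source/provider, filtered by the log service
        [int]$EventId = 0,
        [int]$MinutesRelevancy = 20000,
        [string]$MessagePattern,          # regex, evaluated client-side on each record
        [int]$Limit = 1,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Everything in this hashtable is applied at the source, before records are returned.
    $filter = @{
        LogName   = $LogName
        Id        = $EventId
        StartTime = [datetime]::Now.AddMinutes(-$MinutesRelevancy)
    }
    if ($ProviderName) { $filter.ProviderName = $ProviderName }

    # Message text cannot go into the hashtable, so it is the only client-side stage.
    # Select-Object -First stops Get-WinEvent as soon as $Limit matches have arrived;
    # with no match, the whole time window is still read and transferred.
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction Ignore |
        Where-Object { -not $MessagePattern -or $_.Message -match $MessagePattern } |
        Select-Object -First $Limit
}

# Reproduce the post's comparison: one query that hits, one that cannot.
$params = @{
    LogName          = 'Application'
    ProviderName     = 'Waveaccess - CRM Integration Service'
    EventId          = 0
    MinutesRelevancy = 20000
    Limit            = 1
}
$hit  = Measure-Command { Find-RecentEvent @params -MessagePattern "Can't connect to Trixbox" }
$miss = Measure-Command { Find-RecentEvent @params -MessagePattern 'PLACEHOLDER-text-that-never-appears' }
"True-positive: {0:N0} ms; true-negative: {1:N0} ms" -f $hit.TotalMilliseconds, $miss.TotalMilliseconds
```

Adding ProviderName to the hashtable narrows the true-negative scan to one source's records rather than every Application event in the window, which is where most of the 22 seconds measured above is spent. When querying a remote computer, the Where-Object stage runs locally, so every record that survives the hashtable filter crosses the network; the tighter the hashtable, the less is transferred.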
