Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using Get-WinEvent with Hashtable instead of Get-Eventlog increases performance #47

Closed
Marc4056 opened this issue Mar 4, 2021 · 5 comments · Fixed by #49
Closed

Using Get-WinEvent with Hashtable instead of Get-Eventlog increases performance #47

Marc4056 opened this issue Mar 4, 2021 · 5 comments · Fixed by #49
Assignees
@bill-long
Labels
Enhancement New feature or request

Comments

@Marc4056
Copy link

Marc4056 commented Mar 4, 2021
edited
Loading

CSS-Exchange/Security/Test-Hafnium.ps1

Line 45 in 2fce810

$eventLogs = Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*System.InvalidCastException*" }

I replaced line 45 where the eventlog is searched using CMDlet "Get-Eventlog" with CMDlet "Get-WinEvent" using FilterableHashtable as follows:

$eventLogs = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange Unified Messaging'; Level='2'} | Where-Object { $_.Message -like "*System.InvalidCastException*"}

This speeds up the query approx by factor 10 on my systems. Eventlog search now only takes about 3 minutes per system instead of 30 minutes
@bill-long bill-long self-assigned this Mar 4, 2021
@bill-long bill-long added the Enhancement New feature or request label Mar 4, 2021
@bill-long
Copy link
Member

Looks like it throws an error when the event log is clean, so we will need to handle that gracefully.

PS C:\>  Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange Unified Messaging'; Level='2'} | Where-Object { $_.Message -like "*System.InvalidCastException*"}
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:2
+  Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName= ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

@Marc4056
Copy link
Author

Marc4056 commented Mar 4, 2021

That is true, but I experience the same when the eventlog is clean using the Get-Eventlog CMDlet

@bill-long
Copy link
Member

Ah you're right, we just need to tack on the SilentlyContinue like the other command had.

bill-long added a commit that referenced this issue Mar 4, 2021
@bill-long
Use Get-WinEvent for better performance
65532bc 
Fixes #47
@bill-long bill-long mentioned this issue Mar 4, 2021
Merged
@bill-long
Copy link
Member

Thank you!

@Marc4056
Copy link
Author

Marc4056 commented Mar 4, 2021

Right, forgot to take parameter "-ErrorAction SilentlyContinue" into my command

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bill-long bill-long

Labels
Enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use Get-WinEvent for better performance microsoft/CSS-Exchange
2 participants
@bill-long @Marc4056