Slow reading of EventLog

[Ashu]

Hi,
I am reading the event log of a remote system. The reading of event log
entries are extremely slow.

In the last test I carried out assigning the Entries to a local variable
and getting the count of entries takes close to 5 seconds.
Reading the first entry took 12 seconds, 2nd took 11 seconds, 3rd took 8
seconds, 4 took 7 seconds, 5th took 8 seconds.

The results are similar even when I am running the release version of
the exe.

How can I speed this up? I am eager to know as to when does the actual
entry moves from the remote system to local system, when we access the
Entries properties or access individual entry.

Thanks & Regards,
Ashutosh

 

[Jialiang Ge [MSFT]]

Dear Ashutosh

May I know how you read the event log of a remote system? What's the target
machine's OS? The KB article
http://support.microsoft.com/?id=815314
demonstrates a standard way to enumerate the event log entries:

//logType can be Application, Security, System or any other Custom Log.
string logType = "Application";

EventLog ev = new EventLog(logType, "server name");
int LastLogToShow = ev.Entries.Count;
if ( LastLogToShow <= 0 )
Console.WriteLine("No Event Logs in the Log :" + logType);

// Read the last 2 records in the specified log.
int i;
for ( i = ev.Entries.Count - 1; i>= LastLogToShow - 2; i--)
{
EventLogEntry CurrentEntry = ev.Entries;
Console.WriteLine("Event ID : " + CurrentEntry.EventID);
Console.WriteLine("Entry Type : " + CurrentEntry.EntryType.ToString());
Console.WriteLine("Message : " + CurrentEntry.Message + "\n");
}
ev.Close();

I tested the code to enumerate the event log entries of Win2003, Win2008
servers in the same domain, and the execution runs with a high speed.

I think that the slow reading of EventLog on your side may result from
one/several of these reasons

1. Incorrect use of the API. You may want to try the sample code in KB
815314.
2. Network bandwidth.
3. Security checking (e.g. cross-domain security checking)
4. The server is busy. (Is the slow reading happening to all your servers?)
5. The event log in the target machine is consistently changing. (e.g. many
new entries are being added into the event log when we query them from the
remote machine)

I am eager to know as to when does the actual entry
moves from the remote system to local system, when
we access the Entries properties or access individual entry.

By reading the source code of EventLog
(http://referencesource.microsoft.com/netframework.aspx), I get these info:

1. When we create an EventLog object by specifying the log type and machine
name, the processor validates the machine, and demands the proper
permission.
2. When we call EventLog.Entries.Count, the processor demands the
EventLogPermissionAccess.Administer permission of the target machine, and
call the APIs, OpenEventLog and GetNumberOfEventLogRecords, to retrieve the
total number. At this point, no log entry is downloaded to the local
machine. It just gets the total number.
3. When we enumerate the entries (ev.Entries), there is actually a cache
of the entries. If the log entry specified by is not in the cache, the
processor will connect to the remote machine, retrieve the entry with the
APIs, OpenEventLog, ReadEventLog, and fill it into the cache. If the log
entry is in the cache, the processor gets the entry directly from the cache.
4. If changes happen to the event log in the remote machine, a notification
will be sent to the client, and the client will adjust the entries' index
accordingly. This process may consume some time.

To effectively figure out the slow reading process, you may consider
debugging into the .NET source code:
http://referencesource.microsoft.com/downloadsetup.aspx
I'm willing to help you with the debugging. If you meet with any problem,
please feel free to tell me.

Have a nice day!

Regards,
Jialiang Ge ([email protected], remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

MSDN Managed Newsgroup support offering is for non-urgent issues where an
initial response from the community or a Microsoft Support Engineer within
2 business day is acceptable. Please note that each follow up response may
take approximately 2 business days as the support professional working with
you may need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations that require urgent,
real-time or phone-based interactions. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.