Get-EventLog Performance issue

Greetings,

I have an issue where I need to query the Security log. I must use Get-EventLog as this is for XP systems (don't laugh) so I can't use Get-WinEvent with FilterHashTables. The problem I have is when the security log gets big, the queries take forever. I thought assigning the log once to a variable/object and then parsing the variable would stash the log in RAM and run at a fair clip. Either I am wrong, or my method is wrong, which is more likely.

Here is a shortened example of my code:

$SecurityLog = Get-EventLog -LogName 'Security' -ComputerName $System

# Event ID 576, 577 or 578 AND a failure audit. The parentheses around the -or
# group matter: -and binds tighter than -or, so without them the FailureAudit
# test would only apply to 578 and every 576/577 entry would be returned.
$AuditData = $SecurityLog | Where-Object {
        (($_.EventID -eq 576) -or ($_.EventID -eq 577) -or ($_.EventID -eq 578)) -and
        ($_.EntryType -eq 'FailureAudit')
    } | Select-Object MachineName, TimeGenerated, UserName,
        @{Label = 'Details'; Expression = { $_.Message }}, EntryType, EventID

I use the same $SecurityLog object for the rest of the audit for additional queries. I was under the impression after instantiating the object, it would be in memory and run quickly.

When the security log gets up there in size like 50MB or greater, it takes FOREVER to run. Can someone please point out the error of my ways?

Thanks in advance.

Is this working as expected for smaller log files, and just performs poorly with larger ones?

50MB is a huge log file. It must have hundreds of thousands of entries, and you’re performing several checks on it… It may not be possible for it to go faster.

Where is the work being done? Are you gathering the log files from remote systems and pulling the data to local and then running the checks? Or are you performing these checks via remote on the individual systems? If so, and they’re XP systems, they may just be too limited by their hardware to perform better. What kind of systems are these? What is the hardware like?

Mostly local systems. The system is defined in $System, but the option does exist to feed the script a list of hosts and act upon those hosts. What I was hoping to get from this forum was if my approach is all wrong and finding a better way. I really thought that defining a single Get-EventLog to a single object/variable would then have that info in RAM and be much faster. The script is no faster if I use Get-EventLog for each audit item versus parsing the single query object which made me wonder if my theory was way off.

My testing is being done on VMs, but also a newer generation laptop (i5/16GB RAM, SSD etc.)

I must say, Get-WinEvent using a FilterHashTable is orders of magnitude faster.

The script can be run as a Scheduled task as a fall back plan due to performance issues. Sadly, 50MB log files and greater are the norm in our environment even with archiving done weekly. Typical sizes are 100 to 150MB.
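Added example, not code posted by anyone in this thread: the same Security query with the filtering pushed into Get-EventLog's own -InstanceId, -EntryType and -After parameters, timed against the materialise-the-whole-log-then-Where-Object pattern from the first post, followed by the Get-WinEvent FilterHashtable form the poster found so much faster on hosts that support it. Assumptions: PowerShell 2.0 on the XP side, $System names the target host, a seven-day window, and that these classic Security audits carry an InstanceId equal to their EventID (a Where-Object guard on EventID catches any entry where that does not hold). The Vista-or-later event IDs 4672, 4673 and 4674 are the successors of 576, 577 and 578 and are not present on XP.

```powershell
# Added example, not the original poster's script.
# Assumptions: PowerShell 2.0, $System is the host to query, seven-day window.
$System   = $env:COMPUTERNAME
$EventIds = 576, 577, 578          # XP: special privileges / privileged service / privileged object
$Since    = (Get-Date).AddDays(-7)

function Get-FailedPrivilegeAudits {
    param([string]$ComputerName, [int[]]$Ids, [datetime]$After)

    # -InstanceId, -EntryType and -After are applied inside the cmdlet, so entries
    # that do not match are never emitted to the pipeline and never run through a
    # Where-Object script block (the per-object cost that dominates on a 100MB log).
    # Assumption: InstanceId == EventID for these audits; the -contains guard keeps
    # the result honest if an entry ever carries qualifier bits in its InstanceId.
    Get-EventLog -LogName Security -ComputerName $ComputerName `
        -InstanceId $Ids -EntryType FailureAudit -After $After |
        Where-Object { $Ids -contains $_.EventID } |
        Select-Object MachineName, TimeGenerated, UserName,
            @{Label = 'Details'; Expression = { $_.Message }},
            EntryType, EventID
}

function Get-FailedPrivilegeAuditsSlow {
    param([string]$ComputerName, [int[]]$Ids, [datetime]$After)

    # The pattern from the first post: pull every entry, then filter in the pipeline.
    # Each entry becomes an EventLogEntry object and is evaluated by the script block.
    $All = Get-EventLog -LogName Security -ComputerName $ComputerName
    $All | Where-Object {
            ($Ids -contains $_.EventID) -and
            ($_.EntryType -eq 'FailureAudit') -and
            ($_.TimeGenerated -ge $After)
        } | Select-Object MachineName, TimeGenerated, UserName,
            @{Label = 'Details'; Expression = { $_.Message }},
            EntryType, EventID
}

# Time both against the same log; row counts should be identical.
$t0    = Get-Date
$Fast  = @(Get-FailedPrivilegeAudits -ComputerName $System -Ids $EventIds -After $Since)
$tFast = (Get-Date) - $t0

$t0    = Get-Date
$Slow  = @(Get-FailedPrivilegeAuditsSlow -ComputerName $System -Ids $EventIds -After $Since)
$tSlow = (Get-Date) - $t0

'{0,-12} {1,8:N1}s {2,6} rows' -f 'cmdlet-side',  $tFast.TotalSeconds, $Fast.Count
'{0,-12} {1,8:N1}s {2,6} rows' -f 'Where-Object', $tSlow.TotalSeconds, $Slow.Count

# On Vista or later the filter is evaluated by the event log service itself, which is
# why Get-WinEvent -FilterHashtable is in a different league. Different event IDs and
# a keyword for failure audits (0x10000000000000 = AuditFailure), so it is a separate
# query for non-XP hosts, not a drop-in replacement for the one above.
if ((Get-WmiObject Win32_OperatingSystem -ComputerName $System).Version -ge '6.0') {
    $Newer = Get-WinEvent -ComputerName $System -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4672, 4673, 4674
        Keywords  = 0x10000000000000
        StartTime = $Since
    }
    '{0,-12} {1,6} rows' -f 'Get-WinEvent', @($Newer).Count
}
```

Keeping the log in a variable does not avoid the expensive part: the cost is paid when the entries are enumerated and then again every time a Where-Object script block is run over all of them, so one wide cmdlet-side pull (say -EntryType FailureAudit -After $Since) followed by several Where-Object splits of that already-reduced array is the cheapest way to serve several audit items from one read.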