Recently we had occasion to write a process that reads the event logs on several SQL Servers to determine login times for different SQL and Windows logins. Since we have begun using PowerShell v2.0, and since get-eventlog now has a -computername parameter, it seemed like an obvious solution.
The event message we were interested in looked something like “Login succeeded for user ‘UserName’ ….”. The code we were trying to use was:
get-eventlog -computername $servername -logname Application -message "Login succeeded for user*" -after ((get-date).AddDays(-1))
I expected that, given a date parameter and a leading string to match, this wouldn’t be too bad, but it ended up taking several minutes per server. As there are over a hundred servers to scan, that didn’t work well for us.
We ended up falling back to get-wmiobject.
$BeginDate=[System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((get-date).AddDays(-1))
get-wmiobject -class win32_ntlogevent -computerName $servername -filter "(EventCode=18453) and (LogFile='Application') and (TimeGenerated >'$BeginDate')"
- We have to encode the date parameter (instead of using a nice datetime parameter like get-eventlog has)
- We have to write a WQL where-clause to match the parameters
- We get to use the event code (rather than a string match)
- The code is orders of magnitude faster (39 servers in 13 minutes as a test case)
I think that you might have a positive experience using get-eventlog if you need to scan a range of time (for instance if you’re reporting on what happened on the server), but if you need to look for a specific event (or set of events) you’re probably going to want to use get-wmiobject.