Querying application eventlog using wmi takes long time

Discussion in 'Scripting' started by Brodders, Jan 16, 2004.

  1. Brodders

    Brodders Guest

    (Code snippet below:)

    Hi
    Using wmi and wql I am finding that querying the application eventlog for events with an ID of 213 is taking ~ 8mins, regardless of if the query is kept to a local or remote machine and if the 'application' eventlog has been cleared or not. I have written the script to help us with Exchange 2000 log shipping between a production Exchange server and DR server within the same AD Domain, but at different sites. To help create the script I have used the "MS Win2K Scripting Guide" book as an invaluable resource and reference point. The book mentions that quicker queries can be written using the "Forward-Only" enumerator method (or asynchronous), however I will not be able to use the count property on my colLoggedEvents collection when utilising a "Forward-Only" enumerator (as per Technet http://www.microsoft.com/technet/tr...echnet/scriptcenter/scrguide/sas_wmi_krnh.asp). The book also mentions (Table 12.5, page 860) that a similar query on an eventlog with more records than ours took only 17 seconds! The script is being run against Windows 2000 Advanced Servers (SP3) and remotely running scripts (using WshController) is not permitted by IS Policy here.

    Does anyone know of a way I can speed up the query? Can the eventlogs be queried starting at 'end of file' (i.e. starting at the most recent entry) using wmi? Is any of this possible or do I have to suffer long eventlog query times forever? Please help, somebody, please?

    (Code Snippet)
    '* Inputs assumed to be set earlier in the full script:
    '*   strSourceServer    - name of the Exchange server to query ("." for the local machine)
    '*   dtmTargetStartDate - start of today as a WMI datetime string (yyyymmddHHMMSS.mmmmmm+UUU)
    '*   dtmTargetEndDate   - end of today in the same format
    Set oWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(security)}!\\" & strSourceServer & "\root\cimv2")
    WScript.StdOut.WriteLine "Querying Win32_NTLogEvent for completed Exchange backup's on " _
        & strSourceServer & ", please wait..."
    '* Event ID: 213 Check if Exchange Backup procedure has been completed successfully today.
    Set colLoggedEvents = oWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'application' AND EventCode = 213 AND TimeWritten > '" & dtmTargetStartDate & "' AND TimeWritten < '" & dtmTargetEndDate & "'")
    WScript.StdOut.WriteLine "Number of ESE 213 Events on the source server for today = " & colLoggedEvents.Count

    '* Set gbBackupComplete flag based on output for use later determining destination directory.
    If colLoggedEvents.Count = 0 Then
        gbBackupComplete = False
        WScript.StdOut.WriteLine "A full Backup has not completed, for today..."
    ElseIf colLoggedEvents.Count = 1 Then
        gbBackupComplete = True
        WScript.StdOut.WriteLine "A full Backup has completed, for today..."
    Else
        '* Reached when more than one 213 event was returned for today: status is treated as undeterminable.
        WScript.StdOut.WriteLine "Error querying the Application log, returned error: " & Hex(Err.Number)
        WScript.StdOut.WriteLine "Exchange 2000 Backup status cannot be determined, script will now quit."
        Err.Clear
        WScript.Quit
    End If
     
    Brodders, Jan 16, 2004
    #1

  2. Torgeir Bakken (MVP)

    Hi

    When using the "Forward-Only" enumerator, you can create your own count. Also note that to optimize the script further, you should not use "SELECT * FROM ...", select just one attribute (you don't need any of the attributes, so using * to get them all is not optimal), something like this is better:

    "SELECT eventcode FROM ..."


    An example on creating a count even if you use the "Forward-Only" enumerator:


    Const IFlags = 48   ' wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32)

    ' objWMIService, StartTime and StopTime are assumed to be set earlier in the script.
    Set colEvents = objWMIService.ExecQuery _
        ("SELECT eventcode FROM Win32_NTLogEvent WHERE " _
        & "LogFile = 'Application' and TimeWritten >= '" & StartTime _
        & "' and TimeWritten < '" & StopTime & "' and SourceName = 'ntbackup'" _
        , "WQL", IFlags)

    iCount = 0
    On Error Resume Next
    For Each objEvent In colEvents
        If Err.Number <> 0 Then
            ' No events found
            On Error Goto 0
            Exit For
        End If
        On Error Goto 0
        iCount = iCount + 1
    Next

    WScript.Echo "Number of events found: " & iCount
     
    Torgeir Bakken (MVP), Jan 16, 2004
    #2
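    Putting Torgeir's advice (single attribute, forward-only enumerator, manual count) together with the date bounds that Brodders's snippet leaves undefined, as an added example that is not code from anyone in this thread: the helpers ToWmiDate and CountEvents, the local-server placeholder "." and the zero UTC offset are assumptions, while event ID 213, the Application log and flag value 48 come from the posts above.

```vbscript
' Added example (not code from the thread): count today's ESE event 213 with the
' forward-only WMI enumerator and report how long the query took.
Option Explicit

Const wbemFlagReturnImmediately = 16   ' 16 + 32 = the "48" used in Torgeir's post
Const wbemFlagForwardOnly = 32

' Win32_NTLogEvent.TimeWritten is a CIM DATETIME string: yyyymmddHHMMSS.mmmmmm+UUU.
' The WQL bounds must use the same layout; lngUtcOffsetMin is the server's offset from
' UTC in minutes (Win32_OperatingSystem.CurrentTimeZone on the target gives this).
Function ToWmiDate(dtValue, lngUtcOffsetMin)
    Dim strSign
    If lngUtcOffsetMin < 0 Then strSign = "-" Else strSign = "+"
    ToWmiDate = Year(dtValue) & Right("0" & Month(dtValue), 2) & Right("0" & Day(dtValue), 2) _
        & Right("0" & Hour(dtValue), 2) & Right("0" & Minute(dtValue), 2) & Right("0" & Second(dtValue), 2) _
        & ".000000" & strSign & Right("00" & Abs(lngUtcOffsetMin), 3)
End Function

' Returns the number of matching events; an enumeration error is reported, not swallowed.
Function CountEvents(strServer, lngEventCode, strStart, strEnd)
    Dim objWMI, colEvents, objEvent, lngCount
    ' No (security) privilege: it is only needed for the Security log, not Application.
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strServer & "\root\cimv2")
    Set colEvents = objWMI.ExecQuery( _
        "SELECT EventCode FROM Win32_NTLogEvent WHERE Logfile = 'Application'" _
        & " AND EventCode = " & lngEventCode _
        & " AND TimeWritten >= '" & strStart & "' AND TimeWritten < '" & strEnd & "'", _
        "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
    ' A forward-only collection cannot be rewound, so .Count is unusable; count while walking it.
    lngCount = 0
    On Error Resume Next
    For Each objEvent In colEvents
        If Err.Number <> 0 Then Exit For   ' Torgeir's post shows an empty result surfaces here
        lngCount = lngCount + 1
    Next
    If Err.Number <> 0 Then WScript.Echo "Enumeration stopped: 0x" & Hex(Err.Number) & " " & Err.Description
    On Error GoTo 0
    CountEvents = lngCount
End Function

Dim strServer, strStart, strEnd, sngStarted, lngFound
strServer = "."    ' placeholder: "." is the local machine; use the Exchange server name remotely
strStart = ToWmiDate(Date, 0)                   ' midnight today (offset 0 is a placeholder)
strEnd = ToWmiDate(DateAdd("d", 1, Date), 0)    ' midnight tomorrow
sngStarted = Timer
lngFound = CountEvents(strServer, 213, strStart, strEnd)
WScript.Echo "ESE 213 events today on " & strServer & ": " & lngFound & " (" & Round(Timer - sngStarted, 1) & "s)"
If lngFound = 1 Then WScript.Echo "Full backup completed today." Else WScript.Echo "Backup not confirmed."
```

    Run it with cscript so the Echo output goes to the console; the elapsed time lets you compare the forward-only query against the original .Count version on the same server.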

  3. Brodders

    Brodders Guest

    Hi Torgeir

    I didn't mention it but have tried "SELECT eventcode FROM ..." already, and the query was still just as slow. However, I will try again using just one attribute. I will also try the Forward-Only enumerator method using your count idea.

    Thanks v.much for the pointers and the quick reply
    Brodders
     
    Brodders, Jan 16, 2004
    #3
  4. Paul Matear

    Paul Matear Guest

    maybe try LogParser 2.1 (part of IIS6 resource kit) instead? LogParser 2.0 won't work.

    this will give number of EventID 213 on the current days date from application log of \\server...

    in a BAT file (easy and produces statistics so you can check performance):
    LOGPARSER "SELECT COUNT(*) FROM \\Server\Application WHERE (EventID = '213') AND (TO_DATE(TimeGenerated) = SYSTEM_DATE())"

    as vbscript:
    SET objLogQuery = CreateObject("MSUtil.LogQuery")
    strQuery = "SELECT COUNT(*) FROM \\server\Application WHERE (EventID = '213') AND (TO_DATE(TimeGenerated) = SYSTEM_DATE())"
    SET RecordSet = objLogQuery.Execute(strQuery)
    WScript.Echo RecordSet.GetRecord().getValue(0)
    RecordSet.Close()

    regards
    paul

     
    Paul Matear, Jan 19, 2004
    #4
  5. Brodders

    Brodders Guest

    Hi again Torgeir

    As you described, I have used the "Forward-Only" enumerator (48) option on the .ExecQuery method and also narrowed down the returned items from the WQL using the 'eventcode' attribute and am getting the correct number of items returned using the count. However, the query time has not changed!? I may have to rethink my use of the eventlog for the purpose of checking for event ID 213 and use a post-backup command from our backup server (HP Omniback) instead to copy an empty file which I'll use as a flag instead.
     
    Brodders, Jan 21, 2004
    #5
  6. Torgeir Bakken (MVP)

    Hi

    Thanks for the feedback. Strange, usually the "Forward-Only" enumerator speeds those types of queries up a lot.
     
    Torgeir Bakken (MVP), Jan 22, 2004
    #6