Optimizing AD logon query in Event Viewer using PS

  • Last Post 14 January 2017
MatCollins posted this 14 January 2017

Greetings Guys!

I started a personal project script which basically tells you who logged on to which workstation, from a single DC. This query, which is almost 70 lines, goes through each DC's Event Viewer and searches for event IDs related to logon and, after applying some filters, shows the result in a nice sorted table.

This is the main part of the script:

$Events = Get-WinEvent -FilterHashtable @{logname='security'; id=4769} -computername $DCName -errorAction Stop

Have you ever created a script like this which queries the DCs and applies certain rules like that?

So the question for the PS folks here is: why is the script taking so much time (but working), while the apps out there (like ManageEngine) and ... are so much smarter and faster?

Do you think they fetch records from Event Viewer by defining a start date and end date?


darren posted this 14 January 2017

Matt-

There’s probably a lot of answers to this, but from personal experience, I suspect it relates mostly to where you’re collecting from and the APIs you’re using to get the events.

Most modern enterprise-class auditing solutions, working in large environments where DC logs roll over quickly, are putting agents on the DCs and using native code to get at events. My experience with the .Net event APIs is that they can have a hard time keeping up in high-volume environments vs. their native counterparts. There may be some other trickery, code injection or lower level APIs that some vendors use, but in terms of pure performance, being directly on the box with native code is going to get you the best performance. The event log subsystem, frankly, is not terribly high-performing IMHO, so you have to meet it on its own terms, so to speak.

So if you’re stuck using PowerShell, I would suggest that you run your script on each DC directly rather than remotely (or use PS-Remoting) to maximize performance.


Darren
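An added example, not code from either poster, that combines the two ideas raised in this thread: a StartTime/EndTime window inside the FilterHashtable, so the Security log is filtered at the source instead of after every 4769 has been pulled, and running the query on each DC itself through PS remoting so only the projected rows cross the wire. The DC names, the one-hour window and the two post-filters (successful requests, non-machine accounts) are placeholder assumptions.

```powershell
# Added example (not the original poster's script). Assumes the caller can
# read the Security log on the DCs and that PS remoting is enabled there.
$DCNames   = @('dc01.example.test', 'dc02.example.test')   # placeholder DC list
$StartTime = (Get-Date).AddHours(-1)                        # placeholder window
$EndTime   = Get-Date

# Runs ON each DC (Darren's suggestion), so Get-WinEvent reads the log locally.
$Collector = {
    param([datetime]$Start, [datetime]$End)
    # StartTime/EndTime are supported FilterHashtable keys: the time range is
    # applied by the event log query itself rather than by PowerShell afterwards.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = $Start; EndTime = $End }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC       = $env:COMPUTERNAME
                Time     = $_.TimeCreated
                User     = $data['TargetUserName']                       # requester, user@REALM
                Service  = $data['ServiceName']                          # target service/computer account
                ClientIP = ($data['IpAddress'] -replace '^::ffff:', '')  # strip IPv4-mapped prefix
                Status   = $data['Status']                               # 0x0 = ticket issued
            }
        }
    } catch {
        # Get-WinEvent raises an error when nothing matches the window; treat that
        # as an empty result and rethrow anything else (access denied, RPC, ...).
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

# One remote call per DC; results come back already filtered and projected.
$Results = Invoke-Command -ComputerName $DCNames -ScriptBlock $Collector `
                          -ArgumentList $StartTime, $EndTime

# Post-filter locally on the small result set: successful requests only, and
# drop machine-account requesters (their TargetUserName ends in '$@REALM').
$Results |
    Where-Object { $_.Status -eq '0x0' -and $_.User -notlike '*$@*' } |
    Sort-Object Time |
    Format-Table Time, User, Service, ClientIP, DC -AutoSize
```

Widening the window is the usual reason such a script "works but takes forever"; keeping the window short and letting the log service do the filtering is what makes the per-DC query cheap.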
