A couple of weeks ago I released a Management Pack with a Security log retention monitor. The monitor uses PowerShell to determine how far back the Security log reaches, something you want to keep an eye on in ACS (Audit Collection Services) implementations: once the oldest security event is younger than the collection interval, audit events have been overwritten before ACS could collect them. Unfortunately I discovered some performance issues with the monitor, so I changed it to resolve these problems for Windows Server 2008 and later systems.
The retention monitor was using the Get-EventLog cmdlet. This cmdlet has a ‘-Newest’ parameter but no ‘-Oldest’ parameter, so the script had to read the complete Security log (newest entry first) and then select the last entry, which is the oldest. Based on the timestamp of that entry it could do the retention calculation. This works fine when the security logs are not that big, but on servers with event logs larger than 256 MB I noticed PowerShell timeouts during the execution of the monitor.
After investigating the timeout I came across the Get-WinEvent cmdlet. This cmdlet has an ‘-Oldest’ switch, which returns events oldest first, and a ‘-MaxEvents’ parameter, which limits the number of events returned. Combining the two (‘-Oldest -MaxEvents 1’) reads exactly one record instead of the whole log. With this cmdlet I could reduce the runtime of the monitor from 20 minutes to 5 seconds on a server with a Security log of 4 GB.
The only problem with Get-WinEvent is that it is not available on every server; in this Management Pack I treat it as available from Windows PowerShell version 3 onwards (Get-WinEvent itself shipped with Windows PowerShell 2.0 on Windows Vista/Server 2008 and later, so the version check is conservative). So I redesigned the monitor: the script first checks which version of PowerShell is installed, and if this is 3 or later it uses Get-WinEvent. If the version of PowerShell is lower than 3 it falls back to the ‘old’ way with the Get-EventLog cmdlet, which still works but reads the whole log.
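The logic described above, as an added example and not the Management Pack's own script: a function that picks Get-WinEvent or Get-EventLog based on the PowerShell version, reads only the oldest Security event on the fast path, and reports the retention in days against a threshold. The 30-day minimum is an arbitrary example value, and the function assumes it runs with administrative rights (reading the Security log requires them).

```powershell
# Added example (not the Management Pack's own code): determine how far back the
# Security log reaches and whether that covers a minimum retention window.
# Assumptions: run elevated; the 30-day threshold is an example value only.
function Get-SecurityLogRetention {
    param(
        [string]$LogName = 'Security',
        [int]$MinimumDays = 30
    )

    # $PSVersionTable does not exist on PowerShell 1.0, so test for it before
    # touching its properties. Get-WinEvent is used on version 3 or later.
    $useWinEvent = ($null -ne $PSVersionTable) -and ($PSVersionTable.PSVersion.Major -ge 3)

    if ($useWinEvent) {
        # -Oldest reads the log oldest-first and -MaxEvents 1 stops after the first
        # record, so only one event is read regardless of the log size.
        $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $oldestTime = if ($oldest) { $oldest.TimeCreated } else { $null }
        $method = 'Get-WinEvent'
    }
    else {
        # Get-EventLog returns newest first and has no -Oldest switch, so the whole
        # log is enumerated before the last (oldest) entry is known. Slow on big logs.
        $oldest = Get-EventLog -LogName $LogName -ErrorAction SilentlyContinue | Select-Object -Last 1
        $oldestTime = if ($oldest) { $oldest.TimeGenerated } else { $null }
        $method = 'Get-EventLog'
    }

    # An empty or unreadable log yields no oldest event; treat that as zero retention
    # rather than letting the monitor silently report healthy.
    if ($null -eq $oldestTime) {
        $retentionDays = 0
    }
    else {
        $retentionDays = [math]::Round(((Get-Date) - $oldestTime).TotalDays, 2)
    }

    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        LogName       = $LogName
        Method        = $method
        OldestEvent   = $oldestTime
        RetentionDays = $retentionDays
        Healthy       = ($retentionDays -ge $MinimumDays)
    }
}

# Usage: run on the monitored server and inspect the result.
Get-SecurityLogRetention -MinimumDays 30 | Format-List
```

Inside a SCOM monitor the returned values would go into a property bag (via the MOM.ScriptAPI object) instead of being formatted to the console, but the retention calculation and the version-dependent cmdlet choice are the same. On PowerShell 3 and later the runtime is dominated by opening the log rather than by its size, which is what removes the timeouts.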
Basically this means that from Windows Server 2008 (with Windows Management Framework 3.0 installed) the monitor can use the Get-WinEvent cmdlet. Please find the updated version of the Management Pack here.