[logs] Getting Windows logs through WMI

Vincent Bernat bernat at luffy.cx
Tue Jan 15 21:40:28 PST 2008


Hi!

Getting the eventlog through WMI calls has two advantages over the classic
RPC method:
 - We don't need to resolve symbols using DLLs (which is quite
   problematic when getting logs remotely). The WMI layer translates
   messages into human readable style.
 - This works on both Linux and Windows. Getting logs through RPC from
   Linux is still quite experimental (this is part of the Samba
   project).

However, it seems that there is a major drawback to using WMI: when the
event log file is 100 MB large, the WMI call times out whatever the
request is. I mean, you may ask for log trail 45722, for the 100 last log
trails or for the 100 first log trails; the WMI call takes too much time and
times out.

WMI allows querying the eventlog through the WQL language, which is SQL with
far fewer features. However, it seems that no indexing occurs and that the
whole log file is scanned for every request.

For some large organizations, a 100 MB large file is quite common (and
filled in an hour, so we cannot ask them to use a smaller size). Do you
know of any workaround to this limitation?

Thanks.
-- 
MUD IS NOT ONE OF THE 4 FOOD GROUPS
MUD IS NOT ONE OF THE 4 FOOD GROUPS
MUD IS NOT ONE OF THE 4 FOOD GROUPS
-+- Bart Simpson on chalkboard in episode 9F15
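The requests the post describes (one record by number, the first 100, the last 100) written as WQL against Win32_NTLogEvent and timed one by one, so the per-request cost and any timeout on a large log can be measured; this is an added example, not code from the original post, and the computer name, log name and record number are placeholders.

```powershell
# Added example, not from the original post: issues the WQL requests the
# post describes against Win32_NTLogEvent and times each one, so the cost
# of a request on a large log file can be measured. Computer name, log
# name and record number are placeholders.
param(
    [string]$Computer = 'SERVER01',   # placeholder target host
    [string]$LogName  = 'Security',   # placeholder log file
    [int]   $Record   = 45722         # record number mentioned in the post
)

function Invoke-TimedWql {
    param([string]$Label, [string]$Wql)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # The remote CIMOM evaluates the WHERE clause itself; how long that
        # takes on a large log, and whether it times out, is what we measure.
        $rows = @(Get-WmiObject -ComputerName $Computer -Query $Wql -ErrorAction Stop)
        $sw.Stop()
        '{0,-12} {1,6} rows  {2,9:N0} ms' -f $Label, $rows.Count, $sw.ElapsedMilliseconds
    } catch {
        $sw.Stop()
        '{0,-12} FAILED after {1,9:N0} ms: {2}' -f $Label, $sw.ElapsedMilliseconds, $_.Exception.Message
    }
}

$base = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='$LogName'"

# One specific record by number.
Invoke-TimedWql 'record #'  "$base AND RecordNumber=$Record"

# WQL has no ORDER BY or TOP, so "first 100" and "last 100" have to be
# written as RecordNumber ranges. NumberOfRecords comes from the log's
# metadata; on a log that has already wrapped, record numbers run higher
# than that count, so the "last 100" range is only exact for an unwrapped log.
$log = Get-WmiObject -ComputerName $Computer -Class Win32_NTEventlogFile |
       Where-Object { $_.LogfileName -eq $LogName }
$max = [int]$log.NumberOfRecords
Invoke-TimedWql 'first 100' "$base AND RecordNumber<=100"
Invoke-TimedWql 'last 100'  "$base AND RecordNumber>$($max - 100)"

# A time window is the other natural way to ask for recent records;
# TimeGenerated is compared as a DMTF datetime string.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-1))
Invoke-TimedWql 'last hour' "$base AND TimeGenerated>='$since'"
```

Running this against the same log at different sizes shows whether the elapsed time grows with the file rather than with the number of rows returned.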


More information about the LogAnalysis mailing list