Event Log Reader is horribly slow... too slow. WTF Microsoft?

Use LogParser 2.2 - Search for C# and LogParser on the Internet (or you can use the log parser commands from the command line). I don't want to duplicate the work already contributed by others.

I pull the log from the remote system by having the log exported as an EVTX file. I then copy the file from the remote system. This process is really quick - even with a network that spans the planet (I had issues with having the log exported to a network resource). Once you have it local, you can do your searches and processing.

There are multiple reasons for having the EVTX - I won't get into the reasons why we do this.

The following is a working example of the code to save a copy of the log as an EVTX: (Notes: "device" is the network host name or IP. "LogName" is the name of the log desired: "System", "Security", or "Application". outputPathOnRemoteSystem is the path on the remote computer, such as "c:\temp\%hostname%.%LogName%.%YYYYMMDD_HH.MM%.evtx".)

    static public bool DumpLog(string device, string LogName, string outputPathOnRemoteSystem, out string errMessage)
    {
        bool wasExported = false;
        string errorMessage = "";
        try
        {
            System.Diagnostics.Eventing.Reader.EventLogSession els = new System.Diagnostics.Eventing.Reader.EventLogSession(device);
            els.ExportLogAndMessages(LogName, PathType.LogName, "*", outputPathOnRemoteSystem);
            wasExported = true;

        }
        catch (UnauthorizedAccessException e)
        {
            errorMessage = "Unauthorized - Access Denied: " + e.Message;
        }
        catch (EventLogNotFoundException e)
        {
            errorMessage = "Event Log Not Found: " + e.Message;
        }
        catch (EventLogException e)
        {
            errorMessage = "Export Failed: " + e.Message + ", Log: " + LogName + ", Device: " + device;
        }
        errMessage = errorMessage;
        return wasExported;
    }

Maybe that the remote computers could do a little bit of computing. So this way your server would only deal with relevant information. It would be a kind of cluster using the remote computer to do some light filtering and the server would the the analysis part.

Maybe WMI can help you:

WMI with C#

A good Explanation/Example can be found on MSDN.

EventLogSession session = new EventLogSession(Environment.MachineName);

// [System/Level=2] filters out the errors
// Where "Log" is the log you want to get data from.
EventLogQuery query = new EventLogQuery("Log", PathType.LogName, "*[System/Level=2]");

EventLogReader reader = new EventLogReader(query);

for (EventRecord eventInstance = reader.ReadEvent();
    null != eventInstance;
    eventInstance = reader.ReadEvent())
{
    // Output or save your event data here.
}

When waiting 5-20 minutes with the old code this one does it in less than 10 seconds.

You could place a Program at those machines that save the log to file and sends it to your webapplication i think that would be alot faster as you can do the looping local but im not sure how to do it so i cant ive you any code :(

Have you tried using the remoting features in powershell 2.0? They allow you to execute cmdlets (like ones to read event logs) on remote machines and return the results (as objects, of course) to the calling session.