Question

How safely can I use the LogParser 2.2 utility while querying the remote server's event log, in terms of CPU/memory/network?

I would like to perform a few event log queries on the production machines, without affecting performance of the running system.

For instance, when I run the below LogParser query:

    SELECT QUANTIZE(TimeGenerated, 86400) AS Day, COUNT(*) AS [Total Errors]
    INTO outFile.csv
    FROM \\AServerIWishConnectTo\APPLICATION
    WHERE message LIKE '%error to seek%'
    GROUP BY Day
    ORDER BY Day ASC

.. would the above affect the "AServerIWishConnectTo" server a lot?

I'll add that the remote server is located in the local intranet.


Solution

It's really hard to say.

There are two types of network traffic generated by LogParser when you query remote event logs:

  • The traffic generated by the Windows remote EventLog API, which consists basically of transferring the byte amount in that event log (Application, in your case); you can check the byte size by looking at the file at c:\Windows\system32\winevt\Logs
  • The traffic generated to move the DLLs needed for resolution of messages: this consists of the whole DLL for each of the event sources registered in the (Application) event log

You can turn off resolution of messages by using -fullText:OFF, but then you won't be able to query for message like '%error to seek%'.

As for CPU or Memory, querying a remote event log should not use any memory on the server, and a negligible amount of CPU.
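
One way to size the two traffic components described in this answer before running the query, as an added example that is not part of the original answer: a PowerShell function (the name Get-EventLogTransferEstimate is hypothetical) that reads the log's current file size and sums the sizes of the message DLLs registered for its sources. It assumes it is run on the server being queried and that each source lists its message DLLs in its EventMessageFile registry value.

```powershell
# Added example: rough upper bound on the bytes a remote query with message
# resolution could pull, following the two components named in the answer.
# Assumption: executed locally on the server whose log will be queried.
function Get-EventLogTransferEstimate {
    param([string]$LogName = 'Application')

    # Component 1: current size of the event log file itself.
    $logBytes = [int64](Get-WinEvent -ListLog $LogName).FileSize

    # Component 2: message DLLs of every source registered under this log.
    # A hashtable keyed by path de-duplicates DLLs shared by several sources.
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    $dlls = @{}
    foreach ($source in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
        $value = $source.GetValue('EventMessageFile')
        if (-not $value) { continue }

        # The value may hold several paths separated by ';' and may contain
        # environment variables such as %SystemRoot%.
        foreach ($path in ($value -split ';')) {
            $path = [Environment]::ExpandEnvironmentVariables($path.Trim())
            if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
                $dlls[$path] = (Get-Item -LiteralPath $path).Length
            }
        }
    }
    $dllBytes = [int64]($dlls.Values | Measure-Object -Sum).Sum

    [pscustomobject]@{
        LogName         = $LogName
        LogBytes        = $logBytes
        MessageDllCount = $dlls.Count
        MessageDllBytes = $dllBytes
        TotalBytes      = $logBytes + $dllBytes
    }
}

Get-EventLogTransferEstimate -LogName 'Application' | Format-List
```

With -fullText:OFF only the LogBytes figure applies, since no message DLLs are fetched.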

Licensed under: CC-BY-SA with attribution