[Winlogbeat] Compare performance of event rendering without using XML

[andrewkroh]

We should so a comparison test between the current implementation that receives events as XML from Windows versus a prototype implementation that receives events in a binary format. The goal is to see what the performance difference is. We can use our benchmark tests for perform the measurements (here's this last run we did of these tests).

Additionally we should check if the Windows API is thread-safe such that multiple threads can be reading batches of events concurrently.

Details

When Winlogbeat calls EvtRender it passes the EvtRenderEventXml flag. In this test we want to utilize the EvtRenderEventValues flag. Then Winlogbeat will receive a buffer containing an array of EVT_VARIANT objects that it needs to extract the event parameters from.

[JPvRiel]

Additionally we should check if the Windows API is thread-safe such that multiple threads can be reading batches of events concurrently.

This post looks helpful/relevant: https://stackoverflow.com/a/53439276/5472444

Note:

This gives a decent speedup of a factor 4. I needed to use some tricks to get faster because for some strange reason the class ProviderMetadataCachedInformation is not thread safe and uses internally a lock(this) around the Format method which defeats paralell reading. The key trick is to open the event log in the conversion threads again and then read a bunch of events of the query there via the event bookmark Api. That way you can format the strings independently.

[andrewkroh]

Another thing I'd like to test/compare is using the ETW APIs to read from event logs (assuming that's possible).