Any way to remove all entries from the Windows event logs (Application, System & Software) apart from the last 24 hours?
Via command line such as batch file.
On Windows 2008 R2 Server & Windows 7
Asked
Active
Viewed 2,849 times
0
-
Which version of Window are you using? If >= Vista/2008 you can use wevtutil for accomplish the task http://technet.microsoft.com/en-us/library/cc732848(v=ws.10).aspx – Emyl Apr 12 '13 at 15:24
-
Just out of curiosity - why would you want to do this? You can just set the logs to overwrite themselves. – Lucky Luke Apr 12 '13 at 23:47
2 Answers
1
You can't do what you are trying to do. You can either save or clear an event log. When you clear, you can optionally save the events before clearing.
EDIT
Looking again, that wasn't very helpful. You can't remove some events from an event log without removing them all. You can, however, export some events based on a filter. For example, the following command will export all events logged to the System event log in the last 24 hours:
wevtutil epl system c:\system.evtx /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"
Does this get closer to what you want? If not, can you clarify if there is something more we can help with?
charleswj81
- 2,453
- 15
- 18
0
Found this:
If WScript.Arguments.Count > 1 Then
WScript.Echo
WScript.Echo "Usage: cscript ""Clear Event Logs.vbs"" [computer name]"
WScript.Echo
WScript.Quit
End If
Dim strComputer ' As String
If WScript.Arguments.Count > 0 Then
strComputer= WScript.Arguments(0)
Else
strComputer= "localhost"
End If
ClearEventLogs strComputer
WScript.Echo "Done"
Private Sub ClearEventLogs( _
strComputer)
WScript.Echo "Clearing event logs on " & strComputer & "..."
Set objWMIService = GetObject( _
"winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" _
& strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery( _
"Select * from Win32_NTEventLogFile")
For Each objLogfile in colLogFiles
ClearEventLog strComputer, objLogfile.LogfileName
Next
End Sub
Private Sub ClearEventLog( _
strComputer, _
strEventLogName)
WScript.Echo "Clearing '" & strEventLogName & "' event log on " _
& strComputer & "..."
Set objWMIService = GetObject( _
"winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" _
& strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery( _
"Select * from Win32_NTEventLogFile where LogFileName='" _
& strEventLogName & "'")
For Each objLogfile in colLogFiles
Dim backupFilename
backupFilename= "C:\" & strEventLogName & "_" & GetFormattedTimestamp() _
& ".evt"
errBackupLog = objLogFile.BackupEventLog(backupFilename)
If errBackupLog <> 0 Then
WScript.Echo "The " & strEventLogName & " event log on " _
& strComputer & " could not be backed up."
Else
objLogFile.ClearEventLog()
End If
Next
End Sub
Private Function GetFormattedTimestamp()
Dim timestamp
timestamp = Now
GetFormattedTimestamp = Year(timestamp) _
& LPad(Month(timestamp), 2, "0") _
& LPad(Day(timestamp), 2, "0") _
& "_" & Replace(FormatDateTime(timestamp, 4), ":", "")
End Function
Private Function LPad( _
strValue, _
nLength, _
strPadCharacter)
Dim strPaddedValue
strPaddedValue = strValue
While (Len(strPaddedValue) < nLength)
strPaddedValue = strPadCharacter & strPaddedValue
WEnd
LPad = strPaddedValue
End Function
here: http://blogs.msdn.com/b/jjameson/archive/2011/03/01/script-to-clear-and-save-event-logs.aspx
Another note from the blog: run it using cscript, not wscript.
Snowburnt
- 775
- 2
- 5
- 18
-
-
it's not, but it doesn't delete the last 24 either...this is pretty much the simplest way to archive the logs. There are other scripts out there that will do something similar that work by parsing through the log event by event. I could pull one of those out for you...maybe you could do the backup and rather than clearing the whole thing, just delete individual entries. Depending on how secure your environment is I don't think the security log will like being tampered with in this way, however. – Snowburnt Apr 15 '13 at 12:53