
I'd like to delete old entries of the event-log (where old means "older than X days") using PowerShell.
I found the Clear-EventLog cmdlet but that

Deletes all entries from specified event logs on the local or remote computers.

I have found a lot of scripts that use this cmdlet to delete ALL entries -
but is there a way to select only some [old] entries of the event-log and delete only those?

user4531
No can do. This behaviour is by design. http://serverfault.com/questions/8339/how-can-i-remove-specific-events-from-the-event-log-in-windows-server-2008 – James Woolfenden Feb 25 '13 at 13:26

2 Answers


As James said, you can't. But if you want to keep a date range part of your log, it's not clean but here's a workaround:

  1. you backup the messages you want to keep with the 'wevtutil' utility (http://technet.microsoft.com/fr-fr/library/cc732848%28v=ws.10%29.aspx) Something like that:

    # $Days and $ComputerName were not set in the original post; assumed values so the snippet runs as-is
    $Days=30
    $ComputerName=$env:COMPUTERNAME
    $LogName="Application"
    $DateStart=(Get-Date).AddDays(-$Days)
    $DateEnd=Get-Date
    $EvtFile="$ComputerName" + "-EventLogExport-" + "$LogName" + ".evtx"
    # age of a date in milliseconds, the unit timediff(@SystemTime) uses in the XPath query
    function Get-Milliseconds ($EventsDate) {
        $EventsTimeSpan=New-TimeSpan -Start $EventsDate -End (Get-Date)
        [math]::Round($EventsTimeSpan.TotalMilliseconds)
    } # end function
    $EventsDateStart=Get-Milliseconds(Get-Date $DateStart)   # older bound (larger age)
    $EventsDateEnd=Get-Milliseconds(Get-Date $DateEnd)       # newer bound (age ~0)

    wevtutil epl $LogName $EvtFile /q:"*[System[TimeCreated[timediff(@SystemTime)>=$EventsDateEnd] and TimeCreated[timediff(@SystemTime) <= $EventsDateStart]]]"

  2. Use the Clear-EventLog cmdlet to empty your event log.

fab777
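
A scripted version of this two-step workaround, as an added example (not part of fab777's answer): it exports the range to keep, verifies that the export is readable before anything destructive happens, and takes a full copy of the old entries via `wevtutil cl /bu:` so they are archived rather than lost. The archive directory and file names are assumptions.

```powershell
# Added example, not from the original answer. Archive a log, export the
# events to keep, verify the export, and only then clear the live log.
param(
    [string]$LogName = 'Application',
    [int]$Days       = 30,
    [string]$OutDir  = 'C:\EventLogArchive'   # assumed archive location
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$full  = Join-Path $OutDir "$env:COMPUTERNAME-$LogName-full-$stamp.evtx"
$keep  = Join-Path $OutDir "$env:COMPUTERNAME-$LogName-last${Days}d-$stamp.evtx"

# timediff(@SystemTime) is the event's age in milliseconds, so "newer than
# $Days days" is just an upper bound on that age.
$maxAgeMs = [math]::Round((New-TimeSpan -Days $Days).TotalMilliseconds)
$query    = "*[System[TimeCreated[timediff(@SystemTime) <= $maxAgeMs]]]"

# 1. Export the retained range first (wevtutil epl with an XPath filter).
wevtutil epl $LogName $keep /q:$query
if ($LASTEXITCODE -ne 0) { throw "Export of $LogName to $keep failed" }

# Sanity check: the exported file must be readable before the log is cleared.
$kept = @(Get-WinEvent -Path $keep -ErrorAction SilentlyContinue)
if ($kept.Count -eq 0) {
    Write-Warning "No events from the last $Days days found in $LogName"
}
Write-Host "$($kept.Count) event(s) from the last $Days days saved to $keep"

# 2. Clear the log, taking a full backup of everything in the same step
#    (wevtutil cl /bu:), so the "deleted" old entries remain on disk.
wevtutil cl $LogName /bu:$full
if ($LASTEXITCODE -ne 0) { throw "Clearing $LogName failed" }
Write-Host "Cleared $LogName; full pre-clear copy at $full"

# The retained events are now read from the file, not the live log:
# Get-WinEvent -Path $keep | Select-Object TimeCreated, Id, Message
```

Note that after clearing, the live log starts empty; the kept events exist only in the exported `.evtx`, which `Get-WinEvent -Path` can query like any other log.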

I found a one-liner to remove ALL entries from ALL eventlogs e.g.

wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}

Personally I either set a limit on eventlog size

limit-eventLog -logname Security -MaximumSize 64KB

or do a monthly export and delete after export.

tramper