Clearing Windows Event Log


  • This topic has 9 replies, 5 voices, and was last updated 1 month ago by Participant.
    • #221898 Participant (Community Hero; Topics 12, Replies 523, Points 1,214)

      Any idea how to clear all (or some) events in the ‘Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational’ Windows event log?
      Using

      Clear-EventLog 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational' 
      

      does not work, since this cmdlet does not recognize this log.

    • #221916 Participant (Member; Topics 4, Replies 11, Points 58)

      Hey Sam,

      You can use the below method to get the event logs. I’m still figuring out how to get rid of them, though.

      $Date = (Get-Date).AddDays(-7)
      $Events = Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"; StartTime = $Date }

      Peace & Cheers,

    • #221940 Participant (Community Hero; Topics 3, Replies 340, Points 1,120)

      That’s an interesting question. Perhaps you could do something with the file directly if you make sure it’s not in use. I haven’t found anything else. I even tried adding a new event log, but I couldn’t figure out how to reference the file. Certainly it will need to be visible by Get-EventLog -List, right? I hope someone can show us the way.

      $path = "$env:SystemRoot\system32\Winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx"
      Get-WinEvent -FilterHashtable @{Path=$path}

    • #222258 Participant (Contributor; Topics 6, Replies 93, Points 427)

      I had to resort to using

      $logToClear = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
      $System = $env:COMPUTERNAME   # computer whose log to clear; the local machine here, replace with a remote host name as needed

      wevtutil.exe cl $logToClear /r:$System

      In my case, I am clearing on remote systems as well, you can of course leave that off for local.

    • #222990 Participant (Member; Topics 6, Replies 16, Points 47)

      Check this out “PowerShell Clear-WinEvent” at
      https://www.computerperformance.co.uk/powershell/clear-winevent/
      Hopefully, it is the answer you are looking for…

    • #223002 Participant (Contributor; Topics 6, Replies 93, Points 427)

      Seems like a lot of work when you can use a native Windows EXE to accomplish the task. What would the advantages be to this solution? Just curious. Thanks.

    • #223854 Participant (Community Hero; Topics 12, Replies 523, Points 1,214)

      Check this out “PowerShell Clear-WinEvent” at

      https://www.computerperformance.co.uk/powershell/clear-winevent/

      Hopefully, it is the answer you are looking for…

      This works. I wrote up a couple of functions based on [System.Diagnostics.Eventing.Reader.EventLogSession] to back up and clear any Windows event log.

      Install-Module AZSBTools 
      help Backup-EventLog -ShowWindow
      help Clear-SBEventLog -ShowWindow
      
      # Example:
      $EventLogList = @('Application','Security','Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational')
      Backup-EventLog -EventLogName $EventLogList -BackupFolder c:\Sandbox\Logs\Test
      Clear-SBEventLog -EventLogName $EventLogList -Confirm:$false
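
The EventLogSession approach described in this post, as an added example that is not code from the thread or from the AZSBTools module: two functions of my own (Clear-WinEventChannel and Get-LogClearedEvent are my names) that back up a channel to .evtx and clear it with EventLogSession.ClearLog, which accepts the Microsoft-Windows-*/Operational channels Clear-EventLog rejects, and then look up the record Windows writes when a log is cleared (Event ID 104 in System for any channel, Event ID 1102 in Security when the Security log itself is cleared, both from the Microsoft-Windows-Eventlog provider). That second lookup is the check a practitioner wants here: it confirms the clear took effect, and it is the same query a detection for log clearing would run, because clearing a log is itself logged. Run it elevated; the backup folder path is illustrative, and for a remote computer it is resolved on that computer.

```powershell
#Requires -RunAsAdministrator
using namespace System.Diagnostics.Eventing.Reader

function Clear-WinEventChannel {
    <#
    .SYNOPSIS
    Back up an event channel to an .evtx file, then clear it, through the
    Windows Event Log API. Unlike Clear-EventLog this works for any channel
    that 'wevtutil el' lists, including Microsoft-Windows-*/Operational logs.
    (Added example; function name is my own.)
    #>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$LogName,

        # Folder for the backup. For a remote target this path is resolved on
        # that computer, because its Event Log service writes the file.
        [Parameter(Mandatory)]
        [string]$BackupFolder,

        # Remote computer; omit for the local machine. Uses the caller's
        # credentials over the Event Log RPC interface, as 'wevtutil /r:' does.
        [string]$ComputerName
    )

    begin {
        $session = if ($ComputerName) { [EventLogSession]::new($ComputerName) } else { [EventLogSession]::new() }
        if (-not $ComputerName) { $null = New-Item -ItemType Directory -Path $BackupFolder -Force }
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    }

    process {
        foreach ($name in $LogName) {
            # Throws for a misspelled or absent channel instead of silently doing nothing.
            $before = $session.GetLogInformation($name, [PathType]::LogName)

            # Mirror the on-disk naming convention: '/' in a channel name is stored as '%4'.
            $backupFile = Join-Path $BackupFolder ('{0}-{1}.evtx' -f ($name -replace '/', '%4'), $stamp)

            if (-not $PSCmdlet.ShouldProcess($name, "Back up to $backupFile, then clear")) { continue }

            # ClearLog(logName, backupPath) exports the records to the file, then empties the channel.
            $session.ClearLog($name, $backupFile)
            $after = $session.GetLogInformation($name, [PathType]::LogName)

            [pscustomobject]@{
                LogName       = $name
                RecordsBefore = $before.RecordCount
                RecordsAfter  = $after.RecordCount
                BackupFile    = $backupFile
            }
        }
    }

    end { $session.Dispose() }
}

function Get-LogClearedEvent {
    <#
    .SYNOPSIS
    Return the audit records that clearing a log produces: ID 104 in System for
    any channel, ID 1102 in Security when the Security log itself is cleared
    (both from provider Microsoft-Windows-Eventlog). Confirms the clear landed,
    and is the query a detection rule for log clearing would run.
    (Added example; function name is my own.)
    #>
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [string]$ComputerName
    )
    $common = @{ ErrorAction = 'SilentlyContinue' }   # Get-WinEvent errors when nothing matches
    if ($ComputerName) { $common['ComputerName'] = $ComputerName }

    Get-WinEvent @common -FilterHashtable @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104;  StartTime = $Since }
    Get-WinEvent @common -FilterHashtable @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 1102; StartTime = $Since }
}

# Usage, locally, against the channel from the question (the folder path is illustrative):
$t0 = Get-Date
'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational' |
    Clear-WinEventChannel -BackupFolder 'C:\Sandbox\Logs' -Confirm:$false
Get-LogClearedEvent -Since $t0 | Select-Object TimeCreated, LogName, Id, Message
```

Passing -Confirm:$false skips the high-impact prompt, as in the Clear-SBEventLog call above; without it each channel is confirmed individually. If Get-LogClearedEvent returns nothing after a clear, either the System channel is disabled or the clear did not happen, so treat an empty result as a failure rather than as "nothing to report".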
      
    • #224163 Participant (Contributor; Topics 6, Replies 93, Points 427)

      I again pose the question: why should I not be using wevtutil.exe? Much simpler and native to Windows. Seems if you went to all the trouble you did, there is a good reason I should not be using this.

      Thanks.

    • #224172 Participant (Community Hero; Topics 12, Replies 523, Points 1,214)

      I again pose the question: why should I not be using wevtutil.exe? Much simpler and native to Windows. Seems if you went to all the trouble you did, there is a good reason I should not be using this.

      Thanks.

      Tony,

      There are advantages to using the EXE, such as compatibility with older systems like Windows 7 or 2008.
      It’s certainly a valid choice for you to use the EXE.
      For me, I try to stick to pure PowerShell. For one thing, mixing EXEs with PS cmdlets raises unnecessary complications, like passing data back and forth. It’s very common for a cmdlet to use the output of the prior cmdlet as its input. Using the output of an EXE poses the difficulties of a) having to parse the output as if we’re in bash on a Linux box, and b) that EXE output to be parsed may differ widely based on many conditions, making the parsing unreliable at best…

    • #224241 Participant (Contributor; Topics 6, Replies 93, Points 427)

      Thank you Sam.

      I, like you, prefer to avoid EXEs if possible. I was not aware of the method you chose. I will have a look into using the same method.
