Display or Clear MS Windows Server Logs via CMD and PowerShell

Mindwatering Incorporated

Author: Tripp W Black

Created: 07/04 at 03:15 PM


Category:
Microsoft Server Software
Other/Misc.

Task:
Display and/or clear MS Windows Server event logs from a DOS (cmd) script or from PowerShell (PS)


Steps for the DOS wevtutil commands to view and clear the MS Windows Event Logs:
a1. Display logs using the older wevtutil command:
- List the names of all event logs (el = enum-logs; it takes no log name):
$ wevtutil el
- Display events from the Application log (qe = query-events; /c limits the count, /rd:true shows newest first, /f:text renders readable text instead of XML):
$ wevtutil qe Application /c:20 /rd:true /f:text
- Display events from the System log:
$ wevtutil qe System /c:20 /rd:true /f:text

b1. Clear the logs using the wevtutil command (clearing requires an elevated prompt):
- Search/Home/Start --> Command Prompt (cmd; its menu location changes between Windows releases, so type cmd in Search if needed) --> Right click --> Run as Administrator

- Back up a log file and then clear it (the /bu option writes the backup .evtx before the log is cleared):
# wevtutil cl Microsoft-Windows-GroupPolicy/Operational /bu:GPOLOG_backup.evtx

- Clear Application view logs:
# wevtutil cl Application
- Clear System view logs:
# wevtutil cl System

- Clear all logs from within a .bat file (each line of wevtutil el output is one log name; %%G is the FOR loop variable, doubled because this runs inside a batch file):
...
for /F "tokens=*" %%G in ('wevtutil.exe el') DO wevtutil.exe cl "%%G"
...

- Clear all logs from the command prompt directly (single % for the loop variable when typed interactively):
# for /F "tokens=*" %G in ('wevtutil.exe el') DO wevtutil.exe cl "%G"

---


a2. Display logs with the PowerShell 3 Get-EventLog command:
To list all the classic event logs (-LogName accepts a single log name and no wildcards, so use -List to enumerate):
> Get-EventLog -List

To display just the Application log (-Newest limits the output to the most recent entries):
> Get-EventLog -LogName Application -Newest 20

To display just the Security and System logs (one Get-EventLog call per log, since -LogName takes only one name; Security requires an elevated session):
> 'Security', 'System' | ForEach-Object { Get-EventLog -LogName $_ -Newest 20 }
Note:
When a log is cleared, Windows writes a new entry at the time of clearing, with EventID 104 (System log) or EventID 1102 (Security log), recording the time, the user id that performed the clearing, and an event description.
(For the example, the descriptions are: "The System log file was cleared." and "The audit log was cleared.")


b2. Back up and clear the logs using the PowerShell Clear-EventLog command:
- Search/Home/Start --> PowerShell (command window) --> Right click --> Run as Administrator

- Run the following command to back up and clear all logs:
This example backs up each log to a workspace network drive folder W:\WindowsLogArchive\ and then clears it (the ClearLog method writes the backup file first; log names containing "/" are written with "." in the file name):
> Get-WinEvent -ListLog * | ForEach-Object { [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName, "W:\WindowsLogArchive\$($_.LogName -replace '/','.').evtx") }

- Clear the logs for both Application and System, prompting for confirmation first:
> Clear-EventLog -LogName Application, System -Confirm

- Clear the Windows PowerShell log (this removes the entries from previous runs but leaves an entry recording this clearing action):
> Clear-EventLog "Windows PowerShell"
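The b2 procedure and the Note above combined into one script, as an added example that is not part of the original article: it backs up each listed log to the archive folder the article uses (W:\WindowsLogArchive is assumed to exist), clears a log only after its backup file is confirmed on disk, and then lists the EventID 104 / 1102 entries that the clearing leaves behind so the operator can see the audit trail.

```powershell
# Added example (not from the original article): back up each listed log to an
# archive folder, clear it only after the backup file exists, then report the
# "log cleared" audit entries (EventID 104 / 1102) that clearing leaves behind.
# Run from an elevated PowerShell session; W:\WindowsLogArchive is assumed.
param(
    [string[]]$LogName  = @('Application', 'System'),  # logs to archive and clear
    [string]$ArchiveDir = 'W:\WindowsLogArchive'        # assumed archive folder
)

$session = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession
if (-not (Test-Path -LiteralPath $ArchiveDir)) {
    throw "Archive folder '$ArchiveDir' is missing; not clearing logs without a backup target."
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($name in $LogName) {
    # Names such as Microsoft-Windows-GroupPolicy/Operational contain '/',
    # which is invalid in a file name; substitute '.' as the article does.
    $file = Join-Path $ArchiveDir ('{0}-{1}.evtx' -f ($name -replace '/', '.'), $stamp)
    try {
        # ClearLog(logName, backupPath) writes the backup first, then clears the log.
        $session.ClearLog($name, $file)
    } catch {
        Write-Warning "Could not back up/clear '$name': $($_.Exception.Message)"
        continue
    }
    if (Test-Path -LiteralPath $file) {
        Write-Host ('Archived and cleared {0} -> {1}' -f $name, $file)
    } else {
        Write-Warning "No backup file found at $file for '$name'; check that log manually."
    }
}

# Clearing leaves its own audit trail: EventID 104 in System (written whenever a
# log is cleared through the Event Log service) and EventID 1102 in Security
# (audit log cleared). Listing them shows who cleared which log and when.
$since = (Get-Date).AddMinutes(-10)
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
)
$cleared | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LogName,
        @{ n = 'User';    e = { if ($_.UserId) { $_.UserId.Translate([System.Security.Principal.NTAccount]) } } },
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Save it as a .ps1 and pass -LogName with additional log names (for example the GroupPolicy/Operational log from step b1) to archive and clear more than the two defaults.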




