How to Delete Windows Event Log Messages
Our mission is to 'zero' those dozens of Windows event logs that don't respond to PowerShell's native command: Clear-Eventlog.
To avoid disaster by being too gung-ho, I recommend that you practice with Get-WinEvent and Clear-Eventlog before you try my examples on this page.
PowerShell Clear-WinEvent Topics
- Planning the Clear-WinEvent Function
- The PowerShell Problem
- Solution 1: Create Clear-WinEvent Function
- Solution 2: Clean ALL the Logs
- Creating a Function Called Clear-WinEvent
Planning the Clear-WinEvent Function
Rather than slavishly copying my script below, I recommend that you take the time to assimilate the overall plan.
Orientation to the Location: I am talking about the 150+ Application and Services Logs that you see in Event Viewer. See screenshot to the right.
These are the same logs that you could find, and back up, in %SystemRoot%\System32\Winevt\Logs\.
Understand the Function's Engine:
At the heart of the script is this EventLogSession class from the .NET Framework:
[System.Diagnostics.Eventing.Reader.EventLogSession]
Create the Function:
Our mission is to build a cmdlet function called Clear-WinEvent.
Clean (Delete) the Actual Log Entries:
Let us apply the parameter -LogName to a named log; however, for safety, please include the -Confirm parameter, which is especially useful if you plan to modify the script to zero all the logs.
PowerShell Solution 1: Create Clear-WinEvent
The first task should be to back up, or at least copy, the logs under %SystemRoot%\System32\Winevt\Logs. I found this task harder than I anticipated, and this is why I recommend the -Confirm parameter when testing.
Our second task is to pick out one of the Application and Services logs to test the function. We can use the built-in Get-WinEvent cmdlet to list the logs.
# List the Winevt files
Get-WinEvent -ListLog Microsoft-Windows-Windows*
Note 1: Remember to use the -ListLog parameter; we will employ a similar parameter in the function we are going to build. Also remember the wildcard * at the end of this command. (Yes, I really meant -Windows-Windows*)
For my experiment, and for no particular reason, I selected this log:
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Creating a Function called Clear-WinEvent
Here is an example of our function cleaning one of the firewall logs.
# PowerShell Function/Cmdlet to clear one of the Application and Service Logs
Function Clear-WinEvent {
    [CmdletBinding(SupportsShouldProcess=$True)]
    Param
    ([String]$LogName)
    Process {
        If ($PSCmdlet.ShouldProcess("$LogName", "Clear log file"))
        {
            [System.Diagnostics.Eventing.Reader.EventLogSession]::`
            GlobalSession.ClearLog("$LogName")
        } # End of If
    } # End of Process
} # End of creating the function

# Calling the function Clear-WinEvent
Clear-Host
$VictimLog = "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
Get-WinEvent -ListLog $VictimLog
Clear-WinEvent -LogName $VictimLog -Confirm
Write-Host "`nAfter running Clear-WinEvent: Check RecordCount "
Get-WinEvent -ListLog $VictimLog
Note 2: As mentioned earlier, for safety I have incorporated the -Confirm parameter in the function.
Note 3: This is all one crucial command; if there is a problem then remove the backtick, thus:
[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("$LogName")
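The same function with the backup step the text recommends built in, as an added example that is not part of the original page. It uses the two-argument ClearLog(logName, backupPath) overload of EventLogSession to save the entries to an .evtx file before they go, reports the RecordCount before and after, and then shows the audit trail the clear leaves behind (Event ID 104 in the System log). The backup path is constructed here.

```powershell
# Added example, not from the original page: Clear-WinEvent with an optional backup.
Function Clear-WinEvent {
    # ConfirmImpact='High' makes PowerShell prompt even when -Confirm is omitted
    [CmdletBinding(SupportsShouldProcess=$True, ConfirmImpact='High')]
    Param (
        [Parameter(Mandatory=$True, Position=0)]
        [String]$LogName,
        [String]$BackupPath   # optional .evtx file to save the entries to before clearing
    )
    Process {
        $Session = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession
        # Capture the record count first, so the prompt shows what is about to be lost
        $Before = (Get-WinEvent -ListLog $LogName -ErrorAction Stop).RecordCount
        If ($PSCmdlet.ShouldProcess("$LogName ($Before records)", "Clear log file")) {
            If ($BackupPath) {
                # ClearLog(logName, backupPath) saves the events to an .evtx file, then clears the log
                $Session.ClearLog($LogName, $BackupPath)
            } Else {
                $Session.ClearLog($LogName)
            }
        }
        $After = (Get-WinEvent -ListLog $LogName).RecordCount
        [PSCustomObject]@{ LogName = $LogName; Before = $Before; After = $After; Backup = $BackupPath }
    }
}

# Usage: back up, then clear, with a confirmation prompt (the backup path is constructed here)
$VictimLog  = "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
$BackupFile = Join-Path $env:TEMP ("Firewall-" + (Get-Date -Format 'yyyyMMdd-HHmmss') + ".evtx")
Clear-WinEvent -LogName $VictimLog -BackupPath $BackupFile

# The clear itself is audited: the System log receives Event ID 104 naming the log that was cleared
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

The last query is the check a log reviewer would run afterwards: every cleared log, including the Application and Services ones, is recorded there with its name and the time.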
Clear-WinEvent Function
One of the reasons for creating a PowerShell function is that it's easy and useful to reuse the code, especially if you create them as Global:FunctionName. A crucial feature of this particular task is the ability to delete the message objects inside the log, and not the log itself; it is for this reason that I chose to use the verb 'Clear' in the function's name.
Here is a breakdown of the sections in my Clear-WinEvent function:
Function Clear-WinEvent { # I could have used: Global:Clear-WinEvent
Param (Parameters)
Process {Payload}
}
-Confirm
This is the code I used to create an extra safety feature, the -Confirm parameter:
[CmdletBinding(SupportsShouldProcess=$True)]
If ($PSCmdlet.ShouldProcess("Parameter Name", "Display message"))
{ Process}
The PowerShell Problem
Unfortunately, Get-Eventlog and its sister cmdlet Clear-Eventlog only work on the traditional Windows logs such as System and Application. While PowerShell v2.0 brings a new cmdlet called Get-WinEvent, which displays all the other 'Application and Services Logs', it has no parameter to remove their log entries. As Microsoft hasn't created a built-in cmdlet called Clear-WinEvent, we are going to construct one by accessing the EventLogSession class in the .NET Framework.
Solution 2: Clear-Eventlog: Clean ALL the Logs
A key feature of this script is the 'Foreach' construction, which loops through $AllLogs, deleting the records as it proceeds.
# PowerShell Function/Cmdlet to clear ALL of the Application and Service Logs
Function Global:Clear-WinEvent {
    [CmdletBinding(SupportsShouldProcess=$True)]
    Param
    ([String]$LogName)
    Process {
        If ($PSCmdlet.ShouldProcess("$LogName", "Clear log file"))
        {
            [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("$LogName")
        }
    } # End of Process section
} # End of creating the Clear-WinEvent function

# PowerShell script to clear ALL the Application and Service logs
Clear-Host
$AllLogs = Get-WinEvent -ListLog *
Start-Sleep -Seconds 3
Write-Host "Waiting for Clear-WinEvent to delete logs …."
Foreach ($Item in $AllLogs) {
    Clear-WinEvent $Item.LogName -Confirm
}
Write-Host "After cleaning"
Get-WinEvent -ListLog *
Note 4: To improve the 'Waiting…' message, you could experiment with Write-Progress; this is as far as I have got:
Write-Progress -Activity "Deleting logs" -Status $AllLogs.rank -percentcomplete ($AllLogs.Count)
Note 5: This time I created Clear-WinEvent as a Global function.
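A working version of the 'clear ALL' loop with the Write-Progress bar that Note 4 starts on, as an added example that is not part of the original page. It assumes the Clear-WinEvent function defined above is already loaded; it skips logs that are empty, keeps the per-log confirmation prompt, and records which logs were cleared, skipped, or refused (some logs are in use or access-protected) instead of aborting the run.

```powershell
# Added example, not from the original page. Assumes Clear-WinEvent (defined above) is loaded.
# Skip logs that are empty or cannot be listed; Get-WinEvent warns about some reserved logs
$AllLogs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 }
$Done = 0
$Results = Foreach ($Item in $AllLogs) {
    $Done++
    # -PercentComplete must stay within 0..100, so divide by the total rather than passing Count
    Write-Progress -Activity "Deleting logs" -Status $Item.LogName `
        -PercentComplete ([int](100 * $Done / $AllLogs.Count))
    Try {
        # -Confirm keeps the per-log prompt; answering No leaves that log untouched
        $null = Clear-WinEvent -LogName $Item.LogName -Confirm -ErrorAction Stop
        $After = (Get-WinEvent -ListLog $Item.LogName).RecordCount
        $Outcome = If ($After -eq 0) { 'cleared' } Else { 'skipped' }
    } Catch {
        # Some logs are in use or access-protected; record the failure and carry on
        $Outcome = $_.Exception.Message
    }
    [PSCustomObject]@{ LogName = $Item.LogName; Records = $Item.RecordCount; Outcome = $Outcome }
}
Write-Progress -Activity "Deleting logs" -Completed
$Results | Sort-Object Outcome | Format-Table -AutoSize
```

The final table is worth keeping alongside the backups: it is the operator's own record of which logs lost their entries and when.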
Help about_Functions_advanced_parameters
To improve the construction of our functions, Microsoft includes a handy help file within PowerShell. Take a look thus:
Clear-Host
Help about_Functions_Advanced
PowerShell functions include the following items:
- The precise keyword 'Function' followed by a name, typically a Verb-Noun pair. Tip: Always start with one of the existing PowerShell verbs.
- While parameters (param) are optional, you need them in all but the simplest functions.
- The process engine of the function containing the {PowerShell commands enclosed in braces}.
Where next? Check these 'about_Function…' help files.
Clear-Host
Help about_Functions_Advanced_Methods
# Help about_Functions_Advanced_Parameters
# Help about_Functions_CmdletBindingAttribute
# Help about_Functions_OutputTypeAttribute
# Help about_Parameters
Research Similar Cmdlets (Functions)
Once I find a PowerShell cmdlet, I like to look for similar cmdlets. To narrow the search I filter with the -Noun or -Verb parameter.
# PowerShell WinEvent Cmdlet Research
Get-Command -Noun WinEvent
Note 6: You could also try -Verb Clear.
Get-Help Clear-Eventlog Parameters
You may get ideas for your scripts by studying the sister cmdlet: Clear-Eventlog.
# Get more ideas
Clear-Host
Get-Help Clear-Eventlog -Full
For example, Clear-Eventlog has a -ComputerName parameter. PowerShell's help coupled with the -Full parameter also gives useful examples.
Summary of PowerShell Clear-WinEvent
I created this function because PowerShell has no built-in cmdlet to delete the messages in the Application and Services Logs. The reason I made my own function was that Clear-Eventlog only works on the handful of traditional Windows logs.
Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.