PowerShell Clear-WinEvent

How to Delete Windows Event Log Messages

Our mission is to 'zero' those dozens of Windows event logs that don't respond to PowerShell's native command: Clear-Eventlog.

To avoid disaster by being too gung-ho, I recommend that you practice with Get-WinEvent and Clear-Eventlog before you try my examples on this page.

PowerShell Clear-WinEvent Topics

• Planning the Clear-WinEvent Function
• The PowerShell Problem
• Solution 1: Create Clear-WinEvent Function
• Solution 2: Clean ALL the Logs
• Creating a Function Called Clear-WinEvent

 ♣

Planning the Clear-WinEvent Function

Rather than slavishly copying my script below, I recommend that you take the time to assimilate the overall plan.

Orientation to the Location : I am talking about the 150+ Application and Services Logs that you see in Event Viewer.  See screenshot to the right.

These are the same logs that you could find, and back up, in the
%SystemRoot%\System32\Winevt\Logs\

Understand the Function's Engine:
At the heart of the script is this EventLog class from .Net Framework
[System.Diagnostics.Eventing.Reader.EventLogSession]

Create the Function:
Our mission is to build a cmdlet function called Clear-WinEvent.

Clean (Delete) the Actual Log Entries:
Let us apply the parameter -LogName to a named log file; however for safety, please include the -Confirm parameter, which is especially useful if you plan to modify the script to zero all the logs.

PowerShell Solution 1: Create Clear-WinEvent

The first task should be to backup, or at least copy, the logs under:
%SystemRoot%\System32\Winevt\Logs. I found this task harder than I anticipated, and this is why I recommend the -Confirm parameter when testing.

Our second task is to pick-out one of the Application and Service logs to test the function.  We can use the built-in Get-WinEvent cmdlet / function to list the logs.

Note 1: Remember to use the -ListLog parameter, we will employ a similar parameter in the function we are going to build.  Also remember the wildcard* at the end of this command.  (Yes, I really meant -Windows-Windows*)

For my experiment, and for no particular reason, I selected this log:
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

Creating a Function called Clear-WinEvent

Here is an example of our function cleaning one of the firewall logs.

Note 2: As mentioned earlier, for safety I have incorporated the -Confirm parameter in the function.

Note 3: This is all one crucial command, if there is a problem then remove the backtick thus:
[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("$LogName")

Guy Recommends:  SolarWinds’ Log & Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Clear-WinEvent Function

One of the reasons for creating a PowerShell function is because it's easy and useful to reuse the code, especially if you create them as Global: FunctionName.  A crucial feature of this particular task is the ability to delete the message objects inside the log, and not the log itself; it is for this reason I choose use the verb 'Clear' in the function's name.

Here is a breakdown of the sections in my Clear-WinEvent function :

Function Name }   # I could have used: Global:Clear-WinEvent
Param (Parameters)
Process {Payload}
}

-Confirm
This is the code I used to create an extra safety feature, the -Confirm parameter:

[CmdletBinding(SupportsShouldProcess=$True)]

If ($PSCmdlet.ShouldProcess("Parameter Name", "Display message"))
{ Process}

See more on creating PowerShell functions »

The PowerShell Problem

Unfortunately, Get-Eventlog and its sister cmdlet Clear-Eventlog only work on the traditional Windows logs such as System and Application.  While PowerShell v 2.0 brings a new cmdlet called Get-WinEvent, which displays all the other 'Application and Services Logs', it has no parameter to remove their log entries.  As Microsoft hasn't created a built-in cmdlet called Clean-WinEvent we are going to construct one by accessing the EventLog class in .Net Framework.

Solution 2: Clear-Eventlog: Clean ALL the Logs

A key feature of this script is the 'Foreach' construction, which loops through $AllLogs, deleting the records as it proceeds.

Note 4: To improve the 'Waiting… ' message, you could experiment with Write-Progress, this is as far as I have got:
Write-Progress -Activity "Deleting logs" -Status $AllLogs.rank -percentcomplete ($AllLogs.Count)

Note 5: This time I created Clear-WinEvent as a Global function.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM) v11.5

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

Help about_Functions_advanced_parameters

To improve the construction of our functions, Microsoft include a handy help-file within PowerShell.  Take a look thus:

PowerShell functions include the following items:

• The precise keyword 'Function' followed by a name, typically a Verb-Noun pair.
  Tip: Always start with one of the existing PowerShell verbs.
• While parameters (param) are optional, you need them in all but the simplest functions.
• The process engine of the function containing the {PowerShell commands enclosed in braces}.

Where next?  Check these 'about_Function…' help files.

Research Similar Cmdlets (Functions)

Once I find a PowerShell cmdlet, I like to look for similar cmdlets.  To narrow the search I filter with the -Noun or -Verb parameter.

Note 6: You could also try -Verb Clear.

Get-Help Clear-Eventlog Parameters

You may get ideas for your scripts by studying the sister cmdlet: Clear-Eventlog.

For example, Clear-Eventlog has a -ComputerName parameter.  PowerShell's help coupled with the -Full parameter also gives useful examples. 

See more on Clear-Eventlog »

Summary of PowerShell Clear-WinEvent

I created this function because PowerShell has no built-in cmdlet to delete the messages in the Application and Services Logs.  The reason I made my own function was that Clear-Eventlog only works on the handful of traditional Windows logs.

See more PowerShell examples to read, write and list Windows event logs

• PowerShell Home   • Get-Eventlog   • EventVwr -list  • Clear-WinEvent Function   • Remote Eventlog

• PowerShell Limit-Eventlog   • Windows 8 Event Viewer   • Get-WinEvent  • Log Event Manager

• Write-Eventlog (Basic)   • PowerShell Write-Eventlog (Adv)  • PowerShell Clear-Eventlog

Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.