Windows Server Cookbook for Windows Server 2003 and Windows 2000
Recipe 8.7. Clearing the Events in an Event Log
Problem
You want to clear all of the events in an event log. Typically you do not want to do this unless you've backed up or archived the log. Clearing an event log without saving the events makes it very difficult to track down and troubleshoot problems later.
Solution
Using a graphical user interface
Using a command-line interface
The following command clears an event log:
> wmic /node:"<ServerName>" nteventlog where "Logfilename = '<LogName>'" Call ClearEventLog
Here is an example that clears the DNS Server log on server dns01:
> wmic /node:"dns01" nteventlog where "Logfilename = 'DNS Server'" Call ClearEventLog
Using VBScript
' This code clears all events from the specified event log.
' ------ SCRIPT CONFIGURATION ------
strLog = "<LogName>"        ' e.g., Application
strServer = "<ServerName>"  ' e.g., fs01 (use "." for local server)
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strServer & "\root\cimv2")
set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile Where " & _
                               "Logfilename = '" & strLog & "'")
if colLogs.Count <> 1 then
   WScript.Echo "Fatal error. Number of logs found: " & colLogs.Count
   WScript.Quit
end if
for each objLog in colLogs
   objLog.ClearEventLog
   WScript.Echo strLog & " cleared"
next
Discussion
If you clear the Security event log, event 517 is automatically generated in the Security log. This event indicates that the log was cleared and is important from an auditing perspective. Without event 517, you would have no way of knowing whether the Security log had previously been cleared. This doesn't happen for the other logs.
See Also
MS KB 315147 (HOW TO: Clear the Event Logs in Windows 2000)
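The audit check described in the Discussion, as an added example that is not code from the book: this VBScript lists every event 517 recorded in a server's Security log, so you can see when the log was cleared and under which account the event was logged. The local-server default and the DmtfToString helper are assumptions of this example.

```vbscript
' Added example: report "audit log cleared" events (ID 517) in the Security log.
Option Explicit
Dim strServer, objWMI, colEvents, objEvent, intCount

' ------ SCRIPT CONFIGURATION ------
strServer = "."   ' assumption: local server; use a name such as fs01 for a remote one
' ------ END CONFIGURATION ---------

' Reading the Security log through WMI requires the Security privilege,
' which is requested in the moniker.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & _
                       strServer & "\root\cimv2")

Set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent Where " & _
                                 "Logfile = 'Security' And EventCode = 517")

intCount = 0
For Each objEvent In colEvents
   intCount = intCount + 1
   WScript.Echo "Record " & objEvent.RecordNumber & ": Security log cleared at " & _
                DmtfToString(objEvent.TimeGenerated)
   WScript.Echo "  Computer: " & objEvent.ComputerName
   WScript.Echo "  User:     " & objEvent.User
   ' The message text names the account that requested the clear.
   WScript.Echo "  Message:  " & objEvent.Message
Next

If intCount = 0 Then
   WScript.Echo "No event 517 found in the Security log on " & strServer
Else
   WScript.Echo intCount & " event(s) 517 found on " & strServer
End If

' Converts a WMI DMTF datetime (yyyymmddHHMMSS.mmmmmm+UUU) to yyyy-mm-dd HH:MM:SS.
Function DmtfToString(strDmtf)
   DmtfToString = Left(strDmtf, 4) & "-" & Mid(strDmtf, 5, 2) & "-" & _
                  Mid(strDmtf, 7, 2) & " " & Mid(strDmtf, 9, 2) & ":" & _
                  Mid(strDmtf, 11, 2) & ":" & Mid(strDmtf, 13, 2)
End Function
```

Run it with cscript from an account that has rights to read the Security log on the target server.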