Remove From My Forums

Clear an event log with specific ID using Powershell

Question
0

Sign in to vote

Hi,

I need to do a search in system or security logs and find a special ID log (for example event id : 1022) and clears all of those logs

i tested

Get-EventLog "System" | Where-Object {$_.EventID -eq 16397}

and

Get-WinEvent "System" | Where-Object {$_.EventID -eq 16397}

but did not work, (Get Works but clear makes the below error) seems logs are not sent to these commands as separate identities

PS C:\> Get-EventLog "System" | Where-Object {$_.EventID -eq 16397} | Clear-EventLog
Clear-EventLog : Object reference not set to an instance of an object.
At line:1 char:78
+ Get-EventLog "System" | Where-Object {$_.EventID -eq 16397} | Clear-EventLog <<<<
+ CategoryInfo : NotSpecified: (:) [Clear-EventLog], NullReferenceException
+ FullyQualifiedErrorId : System.NullReferenceException,Microsoft.PowerShell.Commands.ClearEventLogCommand

Payne is back

Sunday, May 12, 2013 6:25 AM

Answers

1

Sign in to vote
Seems so bad

Yes, seems so. But one poster of this thread, where the same problem is thoroughly discussed, advices to create custom view on your event log as a kind of work around.

wizend
- Proposed as answer by Yan Li_ Wednesday, May 15, 2013 3:05 AM
- Marked as answer by Yan Li_ Tuesday, May 21, 2013 2:38 AM
Sunday, May 12, 2013 6:34 PM

All replies

0

Sign in to vote
Hi,

i think you can not delete entries in the eventlogs. But if you would see only new entries for your EventID's you can this do in this way.

Get-EventLog -LogName System -Index 18916 -After (get-date).AddHours(-12)

Get-EventLog "System" -After (get-date).AddHours(-12) | Where-Object {$_.EventID -eq 16397}

Best regards
brima
- Edited by brima Sunday, May 12, 2013 11:23 AM
Sunday, May 12, 2013 11:16 AM
1

Sign in to vote

Thanks Brima but that is not i want

i can use a simple filtering to see those (time, ID and ..)

but i want them to be deleted ?

really no way to delete log entries using a command line ?

maybe i should use wevtutil but seems it cannot do that too

Payne is back

Sunday, May 12, 2013 12:58 PM
0

Sign in to vote
You can use the cmdlet Remove-Event, but, I'm afraid, it won't help you, because it removes the events only from the current event queue and that exists only in your current session. I'm not sure, if you 're able to delete a choice of entries from the actual event log. These logs exist as '.evtx' files deep within your System32 directory and that aren't simple text files. The system creates the text represantation only when needed (for details, read this msdn article with a lot of links to other sides).

Be carefull with that 'Clear-EventLog' cmdlet. It deletes all entries from the specified log; not sure if you would really want to do this.

BTW, the objects returned by Get-WinEvent don't have the old property 'EventId', they have simple 'Id' instead.

Kind regards,

wizend
- Edited by Wizend Sunday, May 12, 2013 3:48 PM
Sunday, May 12, 2013 3:47 PM
0

Sign in to vote

Seems so bad

Isn't there any way to select some ID in the event log and export or delete it from a command line (as a scheduled task and with the command line)

what about wevtutil ?
Payne is back

Sunday, May 12, 2013 4:49 PM
1

Sign in to vote
Seems so bad

Yes, seems so. But one poster of this thread, where the same problem is thoroughly discussed, advices to create custom view on your event log as a kind of work around.

wizend
- Proposed as answer by Yan Li_ Wednesday, May 15, 2013 3:05 AM
- Marked as answer by Yan Li_ Tuesday, May 21, 2013 2:38 AM
Sunday, May 12, 2013 6:34 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Clear an event log with specific ID using Powershell

Question

Answers

All replies