Remove From My Forums

How to delete event logs automatically from C:\Windows\System32\winevt\Logs folder

Question
0

Sign in to vote

Hi, I have enabled archive option for my windows logs in the event viewer. The archive logs are growing very fast and is taking up a lot of disk space. Anyone knows is there a way to delete the archive logs automatically so that only a few days are retain?

I tried to create a batch file but it cannot move or delete any files from that folder. Somehow that folder permissions are different from the rest.

Is it possible?

Friday, December 14, 2012 10:19 AM

Answers

5

Sign in to vote
When you clear an event log, the operating system does not delete the previous event log file. Instead,

Windows creates a new 64 KB log file that replaces the old log file because

the disk drive sectors are overwritten and filled with new information, you cannot retrieve records from a cleared event log using an undelete tool.

You can also follow the given link for more detail..

Technet blog you can also go for a third party tool for event log monitoring in case
- Marked as answer by Boo_MonstersInc Wednesday, December 19, 2012 7:13 AM
- Unmarked as answer by ironmanwannabe Friday, December 21, 2012 5:52 AM
- Marked as answer by Santosh Bhandarkar Friday, March 22, 2013 3:20 AM
Monday, December 17, 2012 1:12 PM
2

Sign in to vote
Hi,

You need to first stop Windows Event Log service to be able to delete/move the log files manually or through script.

Here is what you can try, create a batch file which would first stop the event log service and then move/delete the log files as per the criteria specified and start event log service again once logs are deleted/moved.

Also, have a look at following thread

Is it safe to delete .evtx files mannualy?

Thanks
Regards, Santosh

I do not represent the organisation I work for, all the opinions expressed here are my own.

This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.
- Proposed as answer by Ravikumar Pulagouni Monday, December 17, 2012 1:16 PM
- Marked as answer by Boo_MonstersInc Wednesday, December 19, 2012 7:13 AM
- Unmarked as answer by ironmanwannabe Friday, December 21, 2012 5:52 AM
- Marked as answer by Santosh Bhandarkar Friday, March 22, 2013 3:20 AM
Friday, December 14, 2012 10:45 AM

All replies

2

Sign in to vote
Hi,

You need to first stop Windows Event Log service to be able to delete/move the log files manually or through script.

Here is what you can try, create a batch file which would first stop the event log service and then move/delete the log files as per the criteria specified and start event log service again once logs are deleted/moved.

Also, have a look at following thread

Is it safe to delete .evtx files mannualy?

Thanks
Regards, Santosh

I do not represent the organisation I work for, all the opinions expressed here are my own.

This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.
- Proposed as answer by Ravikumar Pulagouni Monday, December 17, 2012 1:16 PM
- Marked as answer by Boo_MonstersInc Wednesday, December 19, 2012 7:13 AM
- Unmarked as answer by ironmanwannabe Friday, December 21, 2012 5:52 AM
- Marked as answer by Santosh Bhandarkar Friday, March 22, 2013 3:20 AM
Friday, December 14, 2012 10:45 AM
5

Sign in to vote
When you clear an event log, the operating system does not delete the previous event log file. Instead,

Windows creates a new 64 KB log file that replaces the old log file because

the disk drive sectors are overwritten and filled with new information, you cannot retrieve records from a cleared event log using an undelete tool.

You can also follow the given link for more detail..

Technet blog you can also go for a third party tool for event log monitoring in case
- Marked as answer by Boo_MonstersInc Wednesday, December 19, 2012 7:13 AM
- Unmarked as answer by ironmanwannabe Friday, December 21, 2012 5:52 AM
- Marked as answer by Santosh Bhandarkar Friday, March 22, 2013 3:20 AM
Monday, December 17, 2012 1:12 PM
0

Sign in to vote

With the greatest respect and in light of you being so helpful, I'm not as sure as other folks that your information is especially helpful for this question, as it's more applicable to older versions of Windows - hence your link to the Windows 2000 scripting guide.

You talk about clearing the logs, rather than the Archiving option, which of course only became available from Windows 2008 onwards.

Thursday, January 29, 2015 11:26 AM
0

Sign in to vote
Hello, I have no problem deleting archived evtx files from the folder C:\Windows\System32\winevt\Logs without stopping any services - that's on a 2008 R2 server.
- Edited by TimC1 Thursday, January 29, 2015 11:32 AM
Thursday, January 29, 2015 11:32 AM
6

Sign in to vote
Hi,

I guess below command will fix your problem.

forfiles -p c:\windows\system32\winevt\logs\ -m *.evtx -d -5 -c "cmd /c del @path"

Where -5 is the age of the files you want to delete (5 days or older in this case). This
script is deleting .evtx files - drop the -m *.evtx if you want to delete any
file type.

Create the schedule task to run this cmd everyday.

Regards,

SreeM
- Edited by Sree8133 Thursday, January 29, 2015 1:56 PM
Thursday, January 29, 2015 1:41 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

How to delete event logs automatically from C:\Windows\System32\winevt\Logs folder

Question

Answers

All replies