Event-Log Clearing

    Question

  • Hello,

    what command can be used to delete entries from the event log that are more than 7 days old, for example?

    I'm not concerned with downsizing, more about purposefully erasing a period of time.

    Thanks for all your help!


    Thanks and kind regards, Oliver Richter

    Wednesday, May 15, 2019 8:32 AM

All replies

  • Hi Oliver,

    Unfortunately, you cannot delete/clear events from a specific time or time frame; the Clear-EventLog PowerShell cmdlet or "Clear Log" from the Event Viewer GUI will clear all events.


    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    • Proposed as answer by Leon Laude Monday, May 20, 2019 6:14 AM
    Wednesday, May 15, 2019 8:41 AM
  • Thanks @Leon

    My concern is that on one of our servers, however, this is exactly what is happening.
    There was a data loss in the period of 10:30-11:30 a.m.
    After a first search, the security logs were still visible for this period; after about 60 minutes, the security logs were missing all at once for exactly this period.

    So it's important for me to know if you can change the log so purposefully and if not, then it has to be a hacker.


    Thanks and kind regards, Oliver Richter

    Wednesday, May 15, 2019 3:50 PM
  • Was the system down during that time? That is another scenario where there aren't any logs.

    Blog: https://thesystemcenterblog.com

    Wednesday, May 15, 2019 3:54 PM
  • Hi,

    Thank you for posting in Microsoft TechNet Forum.

    I'm afraid that you can't change the log purposefully. You need to check why security logs were missing.

    If you want to delete entries from the event log, please refer to the above method mentioned by Leon.

    Meanwhile, I found a post that may describe a similar issue to yours; please refer to it:

    https://serverfault.com/questions/8339/how-can-i-remove-specific-events-from-the-event-log-in-windows-server-2008

    Note: This is a third-party link and we do not have any guarantees on this website. This is just for your convenience. And Microsoft does not make any guarantees about the content.

    Best regards,

    Hurry


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, May 16, 2019 5:59 AM
  • Hi,

    How is this issue going, please?

    Please let me know if you need further help.

    Best regards,

    Hurry




    Sunday, May 19, 2019 1:59 PM
  • Hi @Hurry,

    the case was more forensic in nature for us. 

    My main concern was to know whether you could manipulate the event log like this or not using normal methods. If tools were necessary, then a person with expertise must have manipulated it.

    Thank you for your help.


    Thanks and kind regards, Oliver Richter

    Monday, May 20, 2019 6:11 AM
  • Hi,

    Thank you for your feedback.

    I'm afraid that you can't do it. 

    Best regards,

    Hurry



    Thursday, May 23, 2019 7:09 AM
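
The following is an added example, not written by anyone in this thread: a PowerShell check for the situation Oliver describes, reporting holes in a log's RecordId sequence and unusually long silent periods. The function name `Find-EventLogGap`, the 10-minute threshold and the sample records are assumptions constructed for illustration.

```powershell
# Added example. Find-EventLogGap, the 10-minute threshold and the sample
# records are illustrative assumptions, not taken from the thread.
function Find-EventLogGap {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # needs RecordId, TimeCreated
        [timespan] $MaxQuiet = (New-TimeSpan -Minutes 10)
    )
    $sorted = @($Events | Sort-Object RecordId)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $prev = $sorted[$i - 1]
        $cur  = $sorted[$i]
        # Record IDs normally increase by 1 within a log, so a jump means
        # records that were once written are no longer present.
        $missing = $cur.RecordId - $prev.RecordId - 1
        $quiet   = $cur.TimeCreated - $prev.TimeCreated
        if ($missing -gt 0 -or $quiet -gt $MaxQuiet) {
            [pscustomobject]@{
                AfterRecordId  = $prev.RecordId
                BeforeRecordId = $cur.RecordId
                MissingRecords = $missing
                From           = $prev.TimeCreated
                To             = $cur.TimeCreated
                Finding        = if ($missing -gt 0) { 'RecordId gap' } else { 'Time gap only' }
            }
        }
    }
}

# Constructed sample: records 5003-5040 are absent between 10:29 and 11:31.
$t0 = [datetime]'2019-05-15T10:28:00'
$sample = @(
    [pscustomobject]@{ RecordId = 5001; TimeCreated = $t0 }
    [pscustomobject]@{ RecordId = 5002; TimeCreated = $t0.AddMinutes(1) }
    [pscustomobject]@{ RecordId = 5041; TimeCreated = $t0.AddMinutes(63) }
    [pscustomobject]@{ RecordId = 5042; TimeCreated = $t0.AddMinutes(64) }
)
Find-EventLogGap -Events $sample | Format-List

# On a live host (elevated session), run it against the real log, then rule out
# ordinary causes: Security 1102 / System 104 = log cleared,
# System 6005/6006 = Event Log service started/stopped (reboot or downtime).
# Find-EventLogGap -Events (Get-WinEvent -LogName Security)
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 }
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104, 6005, 6006 }
```

A "RecordId gap" finding means records that were once written are no longer in the log; a "Time gap only" finding with continuous IDs means nothing was recorded in that period, as with the downtime Leon asks about.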