Solved

Clear event log from command line?

Posted on 2000-03-10
6,728 Views
Last Modified: 2013-12-28
How can I clear the event log from the command line?  I don't want to set it to overwrite as needed... I actually need the functionality to clear it.
thanks-

Jeremy
Question by:j-enos
33 Comments

Expert Comment by SysExpert (LVL 63), ID: 2604977
I think there is something in the NT resource kit. No, There is stuff for dumping and adding events manually. Nothing for clearing the log. Probably considered a security risk. I'll keep looking.

Author Comment by j-enos, ID: 2604993
I can't believe it would be a security risk... should use the same authentication as the GUI mode for clearing the log.  I'll have a look into the rk as well...  

Author Comment by j-enos, ID: 2605076
You know... I did think of a way I might be able to do it.  What if I stopped the eventlog service and copied fresh versions of sysevent.evt and appevent.evt over the originals?  I want to do it across multiple machines though, and I'm not sure if there is residual identity information left in the file or not... it's got some binary info left after clearing, so I can't tell.
Either way... I couldn't even try it.  I couldn't stop the event log service... maybe because SNMP depends on it.  I tried stopping SNMP, and that just hung the attempt and never stopped it.  Arrgh...  seemed like a good idea.  :)

Accepted Solution by Tim Holman (LVL 23), earned 300 total points, ID: 2605187
Look at :

http://www.doriansoft.com/

(and his event archiver software)

Expert Comment by omere (LVL 1), ID: 2605854
dumpel.exe (from the resource kit) can also clear the event log (along with dumping it).

I also recall seeing clevent.exe, but not where I saw it.

Author Comment by j-enos, ID: 2605876
I checked all documentation available for dumpel.exe and I could not find any mention of clearing the log.  I can't find any such file as clevent.exe. Do you remember who made it?

Expert Comment by omere (LVL 1), ID: 2605993
Where did you get your version of dumpel? (I'd ask what version it is, but I'm at home and have no reference here).

I searched for clevent, but only came up with this: http://rcswww.urz.tu-dresden.de/~fh/nt/eventlog/EventSave.zip, which does the same thing.

BTW, the easiest way, using Perl:
use Win32::EventLog;
Win32::EventLog->new("Application")->Clear;


Author Comment by j-enos, ID: 2606056
I'm a perl novice...  wouldn't that require an interpreter on every client?

Author Comment by j-enos, ID: 2606210
I had to give the answer to the first one that gave me the functionality... however, now that I'm using that software, I'm realizing that it's not the perfect solution either.  It doesn't allow instant archiving (which clears the eventlog) except for one log and one machine at a time.  That is, unless you reconfigure each one and schedule it... which is what I have to do.  So every time I want to dump the logs, I have to re-register each machine with a scheduled dump time.  At least this is the way it appears.  My eyes are still open to another solution, and I wish there was a way I could offer points for it.

Expert Comment by omere (LVL 1), ID: 2606276
You don't need Perl on every machine, just the one that you are running it on.

Like so:

use Win32::EventLog;
Win32::Eventog->New("Application", @ARGV)->Clear;

It would accept command-line parameters, so for example:

cl.pl \\myserver

That's it.

Author Comment by j-enos, ID: 2606528
I would love for your solution to work... but here's what it returns-

Can't locate object method "New" via package "Win32::Eventog" at Z:\clev.pl line 2.

Jeremy

Expert Comment by omere (LVL 1), ID: 2606599
My bad, new, not New (note case).

Author Comment by j-enos, ID: 2607210
Same result...

Can't locate object method "new" via package "Win32::Eventog" at clev.pl line 2.

Expert Comment by omere (LVL 1), ID: 2607483
Again, a typo.

It's EventLog, not Eventog.

Let's recap:
use Win32::EventLog;
Win32::EventLog->new("Application", @ARGV)->Clear;

I don't have an NT server here, else I'd check it.

Author Comment by j-enos, ID: 2610708
You can kick me for not seeing that one...  but I changed it and once again, I don't know what to do.  I don't know what to make of this.

usage: OBJECT->Clear( FILENAME )

Expert Comment by omere (LVL 1), ID: 2613699
Pass Clear either the filename to dump the log into before clearing it, or null to just clear it - Clear("");

Author Comment by j-enos, ID: 2613841
Please repost that as an answer so I can give you credit... Thank you so much!

Jeremy

Expert Comment by omere (LVL 1), ID: 2613895
Uh, well, you already gave the credit for the question to
Tim Holman, so I cannot answer again (it's a closed question).

Don't worry about it though.

Author Comment by j-enos, ID: 2614380
Ooops... sorry... I was looking at a different question I had up and got my wires crossed.

Expert Comment by Tim Holman (LVL 23), ID: 2619561
Post a Q up in community support to get the points reassigned.
Don't be so trigger happy with the 'accept comment as answer' button!

Author Comment by j-enos, ID: 2620737
omere... I can make the solution you gave me work fine, but just so I know- is there an easy way to make your 2 line script clear a log on a remote machine?
thx again-

Jeremy

Expert Comment by omere (LVL 1), ID: 2620844
Uh yeah, that's the whole point.

Just pass the name of the remote machine on the command line.

If you want it hardcoded (though I fail to see why), then:
use Win32::EventLog;
$serverName = "\\\\server1";   # each backslash must be escaped in a double-quoted string to get \\server1
Win32::EventLog->new("Application", $serverName)->Clear("");

Author Comment by j-enos, ID: 2624650
That would seem like a good idea, but it doesn't work.  Here is what I've got...

use Win32::EventLog;
Win32::EventLog->new("System", @ARGV)->Clear("out.evt");

and if I type at the command line (with all appropriate permissions)

clsys.pl \\machinename

It doesn't do anything.

Expert Comment by omere (LVL 1), ID: 2625468
Try it hardcoded (as in my above example), see if it works.

If it does, substitute @ARGV for $ARGV[0];

I'd try it, but there are no NT servers around this place.
No reason why it shouldn't work, but if it doesn't, let me know
and I'll check it when I'm at work.

Author Comment by j-enos, ID: 2625595
Nope- still doesn't work (either way).  Thanks for checking for me.

Author Comment by j-enos, ID: 2629515
I could try and run it locally on the machines via rcmd, but I can't install perl on the remote machines... do you know which files are needed by perl.exe to do the eventlog stuff?

Author Comment by j-enos, ID: 2646113
omere- were you ever able to get the script to work on a remote machine?
thx-

Jeremy

Expert Comment by omere (LVL 1), ID: 2646568
I forgot all about it till I got an email about your comment.

I'll have to check tomorrow.

Author Comment by j-enos, ID: 2655558
I finally found a sample on a web site that I was able to make into something that worked.  Here it is:

use strict;
use warnings;
use Win32::EventLog;

die "usage: $0 servername\n" unless @ARGV;

my $myServer = "\\\\$ARGV[0]";     # your servername here, as \\server (backslashes escaped)
my $dest;

for my $eventLog ("System", "Application") {
        my $handle = Win32::EventLog->new($eventLog, $myServer)
                or die "Can't open $eventLog EventLog on $myServer\n";

        # The backup is written by the event log service on the target machine,
        # so this path refers to the target's C: drive, not the local one.
        $dest = "c:\\$ARGV[0]-$eventLog.evt";
        $handle->Clear($dest)
                or warn "Could not backup and clear the $eventLog EventLog on $myServer ($^E)\n";

        $handle->Close;
}


thanks for all your help!

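The same archive-then-clear pattern extended to several servers at once, as an added example that is not part of the original post. It assumes the Win32::EventLog module used throughout the thread, admin rights on each target, and that the backup folder (the hypothetical c:\evtbackup) already exists on each target machine.

```perl
#!/usr/bin/perl
# Archive and clear the System and Application logs on every server named on
# the command line. Added example; assumes Win32::EventLog is installed on the
# machine running this script and the account has admin rights on each target.
use strict;
use warnings;
use Win32::EventLog;

die "usage: $0 server [server ...]\n" unless @ARGV;

# Folder on the TARGET machine that receives the backup .evt files (assumed to
# exist). The event log service on the target writes the backup, so the path
# is resolved there, not on the machine running this script.
my $backup_dir = 'c:\\evtbackup';

# Opens one log on one server, backs it up and clears it. Returns a one-line
# result so the caller can report every server/log pair instead of dying midway.
sub archive_and_clear {
    my ($server, $log) = @_;
    my $unc = "\\\\$server";                  # \\server form, backslashes escaped
    my $handle = Win32::EventLog->new($log, $unc)
        or return "open failed ($^E)";

    my $records = 0;
    $handle->GetNumber($records);             # entries about to be archived

    # A timestamp keeps names unique: ClearEventLog fails rather than
    # overwrite an existing backup file.
    my $dest = "$backup_dir\\$server-$log-" . time() . ".evt";
    my $ok   = $handle->Clear($dest);
    my $err  = $^E;                           # capture before Close() runs
    $handle->Close;

    return $ok ? "archived $records records to $dest, log cleared"
               : "clear failed ($err)";
}

for my $server (@ARGV) {
    for my $log ("System", "Application") {
        printf "%-16s %-12s %s\n", $server, $log, archive_and_clear($server, $log);
    }
}
```

Run it as `clearlogs.pl server1 server2`; a failed open or clear on one server is reported on its line and the remaining servers are still processed.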

Expert Comment by omere (LVL 1), ID: 2655734
Does exactly the same thing, except they Close the connection.

Maybe that's why it didn't work for you.

Expert Comment by duyenoyama, ID: 26557680
This will work on non-Home OSes:

wmic nteventlog where (LogFileName="Application") call ClearEventLog
wmic nteventlog where (LogFileName="System") call ClearEventLog
wmic nteventlog where (LogFileName="Security") call ClearEventLog
wmic nteventlog where (LogFileName="Internet Explorer") call ClearEventLog