Solved

Clear event log from command line?

Posted on 2000-03-10
6,650 Views
Last Modified: 2013-12-28
How can I clear the event log from the command line?  I don't want to set it to overwrite as needed... I actually need the functionality to clear it.
thanks-

Jeremy
0
Question by:j-enos
33 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 2604977
I think there is something in the NT resource kit. No, There is stuff for dumping and adding events manually. Nothing for clearing the log. Probably considered a security risk. I'll keep looking.
0
 

Author Comment

by:j-enos
ID: 2604993
I can't believe it would be a security risk... should use the same authentication as the GUI mode for clearing the log.  I'll have a look into the rk as well...  
0
 

Author Comment

by:j-enos
ID: 2605076
You know... I did think of a way I might be able to do it.  What if I stopped the eventlog service and copied fresh versions of sysevent.evt and appevent.evt over the originals?  I want to do it across multiple machines though, and I'm not sure if there is residual identity information left in the file or not.. it's got some binary info left after clearing, so I can't tell.
Either way... I couldn't even try it.  I couldn't stop the event log service... maybe because SNMP depends on it.  I tried stopping SNMP, and that just hung the attempt and never stopped it.  Arrgh...  seemed like a good idea.  :)
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2605186
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 100 total points
ID: 2605187
Look at :

http://www.doriansoft.com/

(and his event archiver software)
0
 
LVL 1

Expert Comment

by:omere
ID: 2605854
dumpel.exe (from the resource kit) can also clear the event log (along with dumping it).

I also recall seeing clevent.exe, but not where I saw it.
0
 

Author Comment

by:j-enos
ID: 2605876
I checked all documentation available for dumpel.exe and I could not find any mention of clearing the log.  I can't find any such file clevent.exe. Do you remember who made it?
0
 
LVL 1

Expert Comment

by:omere
ID: 2605993
Where did you get your version of dumpel? (I'd ask what version it is, but I'm at home and have no reference here).

I searched for clevent, but only came up with this: http://rcswww.urz.tu-dresden.de/~fh/nt/eventlog/EventSave.zip, which does the same thing.

BTW, the easiest way, using Perl:
use Win32::EventLog;   # semicolon needed after the use statement
Win32::EventLog->new("Application")->Clear;

0
 

Author Comment

by:j-enos
ID: 2606056
I'm a perl novice...  wouldn't that require an interpreter on every client?
0
 

Author Comment

by:j-enos
ID: 2606210
I had to give the answer to the first one that gave me the functionality... however, now that I'm using that software, I'm realizing that it's not the perfect solution either.  It doesn't allow instant archiving (which clears the eventlog) except for one log and one machine at a time.  That is, unless you reconfigure each one and schedule it... which is what I have to do.  So every time I want to dump the logs, I have to re-register each machine with a scheduled dump time.  At least this is the way it appears.  My eyes are still open to another solution, and I wish there was a way I could offer points for it.
0
 
LVL 1

Expert Comment

by:omere
ID: 2606276
You don't need Perl on every machine, just the one that you are running it on.

Like so:

use Win32::EventLog;
Win32::Eventog->New("Application", @ARGV)->Clear;

It would accept command-line parameters, so for example:

cl.pl \\myserver

That's it.
0
 

Author Comment

by:j-enos
ID: 2606528
I would love for your solution to work... but here's what it returns-

Can't locate object method "New" via package "Win32::Eventog" at Z:\clev.pl line 2.

Jeremy
0
 
LVL 1

Expert Comment

by:omere
ID: 2606599
My bad, new, not New (note case).
0
 

Author Comment

by:j-enos
ID: 2607210
Same result...

Can't locate object method "new" via package "Win32::Eventog" at clev.pl line 2.
0
 
LVL 1

Expert Comment

by:omere
ID: 2607483
Again, a typo.

It's EventLog, not Eventog.

Let's recap:
use Win32::EventLog;
Win32::EventLog->new("Application", @ARGV)->Clear;

I don't have an NT server here, else I'd check it.
0
 

Author Comment

by:j-enos
ID: 2610708
You can kick me for not seeing that one...  but I changed it and once again, I don't know what to do.  I don't know what to make of this.

usage: OBJECT->Clear( FILENAME )
0
 
LVL 1

Expert Comment

by:omere
ID: 2613699
Pass Clear either the filename to dump the log into before clearing it, or null to just clear it - Clear("");
0
 

Author Comment

by:j-enos
ID: 2613841
Please repost that as an answer so I can give you credit... Thank you so much!

Jeremy
0
 
LVL 1

Expert Comment

by:omere
ID: 2613895
Uh, well, you already gave the credit for the question to
Tim Holman, so I cannot answer again (it's a closed question).

Don't worry about it though.
0
 

Author Comment

by:j-enos
ID: 2614380
Ooops... sorry... I was looking at a different question I had up and got my wires crossed.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 2619561
Post a Q up in community support to get the points reassigned.
Don't be so trigger happy with the 'accept comment as answer' button !
0
 

Author Comment

by:j-enos
ID: 2620737
omere... I can make the solution you gave me work fine, but just so I know- is there an easy way to make your 2 line script clear a log on a remote machine?
thx again-

Jeremy
0
 
LVL 1

Expert Comment

by:omere
ID: 2620844
Uh yeah, that's the whole point.

Just pass the name of the remote machine on the command line.

If you want it hardcoded (though I fail to see why), then:
use Win32::EventLog;
$serverName = "\\\\server1";   # each "\\" in a double-quoted Perl string is one backslash, so this yields \\server1
Win32::EventLog->new("Application", $serverName)->Clear("");
0
 

Author Comment

by:j-enos
ID: 2624650
That would seem like a good idea, but it doesn't work.  Here is what I've got...

use Win32::EventLog;
Win32::EventLog->new("System", @ARGV)->Clear("out.evt");

and if I type at the command line (with all appropriate permissions)

clsys.pl \\machinename

It doesn't do anything.
0
 
LVL 1

Expert Comment

by:omere
ID: 2625468
Try it hardcoded (as in my above example), see if it works.

If it does, substitute @ARGV for $ARGV[0];

I'd try it, but there are no NT servers around this place.
No reason why it shouldn't work, but if it doesn't, let me know
and I'll check it when I'm at work.
0
 

Author Comment

by:j-enos
ID: 2625595
Nope- still doesn't work (either way).  Thanks for checking for me.
0
 

Author Comment

by:j-enos
ID: 2629515
I could try and run it locally on the machines via rcmd, but I can't install perl on the remote machines... do you know which files are needed by perl.exe to do the eventlog stuff?
0
 

Author Comment

by:j-enos
ID: 2646113
omere- were you ever able to get the script to work on a remote machine?
thx-

    Jeremy
0
 
LVL 1

Expert Comment

by:omere
ID: 2646568
I forgot all about it till I got an email about your comment.

I'll have to check tomorrow.
0
 

Author Comment

by:j-enos
ID: 2655558
I finally found a sample on a web site that I was able to make into something that worked.  Here it is:

use strict;
use warnings;
use Win32::EventLog;

my $myServer = "\\\\$ARGV[0]";     # server name from the command line, in UNC form \\server
my $dest;

for my $eventLog ("System", "Application") {
    my $handle = Win32::EventLog->new($eventLog, $myServer)
        or die "Can't open $eventLog EventLog on $myServer\n";

    # Clear() with a filename backs the log up to that file before clearing it
    $dest = "c:\\$ARGV[0]-$eventLog.evt";
    $handle->Clear($dest)
        or warn "Could not backup and clear the $eventLog EventLog on $myServer ($^E)\n";

    $handle->Close;
}


thanks for all your help!

0
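Building on the script above, an added example (not from the thread) that takes several machine names and archives each log to a dated file before clearing it, reporting per-log failures instead of stopping at the first. The archive directory and file naming are assumptions; the backup path is interpreted by the Event Log service on the machine whose log is cleared, so it lands on that machine unless a UNC path is given.

```perl
use strict;
use warnings;
use Win32::EventLog;

# Constructed example: archive and clear the System and Application logs
# on every machine named on the command line.
# Usage:  clrlogs.pl server1 server2 ...
# Archives go to C:\evtarchive\<server>-<log>-<yyyymmdd>.evt (assumed path,
# created on the target machine by its Event Log service).
my $archiveDir = 'C:\\evtarchive';
my @logs       = ('System', 'Application');

die "usage: $0 server [server ...]\n" unless @ARGV;

my @t     = localtime;
my $stamp = sprintf '%04d%02d%02d', $t[5] + 1900, $t[4] + 1, $t[3];

for my $machine (@ARGV) {
    # Win32::EventLog wants the UNC form \\server; in a double-quoted Perl
    # string each "\\" is a single backslash, hence four of them here.
    my $server = "\\\\$machine";

    for my $log (@logs) {
        my $handle = Win32::EventLog->new($log, $server);
        unless ($handle) {
            warn "$machine: cannot open $log log ($^E)\n";
            next;
        }

        # Clear() with a filename writes a backup .evt before clearing, so the
        # records are retained for later review; Clear("") would discard them.
        my $dest = "$archiveDir\\$machine-$log-$stamp.evt";
        if ($handle->Clear($dest)) {
            print "$machine: $log archived to $dest and cleared\n";
        } else {
            warn "$machine: could not archive and clear $log ($^E)\n";
        }

        $handle->Close;
    }
}
```

The account running the script needs the right to clear the log on each target, and the archive directory must already exist on the target machine.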
 
LVL 1

Expert Comment

by:omere
ID: 2655734
Does exactly the same thing, except they Close the connection.

Maybe that's why it didn't work for you.
0
 

Expert Comment

by:duyenoyama
ID: 26557680
This will work on non-Home OSes:

wmic nteventlog where (LogFileName="Application") call ClearEventLog
wmic nteventlog where (LogFileName="System") call ClearEventLog
wmic nteventlog where (LogFileName="Security") call ClearEventLog
wmic nteventlog where (LogFileName="Internet Explorer") call ClearEventLog
0
