j-enos

asked on

Clear event log from command line?

How can I clear the event log from the command line?  I don't want to set it to overwrite as needed... I actually need the functionality to clear it.
thanks-

Jeremy
SysExpert

I think there is something in the NT resource kit. No, there is stuff for dumping and adding events manually. Nothing for clearing the log. Probably considered a security risk. I'll keep looking.
j-enos (ASKER)

I can't believe it would be a security risk... should use the same authentication as the GUI mode for clearing the log.  I'll have a look into the rk as well...  
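An added check, not part of the original thread: on Windows Vista/2008 and later, clearing a log is itself written to the event log, so a cleanup run of the kind discussed here leaves a trail that a defender (or the same admin, auditing a fleet) can query. Clearing the Security log writes Event ID 1102 ("The audit log was cleared") to the Security log; clearing any other log (System, Application, ...) writes Event ID 104 to the System log, naming the cleared log and the account. The NT/2000/XP generation this thread was written for used Event ID 517 for the Security-log case instead. The PowerShell below assumes Get-WinEvent is available (Vista/2008 or later), that the caller has the rights needed to read the Security log on each target, and that remote event log access is permitted; the computer names are placeholders.

```powershell
# Added example (not from the thread): list the audit records that a log clear leaves behind.
# Assumes Windows Vista/2008 or later on every target and read access to their Security logs.
function Get-LogClearEvents {
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [datetime] $Since = (Get-Date).AddDays(-7)
    )

    foreach ($computer in $ComputerName) {
        # 1102 lands in the Security log when the Security log is cleared;
        # 104 lands in the System log when any other log is cleared.
        $filters = @(
            @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
            @{ LogName = 'System';   Id = 104;  StartTime = $Since }
        )

        foreach ($filter in $filters) {
            # Get-WinEvent raises a non-terminating error when nothing matches; that is
            # the normal "no clears happened" case, so it is silenced here.
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer    = $computer
                        TimeCreated = $_.TimeCreated
                        Id          = $_.Id
                        Log         = $_.LogName
                        UserSid     = $_.UserId          # SID of the clearing account, when recorded
                        Summary     = ($_.Message -split "`n")[0]
                    }
                }
        }
    }
}

# Usage (placeholder machine names): show every log clear in the last 30 days.
Get-LogClearEvents -ComputerName 'server1', 'server2' -Since (Get-Date).AddDays(-30) |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

The 104 record's message text names the log that was cleared, so a fleet-wide run of this function is the quickest way to confirm that a scheduled archive-and-clear job actually ran on every machine, and, conversely, to spot a clear nobody scheduled.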
j-enos (ASKER)

You know... I did think of a way I might be able to do it.  What if I stopped the eventlog service and copied fresh versions of sysevent.evt and appevent.evt over the originals?  I want to do it across multiple machines though, and I'm not sure if there is residual identity information left in the file or not.. it's got some binary info left after clearing, so I can't tell.
Either way... I couldn't even try it.  I couldn't stop the event log service... maybe because SNMP depends on it.  I tried stopping SNMP, and that just hung the attempt and never stopped it.  Arrgh...  seemed like a good idea.  :)
ASKER CERTIFIED SOLUTION
Tim Holman

dumpel.exe (from the resource kit) can also clear the event log (along with dumping it).

I also recall seeing clevent.exe, but not where I saw it.
j-enos (ASKER)

I checked all documentation available for dumpel.exe and I could not find any mention of clearing the log.  I can't find any such file clevent.exe. Do you remember who made it?
Where did you get your version of dumpel? (I'd ask what version it is, but I'm at home and have no reference here).

I searched for clevent, but only came up with this: http://rcswww.urz.tu-dresden.de/~fh/nt/eventlog/EventSave.zip, which does the same thing.

BTW, the easiest way, using Perl:
use Win32::EventLog;
Win32::EventLog->new("Application")->Clear;

j-enos (ASKER)

I'm a perl novice...  wouldn't that require an interpreter on every client?
j-enos (ASKER)

I had to give the answer to the first one that gave me the functionality... however, now that I'm using that software, I'm realizing that it's not the perfect solution either.  It doesn't allow instant archiving (which clears the eventlog) except for one log and one machine at a time.  That is, unless you reconfigure each one and schedule it... which is what I have to do.  So every time I want to dump the logs, I have to re-register each machine with a scheduled dump time.  At least this is the way it appears.  My eyes are still open to another solution, and I wish there was a way I could offer points for it.
You don't need Perl on every machine, just the one that you are running it on.

Like so:

use Win32::EventLog;
Win32::Eventog->New("Application", @ARGV)->Clear;

It would accept command-line parameters, so for example:

cl.pl \\myserver

That's it.
j-enos (ASKER)

I would love for your solution to work... but here's what it returns-

Can't locate object method "New" via package "Win32::Eventog" at Z:\clev.pl line 2.

Jeremy
My bad, new, not New (note case).
j-enos (ASKER)

Same result...

Can't locate object method "new" via package "Win32::Eventog" at clev.pl line 2.
Again, a typo.

It's EventLog, not Eventog.

Let's recap:
use Win32::EventLog;
Win32::EventLog->new("Application", @ARGV)->Clear;

I don't have an NT server here, else I'd check it.
j-enos (ASKER)

You can kick me for not seeing that one...  but I changed it and once again, I don't know what to do.  I don't know what to make of this.

usage: OBJECT->Clear( FILENAME )
Pass Clear either the filename to dump the log into before clearing it, or null to just clear it - Clear("");
j-enos (ASKER)

Please repost that as an answer so I can give you credit... Thank you so much!

Jeremy
Uh, well, you already gave the credit for the question to
Tim Holman, so I cannot answer again (it's a closed question).

Don't worry about it though.
j-enos (ASKER)

Oops... sorry... I was looking at a different question I had up and got my wires crossed.
Post a Q up in community support to get the points reassigned.
Don't be so trigger happy with the 'accept comment as answer' button !
j-enos (ASKER)

omere... I can make the solution you gave me work fine, but just so I know- is there an easy way to make your 2 line script clear a log on a remote machine?
thx again-

Jeremy
Uh yeah, that's the whole point.

Just pass the name of the remote machine on the command line.

If you want it hardcoded (though I fail to see why), then:
use Win32::EventLog;
# In a double-quoted Perl string "\\\\" yields the two leading backslashes of a UNC name.
$serverName = "\\\\server1";
Win32::EventLog->new("Application", $serverName)->Clear("");
j-enos (ASKER)

That would seem like a good idea, but it doesn't work.  Here is what I've got...

use Win32::EventLog;
Win32::EventLog->new("System", @ARGV)->Clear("out.evt");

and if I type at the command line (with all appropriate permissions)

clsys.pl \\machinename

It doesn't do anything.
Try it hardcoded (as in my above example), see if it works.

If it does, substitute @ARGV for $ARGV[0];

I'd try it, but there are no NT servers around this place.
No reason why it shouldn't work, but if it doesn't, let me know
and I'll check it when I'm at work.
j-enos (ASKER)

Nope- still doesn't work (either way).  Thanks for checking for me.
j-enos (ASKER)

I could try and run it locally on the machines via rcmd, but I can't install perl on the remote machines... do you know which files are needed by perl.exe to do the eventlog stuff?
j-enos (ASKER)

omere- were you ever able to get the script to work on a remote machine?
thx-

    Jeremy
I forgot all about it till I got an email about your comment.

I'll have to check tomorrow.
j-enos (ASKER)

I finally found a sample on a web site that I was able to make into something that worked.  Here it is:

use strict;
use warnings;
use Win32::EventLog;

# Server name comes from the first command-line argument; "\\\\" in a
# double-quoted Perl string yields the two leading backslashes of a UNC name.
die "usage: $0 servername\n" unless @ARGV;
my $myServer = "\\\\$ARGV[0]";

for my $eventLog ("System", "Application") {
    my $handle = Win32::EventLog->new($eventLog, $myServer)
        or die "Can't open $eventLog EventLog on $myServer\n";

    # Clear(FILENAME) backs the log up to FILENAME and then clears it. The path is
    # interpreted by the event log service on the target, so the backup file is
    # written on $myServer's own C: drive, not on the machine running this script.
    my $dest = "c:\\$ARGV[0]-$eventLog.evt";
    $handle->Clear($dest)
        or warn "Could not backup and clear the $eventLog EventLog on $myServer ($^E)\n";

    $handle->Close;
}


thanks for all your help!

Does exactly the same thing, except they Close the connection.

Maybe that's why it didn't work for you.
This will work on non-Home OSes:

wmic nteventlog where (LogFileName="Application") call ClearEventLog
wmic nteventlog where (LogFileName="System") call ClearEventLog
wmic nteventlog where (LogFileName="Security") call ClearEventLog
wmic nteventlog where (LogFileName="Internet Explorer") call ClearEventLog
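An added example, not code from the thread or from any of its participants: the same archive-then-clear that the Perl script and the wmic one-liners above perform, done for several machines and several logs from one workstation with wevtutil, whose `cl` verb takes a `/bu:` backup file and a `/r:` remote machine. It assumes Windows Vista/2008 or later on every target (wevtutil and the .evtx format), administrative rights on each target, and that the backup directory already exists there; the machine names and the directory are placeholders.

```powershell
# Added example (not from the thread): back up and then clear event logs on several
# machines. Assumes Vista/2008 or later targets, admin rights, and an existing backup
# directory on each target. Machine names and $BackupDir are placeholders.
function Clear-EventLogsWithBackup {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string[]] $LogName = @('Application', 'System'),
        # Directory on the *remote* machine. The /bu: path is interpreted by the target's
        # event log service, exactly like the FILENAME argument of the Perl Clear() call,
        # so a local-looking path here lands on the target's own disk.
        [string] $BackupDir = 'C:\EventLogBackups'
    )

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($computer in $ComputerName) {
        foreach ($log in $LogName) {
            $backup = Join-Path $BackupDir "$computer-$log-$stamp.evtx"

            # cl = clear-log; /bu: writes the backup before the clear; /r: names the target.
            & wevtutil.exe cl $log "/bu:$backup" "/r:$computer"

            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Could not back up and clear '$log' on $computer (wevtutil exit code $LASTEXITCODE)"
            } else {
                Write-Output "Cleared '$log' on $computer; backup written to $backup on $computer"
            }
        }
    }
}

# Usage (placeholder names): archive and clear Application and System on two servers.
Clear-EventLogsWithBackup -ComputerName 'server1', 'server2' -LogName 'Application', 'System'
```

Unlike the `wmic ... call ClearEventLog` lines, which clear without a backup, this keeps a copy of each log on the target before it is emptied; add the Security log to `-LogName` only if that is intended, since wevtutil will clear it just as readily and the clear itself is recorded there as Event ID 1102.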