Solved

Clear event log from command line?

Posted on 2000-03-10
33
6,632 Views
Last Modified: 2013-12-28
How can I clear the event log from the command line?  I don't want to set it to overwrite as needed... I actually need the functionality to clear it.
thanks-

Jeremy
0
Question by:j-enos
33 Comments
 
LVL 63

Expert Comment

by:SysExpert
I think there is something in the NT resource kit. No, There is stuff for dumping and adding events manually. Nothing for clearing the log. Probably considered a security risk. I'll keep looking.
0
 

Author Comment

by:j-enos
I can't believe it would be a security risk... should use the same authentication as the GUI mode for clearing the log.  I'll have a look into the rk as well...  
0
 

Author Comment

by:j-enos
You know... I did think of a way I might be able to do it.  What if I stopped the eventlog service and copied fresh versions of sysevent.evt and appevent.evt over the originals?  I want to do it across multiple machines though, and I'm not sure if there is residual identity information left in the file or not... it's got some binary info left after clearing, so I can't tell.
Either way... I couldn't even try it.  I couldn't stop the event log service... maybe because SNMP depends on it.  I tried stopping SNMP, and that just hung the attempt and never stopped it.  Arrgh...  seemed like a good idea.  :)
0
 
 
LVL 23

Accepted Solution

by: Tim Holman (earned 100 total points)
Look at :

http://www.doriansoft.com/

(and his event archiver software)
0
 
LVL 1

Expert Comment

by:omere
dumpel.exe (from the resource kit) can also clear the event log (along with dumping it).

I also recall seeing clevent.exe, but not where I saw it.
0
 

Author Comment

by:j-enos
I checked all documentation available for dumpel.exe and I could not find any mention of clearing the log.  I can't find any such file clevent.exe- Do you remember who made it?
0
 
LVL 1

Expert Comment

by:omere
Where did you get your version of dumpel? (I'd ask what version it is, but I'm at home and have no reference here).

I searched for clevent, but only came up with this: http://rcswww.urz.tu-dresden.de/~fh/nt/eventlog/EventSave.zip, which does the same thing.

BTW, the easiest way, using Perl:
use Win32::EventLog;
Win32::EventLog->new("Application")->Clear;

0
 

Author Comment

by:j-enos
I'm a perl novice...  wouldn't that require an interpreter on every client?
0
 

Author Comment

by:j-enos
I had to give the answer to the first one that gave me the functionality... however, now that I'm using that software, I'm realizing that it's not the perfect solution either.  It doesn't allow instant archiving (which clears the eventlog) except for one log and one machine at a time.  That is, unless you reconfigure each one and schedule it... which is what I have to do.  So every time I want to dump the logs, I have to re-register each machine with a scheduled dump time.  At least this is the way it appears.  My eyes are still open to another solution, and I wish there was a way I could offer points for it.
0
 
LVL 1

Expert Comment

by:omere
You don't need Perl on every machine, just the one that you are running it on.

Like so:

use Win32::EventLog;
Win32::Eventog->New("Application", @ARGV)->Clear;

It would accept command-line parameters, so for example:

cl.pl \\myserver

That's it.
0
 

Author Comment

by:j-enos
I would love for your solution to work... but here's what it returns-

Can't locate object method "New" via package "Win32::Eventog" at Z:\clev.pl line 2.

Jeremy
0
 

 
LVL 1

Expert Comment

by:omere
My bad, new, not New (note case).
0
 

Author Comment

by:j-enos
Same result...

Can't locate object method "new" via package "Win32::Eventog" at clev.pl line 2.
0
 
LVL 1

Expert Comment

by:omere
Again, a typo.

It's EventLog, not Eventog.

Let's recap:
use Win32::EventLog;
Win32::EventLog->new("Application", @ARGV)->Clear;

I don't have an NT server here, else I'd check it.
0

 

Author Comment

by:j-enos
You can kick me for not seeing that one...  but I changed it and once again, I don't know what to do.  I don't know what to make of this.

usage: OBJECT->Clear( FILENAME )
0
 
LVL 1

Expert Comment

by:omere
Pass Clear either the filename to dump the log into before clearing it, or null to just clear it - Clear("");
0
 

Author Comment

by:j-enos
Please repost that as an answer so I can give you credit... Thank you so much!

Jeremy
0
 
LVL 1

Expert Comment

by:omere
Uh, well, you already gave the credit for the question to
Tim Holman, so I cannot answer again (it's a closed question).

Don't worry about it though.
0
 

Author Comment

by:j-enos
Ooops... sorry... I was looking at a different question I had up and got my wires crossed.
0
 
LVL 23

Expert Comment

by:Tim Holman
Post a Q up in community support to get the points reassigned.
Don't be so trigger happy with the 'accept comment as answer' button !
0
 

Author Comment

by:j-enos
omere... I can make the solution you gave me work fine, but just so I know- is there an easy way to make your 2 line script clear a log on a remote machine?
thx again-

Jeremy
0
 
LVL 1

Expert Comment

by:omere
Uh yeah, that's the whole point.

Just pass the name of the remote machine on the command line.

If you want it hardcoded (though I fail to see why), then:
use Win32::EventLog;
$serverName = "\\\\server1";   # each literal backslash is doubled inside double quotes, so this is \\server1
Win32::EventLog->new("Application", $serverName)->Clear("");
0
 

Author Comment

by:j-enos
That would seem like a good idea, but it doesn't work.  Here is what I've got...

use Win32::EventLog;
Win32::EventLog->new("System", @ARGV)->Clear("out.evt");

and if I type at the command line (with all appropriate permissions)

clsys.pl \\machinename

It doesn't do anything.
0
 
LVL 1

Expert Comment

by:omere
Try it hardcoded (as in my above example), see if it works.

If it does, substitute @ARGV for $ARGV[0];

I'd try it, but there are no NT servers around this place.
No reason why it shouldn't work, but if it doesn't, let me know
and I'll check it when I'm at work.
0
 

Author Comment

by:j-enos
Nope- still doesn't work (either way).  Thanks for checking for me.
0
 

Author Comment

by:j-enos
I could try and run it locally on the machines via rcmd, but I can't install perl on the remote machines... do you know which files are needed by perl.exe to do the eventlog stuff?
0
 

Author Comment

by:j-enos
omere- were you ever able to get the script to work on a remote machine?
thx-

    Jeremy
0
 
LVL 1

Expert Comment

by:omere
I forgot all about it till I got an email about your comment.

I'll have to check tomorrow.
0
 

Author Comment

by:j-enos
I finally found a sample on a web site that I was able to make into something that worked.  Here it is:

use strict;
use warnings;
use Win32::EventLog;

my $myServer = "\\\\$ARGV[0]";     # server name from the first argument; doubled backslashes give \\name
my $dest;

for my $eventLog ("System", "Application") {
    my $handle = Win32::EventLog->new($eventLog, $myServer)
        or die "Can't open $eventLog EventLog on $myServer\n";

    $dest = "c:\\$ARGV[0]-$eventLog.evt";     # the log is backed up to this file before it is cleared
    $handle->Clear($dest)
        or warn "Could not backup and clear the $eventLog EventLog on $myServer ($^E)\n";

    $handle->Close;
}


thanks for all your help!

0
 
LVL 1

Expert Comment

by:omere
Does exactly the same thing, except they Close the connection.

Maybe that's why it didn't work for you.
0
 

Expert Comment

by:duyenoyama
This will work on non-Home OSes

wmic nteventlog where (LogFileName="Application") call ClearEventLog
wmic nteventlog where (LogFileName="System") call ClearEventLog
wmic nteventlog where (LogFileName="Security") call ClearEventLog
wmic nteventlog where (LogFileName="Internet Explorer") call ClearEventLog
0
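Both the Perl `Clear()` call and the `wmic ... call ClearEventLog` command above are themselves recorded by Windows: clearing a log writes a fresh event into it (the Security log gets event 1102 on Vista and later, or 517 on NT4/2000/XP, from source "Security"; clearing System or Application writes event 104 from Microsoft-Windows-Eventlog into the System log). The script below is an added example, not code from this thread: it scans an exported set of event records for those clear-markers and groups them into bursts, which is what a scripted multi-log wipe like the loop above leaves behind. The CSV column layout, host names, accounts and timestamps are constructed for the example.

```python
"""Flag event-log clearing in an exported set of Windows event records.

Added example, not code from this thread. Windows records every successful
clear (the Perl Clear() call and the wmic ClearEventLog call above both
produce one), so a defender looks for those records rather than for the
gap they leave. The export layout below is an assumed CSV; the hosts,
accounts and timestamps are constructed for the example.
"""
import csv
import io
import re
from datetime import datetime, timedelta

# (provider, event id) pairs Windows writes when a log is cleared.
# 1102 and 104 are the Vista-and-later ids; 517 is the NT4/2000/XP Security-log id.
LOG_CLEARED = {
    ("Microsoft-Windows-Eventlog", 1102): "Security log cleared",
    ("Microsoft-Windows-Eventlog", 104): "System or Application log cleared",
    ("Security", 517): "Security log cleared (pre-Vista)",
}

# Event 104 names the cleared log only in its message text.
CLEARED_LOG_RE = re.compile(r"The (\S+) log file was cleared")

# Constructed sample export (assumed column layout; hosts and accounts are made up).
SAMPLE_EXPORT = """\
time,host,channel,provider,event_id,user,message
2024-05-01T10:00:01Z,WS01,Security,Microsoft-Windows-Security-Auditing,4624,CORP\\jdoe,An account was successfully logged on.
2024-05-01T10:02:10Z,WS01,System,Microsoft-Windows-Eventlog,104,CORP\\jdoe,The System log file was cleared.
2024-05-01T10:02:11Z,WS01,System,Microsoft-Windows-Eventlog,104,CORP\\jdoe,The Application log file was cleared.
2024-05-01T10:02:12Z,WS01,Security,Microsoft-Windows-Eventlog,1102,CORP\\jdoe,The audit log was cleared.
2024-05-01T11:30:00Z,FS02,System,Service Control Manager,7036,SYSTEM,The Event Log service entered the running state.
2024-05-02T09:15:00Z,FS02,Security,Security,517,CORP\\backupsvc,The audit log was cleared.
"""


def parse_export(text):
    """Parse the CSV export into dicts with typed time and event_id fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def cleared_log_name(row):
    """Return the name of the log this record says was cleared, or None."""
    if (row["provider"], row["event_id"]) not in LOG_CLEARED:
        return None
    if row["event_id"] == 104:
        match = CLEARED_LOG_RE.search(row["message"])
        return match.group(1) if match else row["channel"]
    return "Security"


def find_log_clears(rows):
    """One alert per record that documents a cleared log."""
    alerts = []
    for row in rows:
        log = cleared_log_name(row)
        if log is not None:
            alerts.append({"time": row["time"], "host": row["host"],
                           "user": row["user"], "log": log,
                           "event_id": row["event_id"]})
    return alerts


def find_clear_bursts(alerts, window=timedelta(minutes=5), min_logs=2):
    """Report (host, user) pairs that cleared at least min_logs distinct logs
    within one window: the pattern a scripted multi-log wipe leaves behind."""
    by_actor = {}
    for alert in sorted(alerts, key=lambda a: a["time"]):
        by_actor.setdefault((alert["host"], alert["user"]), []).append(alert)
    bursts = []
    for (host, user), items in by_actor.items():
        for i, first in enumerate(items):
            group = [x for x in items[i:] if x["time"] - first["time"] <= window]
            logs = sorted({x["log"] for x in group})
            if len(logs) >= min_logs:
                bursts.append({"host": host, "user": user,
                               "start": first["time"], "logs": logs})
                break  # one report per actor is enough
    return bursts


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    for alert in find_log_clears(records):
        print(f"{alert['time']:%Y-%m-%d %H:%M:%S} {alert['host']} "
              f"{alert['user']} cleared {alert['log']} (event {alert['event_id']})")
    for burst in find_clear_bursts(find_log_clears(records)):
        print(f"BURST: {burst['host']} {burst['user']} cleared "
              f"{', '.join(burst['logs'])} starting {burst['start']:%H:%M:%S}")
```

On the sample, WS01 shows three logs cleared by one account within two seconds and is reported as a burst; the single Security clear on FS02 is alerted on but not grouped. Because the clear-marker is written into the log that was just emptied, it survives only until the next clear, so forwarding logs off the host (the thread's backup-then-clear approach, sent somewhere the clearing account cannot reach) is what makes these alerts durable.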
