Recipe 16.7. Clearing the Events in an Event Log

Problem

You want to clear all of the events in an event log.

Solution

Using a graphical user interface

Open the Event Viewer (eventvwr.msc).
In the left pane, right-click on the Target Event Log and select Clear all Events.
You then have an option to save the log before clearing it. Click Yes to save it, or No to not save it.

Using a command-line interface

The following command clears an event log:

> wmic /node:"<ComputerName>" nteventlog where "Logfilename = '<LogName>'" Call ClearEventLog

Here is an example that clears the Application log on computer wks01:

> wmic /node:"wks01" nteventlog where "Logfilename = 'Application'" Call ClearEventLog

Using VBScript

' This code clears all events from the specified event log. ' ------ SCRIPT CONFIGURATION ------ strLog = "<LogName>"        ' e.g. Application strComputer = "<ComputerName>"  ' e.g. wks01 (use "." for local machine) ' ------ END CONFIGURATION --------- set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile Where " & _                                "Logfilename = '" & strLog & "'") if colLogs.Count <> 1 then    WScript.Echo "Fatal error.  Number of logs found: " & colLogs.Count    WScript.Quit end if for each objLog in colLogs    objLog.ClearEventLog    WScript.Echo strLog & " cleared" next

Discussion

Typically, you do not want to clear an event log unless you've backed up or archived the log. Clearing an event log without saving the events makes it very difficult to later track down and troubleshoot problems.

If you clear the Security event log, event 517 will be automatically generated in the Security log. This event indicates the log was cleared and is important from an auditing perspective. Without event 517, you wouldn't have an idea if the security log had previously been cleared. This doesn't occur for the other logs.