< Back

Remove-EventLog

Tue Jan 29, 2019 10:20 pm

NAME Remove-EventLog



SYNOPSIS

Deletes an event log or unregisters an event source.





SYNTAX

Remove-EventLog [-LogName] <String[]> [[-ComputerName] <String[]>] [-Confirm] [-WhatIf] [<CommonParameters>]



Remove-EventLog [[-ComputerName] <String[]>] [-Confirm] [-Source <String[]>] [-WhatIf] [<CommonParameters>]





DESCRIPTION

The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all its event sources for the log. You can

also use this cmdlet to unregister event sources without deleting any event logs.



The cmdlets that contain the EventLog noun, the EventLog cmdlets, work only on classic event logs. To get events from logs that use the Windows

Event Log technology in Windows Vista and later versions of the Windows operating system, use Get-WinEvent.



CAUTION: This cmdlet can delete operating system event logs, which might cause application failures and unexpected system behavior.





PARAMETERS

-ComputerName <String[]>

Specifies a remote computer. The default is the local computer.



Type the NetBIOS name, an IP address, or a fully qualified domain name of a remote computer. To specify the local computer, type the computer

name, a dot (.), or localhost.



This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Remove-EventLog even if your computer

is not configured to run remote commands.



Required? false

Position? 1

Default value None

Accept pipeline input? False

Accept wildcard characters? false



-Confirm [<SwitchParameter>]

Prompts you for confirmation before running the cmdlet.



Required? false

Position? named

Default value False

Accept pipeline input? False

Accept wildcard characters? false



-LogName <String[]>

Specifies the event logs. Enter the log name of one or more event logs, separated by commas. The log name is the value of the Log property,

not the LogDisplayName , Wildcard characters are not permitted. This parameter is required.



Required? true

Position? 0

Default value None

Accept pipeline input? False

Accept wildcard characters? false



-Source <String[]>

Specifies the event sources that this cmdlet unregisters. Enter the source names, not the executable name, separated by commas.



Required? false

Position? named

Default value None

Accept pipeline input? False

Accept wildcard characters? false



-WhatIf [<SwitchParameter>]

Shows what would happen if the cmdlet runs. The cmdlet is not run.



Required? false

Position? named

Default value False

Accept pipeline input? False

Accept wildcard characters? false



<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,

ErrorAction, ErrorVariable, WarningAction, WarningVariable,

OutBuffer, PipelineVariable, and OutVariable. For more information, see

about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).



INPUTS

None

You cannot pipe input to this cmdlet.





OUTPUTS

None

This cmdlet does not return any output.





NOTES





To use Remove-EventLog * on Windows Vista and later versions of the Windows operating system, start Windows PowerShell by using the Run as

administrator option.



If you remove an event log and then re-create the log, you will not be able to register the same event sources. Applications that used the

events sources to write entries to the original log will not be able to write to the new log.



* When you unregister an event source for a particular log, the event source might be prevented from writing entries in other event logs.



Example 1: Remove an event log from the local computer



PS C:\\>Remove-EventLog -LogName "MyLog"



This command deletes the MyLog event log from the local computer and unregisters its event sources.

Example 2: Remove an event log from several computers



PS C:\\>Remove-EventLog -LogName "MyLog", "TestLog" -ComputerName "Server01", "Server02", "localhost"



This command deletes the MyLog and TestLog event logs from the local computer and the Server01 and Server02 remote computers. The command also

unregisters the event sources for these logs.

Example 3: Delete an event source



PS C:\\>Remove-EventLog -Source "MyApp"



This command deletes the MyApp event source from the logs on the local computer. When the command finishes, the MyApp program cannot write to any

event logs.

Example 4: Remove an event log and confirm the action



The first command lists the event logs on the local computer.

PS C:\\>Get-EventLog -List

Max(K) Retain OverflowAction Entries Log

------ ------ -------------- ------- ---

15,168 0 OverwriteAsNeeded 22,923 Application

15,168 0 OverwriteAsNeeded 53 DFS Replication

15,168 7 OverwriteOlder 0 Hardware Events

512 7 OverwriteOlder 0 Internet Explorer

20,480 0 OverwriteAsNeeded 0 Key Management Service

30,016 0 OverwriteAsNeeded 50,060 Security

15,168 0 OverwriteAsNeeded 27,592 System

15,360 0 OverwriteAsNeeded 18,355 Windows PowerShell

15,168 7 OverwriteAsNeeded 12 ZapLog



The second command deletes the ZapLog event log.

PS C:\\>Remove-EventLog -LogName "ZapLog"



The third command lists the event logs again. The ZapLog event log no longer appears in the list.

PS C:\\>Get-EventLog -List

Max(K) Retain OverflowAction Entries Log

------ ------ -------------- ------- ---

15,168 0 OverwriteAsNeeded 22,923 Application

15,168 0 OverwriteAsNeeded 53 DFS Replication

15,168 7 OverwriteOlder 0 Hardware Events

512 7 OverwriteOlder 0 Internet Explorer

20,480 0 OverwriteAsNeeded 0 Key Management Service

30,016 0 OverwriteAsNeeded 50,060 Security

15,168 0 OverwriteAsNeeded 27,592 System

15,360 0 OverwriteAsNeeded 18,355 Windows PowerShell



These commands show how to list the event logs on a computer and verify that a Remove-EventLog command was successful.

Example 5: Remove an event source and confirm the action



PS C:\\>Get-WmiObject win32_nteventlogfile -Filter "logfilename='TestLog'" | foreach {$_.sources}

MyApp

TestApp

PS C:\\> Remove-Eventlog -Source "MyApp"

PS C:\\> Get-WmiObject win32_nteventlogfile -Filter "logfilename='TestLog'"} | foreach {$_.sources}

TestApp



These commands use the Get-WmiObject cmdlet to list the event sources on the local computer. You can these commands to verify the success of a

command or to delete an event source.



The first command gets the event sources of the TestLog event log on the local computer. MyApp is one of the sources.



The second command uses the Source parameter of Remove-EventLog to delete the MyApp event source.



The third command is identical to the first. It shows that the MyApp event source was deleted.



RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkId=821615

Clear-EventLog

Get-EventLog

Limit-EventLog

New-EventLog

Remove-EventLog

Show-EventLog

Write-EventLog