< Back
Remove-EventLog
Post
NAME Remove-EventLog
SYNOPSIS
Deletes an event log or unregisters an event source.
SYNTAX
Remove-EventLog [-LogName] <String[]> [[-ComputerName] <String[]>] [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-EventLog [[-ComputerName] <String[]>] [-Confirm] [-Source <String[]>] [-WhatIf] [<CommonParameters>]
DESCRIPTION
The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all its event sources for the log. You can
also use this cmdlet to unregister event sources without deleting any event logs.
The cmdlets that contain the EventLog noun, the EventLog cmdlets, work only on classic event logs. To get events from logs that use the Windows
Event Log technology in Windows Vista and later versions of the Windows operating system, use Get-WinEvent.
CAUTION: This cmdlet can delete operating system event logs, which might cause application failures and unexpected system behavior.
PARAMETERS
-ComputerName <String[]>
Specifies a remote computer. The default is the local computer.
Type the NetBIOS name, an IP address, or a fully qualified domain name of a remote computer. To specify the local computer, type the computer
name, a dot (.), or localhost.
This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Remove-EventLog even if your computer
is not configured to run remote commands.
Required? false
Position? 1
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-LogName <String[]>
Specifies the event logs. Enter the log name of one or more event logs, separated by commas. The log name is the value of the Log property,
not the LogDisplayName , Wildcard characters are not permitted. This parameter is required.
Required? true
Position? 0
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Source <String[]>
Specifies the event sources that this cmdlet unregisters. Enter the source names, not the executable name, separated by commas.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
You cannot pipe input to this cmdlet.
OUTPUTS
None
This cmdlet does not return any output.
NOTES
To use Remove-EventLog * on Windows Vista and later versions of the Windows operating system, start Windows PowerShell by using the Run as
administrator option.
If you remove an event log and then re-create the log, you will not be able to register the same event sources. Applications that used the
events sources to write entries to the original log will not be able to write to the new log.
* When you unregister an event source for a particular log, the event source might be prevented from writing entries in other event logs.
Example 1: Remove an event log from the local computer
PS C:\\>Remove-EventLog -LogName "MyLog"
This command deletes the MyLog event log from the local computer and unregisters its event sources.
Example 2: Remove an event log from several computers
PS C:\\>Remove-EventLog -LogName "MyLog", "TestLog" -ComputerName "Server01", "Server02", "localhost"
This command deletes the MyLog and TestLog event logs from the local computer and the Server01 and Server02 remote computers. The command also
unregisters the event sources for these logs.
Example 3: Delete an event source
PS C:\\>Remove-EventLog -Source "MyApp"
This command deletes the MyApp event source from the logs on the local computer. When the command finishes, the MyApp program cannot write to any
event logs.
Example 4: Remove an event log and confirm the action
The first command lists the event logs on the local computer.
PS C:\\>Get-EventLog -List
Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
15,168 0 OverwriteAsNeeded 22,923 Application
15,168 0 OverwriteAsNeeded 53 DFS Replication
15,168 7 OverwriteOlder 0 Hardware Events
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
30,016 0 OverwriteAsNeeded 50,060 Security
15,168 0 OverwriteAsNeeded 27,592 System
15,360 0 OverwriteAsNeeded 18,355 Windows PowerShell
15,168 7 OverwriteAsNeeded 12 ZapLog
The second command deletes the ZapLog event log.
PS C:\\>Remove-EventLog -LogName "ZapLog"
The third command lists the event logs again. The ZapLog event log no longer appears in the list.
PS C:\\>Get-EventLog -List
Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
15,168 0 OverwriteAsNeeded 22,923 Application
15,168 0 OverwriteAsNeeded 53 DFS Replication
15,168 7 OverwriteOlder 0 Hardware Events
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
30,016 0 OverwriteAsNeeded 50,060 Security
15,168 0 OverwriteAsNeeded 27,592 System
15,360 0 OverwriteAsNeeded 18,355 Windows PowerShell
These commands show how to list the event logs on a computer and verify that a Remove-EventLog command was successful.
Example 5: Remove an event source and confirm the action
PS C:\\>Get-WmiObject win32_nteventlogfile -Filter "logfilename='TestLog'" | foreach {$_.sources}
MyApp
TestApp
PS C:\\> Remove-Eventlog -Source "MyApp"
PS C:\\> Get-WmiObject win32_nteventlogfile -Filter "logfilename='TestLog'"} | foreach {$_.sources}
TestApp
These commands use the Get-WmiObject cmdlet to list the event sources on the local computer. You can these commands to verify the success of a
command or to delete an event source.
The first command gets the event sources of the TestLog event log on the local computer. MyApp is one of the sources.
The second command uses the Source parameter of Remove-EventLog to delete the MyApp event source.
The third command is identical to the first. It shows that the MyApp event source was deleted.
RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?LinkId=821615
Clear-EventLog
Get-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Show-EventLog
Write-EventLog
SYNOPSIS
Deletes an event log or unregisters an event source.
SYNTAX
Remove-EventLog [-LogName] <String[]> [[-ComputerName] <String[]>] [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-EventLog [[-ComputerName] <String[]>] [-Confirm] [-Source <String[]>] [-WhatIf] [<CommonParameters>]
DESCRIPTION
The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all its event sources for the log. You can
also use this cmdlet to unregister event sources without deleting any event logs.
The cmdlets that contain the EventLog noun, the EventLog cmdlets, work only on classic event logs. To get events from logs that use the Windows
Event Log technology in Windows Vista and later versions of the Windows operating system, use Get-WinEvent.
CAUTION: This cmdlet can delete operating system event logs, which might cause application failures and unexpected system behavior.
PARAMETERS
-ComputerName <String[]>
Specifies a remote computer. The default is the local computer.
Type the NetBIOS name, an IP address, or a fully qualified domain name of a remote computer. To specify the local computer, type the computer
name, a dot (.), or localhost.
This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Remove-EventLog even if your computer
is not configured to run remote commands.
Required? false
Position? 1
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-LogName <String[]>
Specifies the event logs. Enter the log name of one or more event logs, separated by commas. The log name is the value of the Log property,
not the LogDisplayName , Wildcard characters are not permitted. This parameter is required.
Required? true
Position? 0
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Source <String[]>
Specifies the event sources that this cmdlet unregisters. Enter the source names, not the executable name, separated by commas.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
You cannot pipe input to this cmdlet.
OUTPUTS
None
This cmdlet does not return any output.
NOTES
To use Remove-EventLog * on Windows Vista and later versions of the Windows operating system, start Windows PowerShell by using the Run as
administrator option.
If you remove an event log and then re-create the log, you will not be able to register the same event sources. Applications that used the
events sources to write entries to the original log will not be able to write to the new log.
* When you unregister an event source for a particular log, the event source might be prevented from writing entries in other event logs.
Example 1: Remove an event log from the local computer
PS C:\\>Remove-EventLog -LogName "MyLog"
This command deletes the MyLog event log from the local computer and unregisters its event sources.
Example 2: Remove an event log from several computers
PS C:\\>Remove-EventLog -LogName "MyLog", "TestLog" -ComputerName "Server01", "Server02", "localhost"
This command deletes the MyLog and TestLog event logs from the local computer and the Server01 and Server02 remote computers. The command also
unregisters the event sources for these logs.
Example 3: Delete an event source
PS C:\\>Remove-EventLog -Source "MyApp"
This command deletes the MyApp event source from the logs on the local computer. When the command finishes, the MyApp program cannot write to any
event logs.
Example 4: Remove an event log and confirm the action
The first command lists the event logs on the local computer.
PS C:\\>Get-EventLog -List
Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
15,168 0 OverwriteAsNeeded 22,923 Application
15,168 0 OverwriteAsNeeded 53 DFS Replication
15,168 7 OverwriteOlder 0 Hardware Events
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
30,016 0 OverwriteAsNeeded 50,060 Security
15,168 0 OverwriteAsNeeded 27,592 System
15,360 0 OverwriteAsNeeded 18,355 Windows PowerShell
15,168 7 OverwriteAsNeeded 12 ZapLog
The second command deletes the ZapLog event log.
PS C:\\>Remove-EventLog -LogName "ZapLog"
The third command lists the event logs again. The ZapLog event log no longer appears in the list.
PS C:\\>Get-EventLog -List
Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
15,168 0 OverwriteAsNeeded 22,923 Application
15,168 0 OverwriteAsNeeded 53 DFS Replication
15,168 7 OverwriteOlder 0 Hardware Events
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
30,016 0 OverwriteAsNeeded 50,060 Security
15,168 0 OverwriteAsNeeded 27,592 System
15,360 0 OverwriteAsNeeded 18,355 Windows PowerShell
These commands show how to list the event logs on a computer and verify that a Remove-EventLog command was successful.
Example 5: Remove an event source and confirm the action
PS C:\\>Get-WmiObject win32_nteventlogfile -Filter "logfilename='TestLog'" | foreach {$_.sources}
MyApp
TestApp
PS C:\\> Remove-Eventlog -Source "MyApp"
PS C:\\> Get-WmiObject win32_nteventlogfile -Filter "logfilename='TestLog'"} | foreach {$_.sources}
TestApp
These commands use the Get-WmiObject cmdlet to list the event sources on the local computer. You can these commands to verify the success of a
command or to delete an event source.
The first command gets the event sources of the TestLog event log on the local computer. MyApp is one of the sources.
The second command uses the Source parameter of Remove-EventLog to delete the MyApp event source.
The third command is identical to the first. It shows that the MyApp event source was deleted.
RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?LinkId=821615
Clear-EventLog
Get-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Show-EventLog
Write-EventLog