header image

Event log cleanup

Posted by: | May 24, 2011 | No Comment |

If we look at the event logs

 

PS> Get-EventLog -List

  Max(K) Retain OverflowAction        Entries Log
  —— —— ————–        ——- —
  20,480      0 OverwriteAsNeeded      19,975 Application
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
   8,192      0 OverwriteAsNeeded           0 Media Center
     128      0 OverwriteAsNeeded       1,033 OAlerts
  20,480      0 OverwriteAsNeeded           0 Scripts
                                              Security
  20,480      0 OverwriteAsNeeded      56,535 System
  15,360      0 OverwriteAsNeeded      18,907 Windows PowerShell

 

If we look at a single log from this list in detail

PS> Get-EventLog -List | select -f 1 | fl *

Entries              : {RSLAPTOP01, RSLAPTOP01, RSLAPTOP01, RSLAPTOP01…}
LogDisplayName       : Application
Log                  : Application
MachineName          : .
MaximumKilobytes     : 20480
OverflowAction       : OverwriteAsNeeded
MinimumRetentionDays : 0
EnableRaisingEvents  : False
SynchronizingObject  :
Source               :
Site                 :
Container            :

 

So in the first display we get the number of entries but in the second we get the list of entries.  I want to be able to clean up my logs with lots of entries.

The difference between the two displays is due to the formatting engine in PowerShell. It is creating the entries count column. We know that the .NET object we are interested in is System.Diagnostics.EventLog so we can search for it.

Select-String -Path $pshome\*.ps1xml -Pattern "System.Diagnostics.EventLog" –SimpleMatch

 

The result comes back that we want to look at DotNetTypes.format.ps1xml.

Open that file – BE VERY CAREFUL THAT YOU DON’T ALTER THIS FILE OR BAD THINGS WILL HAPPEN. The sun will go nova, the earth will plunge into a black hole and oh yeah – even worse PowerShell will stop working.

If we search for System.Diagnostics.EventLog and look at the formatting options we will eventually find an entry that matches the first table above.  The Entries property is found as $_.Entries.Count.ToString(‘N0’)

This means I can do this

Get-EventLog -List | where {$_.Entries.Count -gt 10000}

Max(K) Retain OverflowAction        Entries Log
—— —— ————–        ——- —
20,480      0 OverwriteAsNeeded      19,976 Application
20,480      0 OverwriteAsNeeded      56,543 System
15,360      0 OverwriteAsNeeded      18,907 Windows PowerShell

 

I can now do my clean up

Get-EventLog -List | where {$_.Entries.Count -gt 10000} | foreach {Clear-EventLog -LogName $_.Log}

 

but you have to be running PowerShell with elevated privileges.

 

Remembering how the formatting system works and how some of the displays are formatted can save a lot of effort sometimes.

under: PowerShellV2