EventLog/Clear-WinEvent.ps1
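function Clear-WinEvent {
    <#
    .SYNOPSIS
        Clears events from event logs and event tracing log files on local and remote computers.
    .DESCRIPTION
        Clear-WinEvent clears an event log, including classic logs such as the System and
        Application logs and the logs generated by the Windows Event Log technology introduced
        in Windows Vista. A path and file name can be specified to save the contents of the
        event log before it is cleared.

        The backup is written by the event log service of the computer that owns the log, so
        when -ComputerName is used the path in -Path is interpreted on the remote computer.

        Clearing a log is destructive and supports -WhatIf / -Confirm.
    .PARAMETER LogName
        Name of the event log to clear (for example Microsoft-Windows-Sysmon/Operational).
    .PARAMETER Path
        File (.evtx) in which the log contents are saved before the log is cleared. Only one
        path is accepted. Relative paths are resolved against the current PowerShell location.
    .PARAMETER ComputerName
        Clear the log on the specified computer. Type the NetBIOS name, an Internet Protocol
        (IP) address, or the fully qualified domain name of the computer. The firewall port for
        the event log service must be configured to allow remote access.
    .PARAMETER Credential
        User account that has permission to perform this action. Type a user name, such as
        User01 or Domain01\User01, or enter a PSCredential object such as one generated by
        Get-Credential. The password is handed to the session as a SecureString; it is never
        converted to plain text by this function.
    .EXAMPLE
        PS C:\> Clear-WinEvent -LogName Microsoft-Windows-Sysmon/Operational -Path c:\sysmonlogs.evtx

        Save and clear all events from the Sysmon eventlog.
    .EXAMPLE
        PS C:\> Clear-WinEvent -LogName Security -WhatIf

        Show what would be cleared without clearing anything.
    .INPUTS
        System.String. A path can be piped by value; LogName, Path and ComputerName can be
        piped by property name.
    .OUTPUTS
        None.
    #>
    [CmdletBinding(DefaultParameterSetName = 'Local', SupportsShouldProcess = $true)]
    param (
        # Eventlog name to clear.
        [Parameter(Mandatory = $true,
                   Position = 0,
                   ValueFromPipelineByPropertyName = $true)]
        [string]
        $LogName,

        # Path to location where to store eventlog before clearing.
        [Parameter(Mandatory = $false,
                   Position = 1,
                   ValueFromPipeline = $true,
                   ValueFromPipelineByPropertyName = $true,
                   HelpMessage = 'Path to location where to store eventlog before clearing.')]
        [Alias('PSPath')]
        [ValidateNotNullOrEmpty()]
        [string[]]
        $Path,

        # Clear a given EventLog from the specified computer. Type the NetBIOS name, an
        # Internet Protocol (IP) address, or the fully qualified domain name of the computer.
        # To get events and event logs from remote computers, the firewall port for the event
        # log service must be configured to allow remote access.
        [Parameter(Mandatory = $true,
                   ValueFromPipelineByPropertyName = $true,
                   ParameterSetName = 'Remote')]
        [string]
        $ComputerName,

        # Specifies a user account that has permission to perform this action.
        [Parameter(Mandatory = $false,
                   ParameterSetName = 'Remote')]
        [Management.Automation.PSCredential]
        [Management.Automation.CredentialAttribute()]
        $Credential
    )

    begin {}

    process {
        $EvtSession = $null
        $Target = $LogName

        # Open the session. EventLogSession has no (server, user, password) constructor;
        # the remote-with-credential overload is
        # (server, domain, user, SecureString password, SessionAuthentication), so the
        # credential is split into domain/user and the SecureString is passed as-is.
        switch ($PSCmdlet.ParameterSetName) {
            'Local' {
                $EvtSession = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogSession
            }
            'Remote' {
                $Target = "$LogName on $ComputerName"
                if ($PSBoundParameters.ContainsKey('Credential')) {
                    $NetCred = $Credential.GetNetworkCredential()
                    $EvtSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::New(
                        $ComputerName,
                        $NetCred.Domain,
                        $NetCred.UserName,
                        $Credential.Password,
                        [System.Diagnostics.Eventing.Reader.SessionAuthentication]::Default)
                }
                else {
                    $EvtSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::New($ComputerName)
                }
            }
        }

        try {
            if ($PSBoundParameters.ContainsKey('Path')) {
                # ClearLog takes a single backup file, so reject more than one path up front
                # instead of letting the array-to-string conversion produce a bogus name.
                if ($Path.Count -gt 1) {
                    Write-Error -Exception ([System.ArgumentException]::New('Only one backup path can be specified.')) -ErrorAction Stop
                }

                # Resolve relative to the PowerShell location, not the process working
                # directory, and hand the resolved name to ClearLog (the original passed the
                # unresolved user value).
                $FullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path[0])

                # The backup is written by the event log service that owns the log, so a local
                # directory check is only meaningful for the Local parameter set.
                if ($PSCmdlet.ParameterSetName -eq 'Local') {
                    $Location = Split-Path -Path $FullPath
                    if (-not (Test-Path -Path $Location)) {
                        Write-Error -Exception ([System.IO.DirectoryNotFoundException]::New('Directory for the file specified was not found.')) -ErrorAction Stop
                    }
                }

                if ($PSCmdlet.ShouldProcess($Target, "Save log to $FullPath and clear")) {
                    Write-Verbose -Message "Saving Log $($LogName) as $($FullPath) and clearing ($Target)."
                    $EvtSession.ClearLog($LogName, $FullPath)
                    Write-Verbose -Message 'Log Cleared.'
                }
            }
            else {
                if ($PSCmdlet.ShouldProcess($Target, 'Clear log')) {
                    Write-Verbose -Message "Clearing log $($LogName)."
                    $EvtSession.ClearLog($LogName)
                    Write-Verbose -Message 'Log Cleared.'
                }
            }
        }
        finally {
            # EventLogSession holds a native handle; release it on every exit path.
            if ($null -ne $EvtSession) {
                $EvtSession.Dispose()
            }
        }
    }

    end {}
}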