Clear eventlog

I’ve been testing the new Sysmon tool from Sysinternals, written by Mark Russinovich and Thomas Garnier, which I’ve already mentioned in this post.

It has recently been updated to version 1.01.
Since I updated from version 1.0 to 1.01, events written by the previous driver aren’t readable anymore in the “General” view of eventvwr.exe:

Fortunately, the XML data can still be parsed 🙂

Anyway, I wanted to clear the log after I upgraded.
The built-in Clear-EventLog cmdlet doesn’t help in this case: it only handles classic event logs (Application, System, custom logs created with New-EventLog), not channels such as Microsoft-Windows-Sysmon/Operational 😦

Get-WinEvent -ListLog returns System.Diagnostics.Eventing.Reader.EventLogConfiguration .NET objects, and that class has no method to clear a log’s content, as Get-Member shows:

Get-WinEvent -ListLog * | 
Where LogName -match "sysmon" | Get-Member -Force

The System.Diagnostics.Eventing.Reader.EventLogSession .NET class does, however, have a ClearLog method, with two overloads:

The first overload takes just the log name as parameter:

(New-Object System.Diagnostics.Eventing.Reader.EventLogSession).
ClearLog("Microsoft-Windows-Sysmon/Operational")

The second overload takes the log name and a backup path; the current events are saved to that .evtx file before the log is cleared:

(New-Object System.Diagnostics.Eventing.Reader.EventLogSession).
ClearLog(
 "Microsoft-Windows-Sysmon/Operational",
 "C:\windows\temp\sysmon.evtx"
)

Both overloads generate event ID 104 (provider Microsoft-Windows-Eventlog) in the System log. The Security log is the exception: clearing it produces event ID 1102 in the Security log itself rather than a 104 in System.

# Newest two 104 events, oldest first, with the UserData payload unwrapped
Get-WinEvent -FilterHashtable @{ LogName = 'System' ; Id = 104} -MaxEvents 2 | 
Sort TimeCreated | Foreach {
 ([xml]($_.ToXml())).Event.UserData.LogFileCleared
}


Event 104 records which account (SubjectDomainName\SubjectUserName) cleared which log (Channel) and whether the content was saved to a BackupPath first; an empty BackupPath means the events are gone.
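As an added example (not code from the original post, and not part of Sysmon or the .NET API), the two ClearLog overloads wrapped in a function that checks the log before touching it, plus a second function that reads the resulting 104 events back as objects. Function and parameter names are my own; it assumes an elevated PowerShell session on a host where the channel exists, and uses the Sysmon channel as the default.

```powershell
# Added example: clear a modern event channel (with optional backup) and audit the clear.
# Not from the original post; function/parameter names are assumptions, not Sysmon or .NET API.

function Clear-EventChannel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$LogName = 'Microsoft-Windows-Sysmon/Operational',
        # Optional .evtx path; when given, the events are saved there before the log is cleared.
        [string]$BackupPath
    )

    # Get-WinEvent -ListLog throws (with -ErrorAction Stop) if the log does not exist here.
    $cfg = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    Write-Verbose ("{0}: {1} records, classic log = {2}" -f $cfg.LogName, $cfg.RecordCount, $cfg.IsClassicLog)

    if ($BackupPath) {
        # Fail before the clear, not after it: refuse a missing directory or an existing file.
        $dir = Split-Path -Parent $BackupPath
        if ($dir -and -not (Test-Path -LiteralPath $dir -PathType Container)) {
            throw "Backup directory '$dir' does not exist"
        }
        if (Test-Path -LiteralPath $BackupPath) {
            throw "Backup file '$BackupPath' already exists; not overwriting it"
        }
    }

    if ($PSCmdlet.ShouldProcess($LogName, 'Clear event log')) {
        $session = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession
        if ($BackupPath) {
            $session.ClearLog($LogName, $BackupPath)   # second overload: save, then clear
        } else {
            $session.ClearLog($LogName)                # first overload: clear only
        }
    }
}

function Get-LogClearedEvent {
    param(
        # Only return clears of this channel; empty means all channels.
        [string]$Channel,
        [int]$MaxEvents = 50
    )

    # 104 is written by the Microsoft-Windows-Eventlog provider into the System log.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Channel     = $d.Channel
                Account     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                BackupPath  = $d.BackupPath
                # A clear with no backup is the one worth asking questions about.
                Backed      = -not [string]::IsNullOrEmpty($d.BackupPath)
            }
        } |
        Where-Object { [string]::IsNullOrEmpty($Channel) -or $_.Channel -eq $Channel }
}

# Usage: back up and clear the Sysmon channel, then show who cleared it.
Clear-EventChannel -BackupPath 'C:\Windows\Temp\sysmon.evtx' -Verbose
Get-LogClearedEvent -Channel 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 | Format-Table -AutoSize
```

Because the function supports ShouldProcess, running it with -WhatIf shows what would be cleared without touching the log. Get-LogClearedEvent only looks at the System log, so a cleared Security log (event 1102 in Security) will not show up in its output.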
