Summary: Learn how to use Windows PowerShell to check disk space used by logs, and to clear those logs to reclaim space.
Microsoft Scripting Guy Ed Wilson here. One of the things I found as I was researching ways to enable and to disable the ETW trace logs is that a seemingly large number of people wanted a way to clear out all the logs. Before I get too carried away, you might want to review some of the other articles in this series about using Windows PowerShell to work with the Windows trace logs.
In Saturday’s Weekend Scripter post, I talked about working with Event Tracing for Windows (ETW) logs. I discussed how to enable and disable the logs, and how to use the Get-WinEvent cmdlet to find and to read the trace. On Monday, I continued the ETW discussion by examining the datetime stamp that is generated for each event. On Tuesday, I explored parsing the message property of the WMI Activity Trace log. On Wednesday, I talked about using Windows PowerShell to troubleshoot software installation. Yesterday, I talked about automating the enabling and disabling of trace logs to assist in troubleshooting specific problems.
One thing I feel I should do before showing you the one-line command to clear all event logs and trace logs on your system is to say I do not think it is a great idea. Some of the things I read seem to indicate there are massive disk space gains to be achieved by emptying all the logs. I do not think this is necessarily true. On my Windows 7 Ultimate workstation, which is a relatively fresh install and maintains all of the defaults in regard to logging, my log and trace files consume only 68 MB of disk space. On my heavily managed corporate laptop with a two-year-old install of Windows 7 Enterprise, the amount of disk space consumed is 221 MB. The disk space savings are therefore minuscule.
On the other hand, if you ever need to do troubleshooting or security analysis, the logs are your primary source of information. In case you want to know, the following command is what I ran to get the amount of space consumed by the logs. The % sign is an alias for the ForEach-Object cmdlet. The += operator means to take the value stored in the $size variable and add to it the amount in the filesize property of each log as it streams over the pipeline. The semicolon character begins a new command, and I use the 1MB administrative constant to convert the bytes stored in the $size variable into megabytes.
Get-WinEvent -ListLog * -Force | % { $size += $_.filesize } ; $size/1MB
Digression aside, as is often the case with things on the Internet, it seems one person had written a batch file to clear all of the log files, and then his or her solution has been replicated to dozens of other sites. The batch file was several hundred lines long, and unfortunately, the author missed several logs. As a result, the file did not accomplish everything it purported to do.
Using Windows PowerShell, it does not take several hundred lines of code to clear all the logs and trace files on the system. It takes a single line of code. The first thing to do is to get a listing of all the logs on the system. I have used this portion of code numerous times this week and will therefore not add additional commentary. Here is the code that retrieves all the logs:
Get-WinEvent -ListLog * -Force
When I have a collection of log objects, I pipe them to the ForEach-Object cmdlet (% is an alias for the ForEach-Object cmdlet, and it is commonly used when working interactively on the Windows PowerShell console). As each log object comes across the pipeline, I use the wevtutil command to clear each log. I pass the logname property from the current object to the utility. That is it. The completed command is shown here:
Get-WinEvent -ListLog * -Force | % { Wevtutil.exe cl $_.logname }
On my system, an error appears. The error states that it is unable to clear the DebugChannel log. That is not a problem, however, and is actually expected when clearing 492 logs. After I have run the command to clear all the logs, I go back and run the command to obtain the current log size. I have reduced space utilization from 68 MB to 9 MB—woohoo! The commands and associated output are shown in the following figure.
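As an added example (not code from the original post), the script below builds on the two one-liners above: it reports which logs actually account for the space before anything is cleared, and for the logs that do need clearing it uses the /bu: switch of wevtutil cl to write an .evtx backup first, so the events stay available for later troubleshooting or security analysis. The $ArchiveDir path and the $MinSizeMB threshold are assumptions chosen for illustration.

```powershell
# Added example: size report, then archive-and-clear for the largest logs only.
# $ArchiveDir and $MinSizeMB are illustrative assumptions; adjust for your environment.
$ArchiveDir = 'C:\LogArchive'
$MinSizeMB  = 5

# Same enumeration the post uses, kept as objects so they can be sorted and filtered.
# Some logs cannot be opened without elevation; skip those rather than stop.
$logs = Get-WinEvent -ListLog * -Force -ErrorAction SilentlyContinue

# Total size, computed with Measure-Object instead of a running $size variable.
$totalMB = ($logs | Measure-Object -Property FileSize -Sum).Sum / 1MB
"{0} logs, {1:N1} MB on disk" -f $logs.Count, $totalMB

# The handful of logs that actually consume the space, largest first.
$logs | Sort-Object FileSize -Descending |
    Select-Object -First 10 LogName, RecordCount,
        @{ Name = 'SizeMB'; Expression = { [math]::Round($_.FileSize / 1MB, 2) } } |
    Format-Table -AutoSize

# Back up, then clear, only the logs above the threshold. "wevtutil cl <log> /bu:<file>"
# writes an .evtx copy of the log before clearing it, so nothing is lost.
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($log in $logs | Where-Object { $_.FileSize -gt $MinSizeMB * 1MB }) {
    # Log names such as Microsoft-Windows-WMI-Activity/Trace contain '/', which is
    # not valid in a file name, so replace path separators for the backup file.
    $safeName = $log.LogName -replace '[\\/]', '-'
    $file = Join-Path $ArchiveDir ("{0}-{1}.evtx" -f $safeName, $stamp)
    wevtutil.exe cl $log.LogName /bu:"$file"
    if ($LASTEXITCODE -ne 0) {
        # Some logs (the post mentions DebugChannel) refuse to clear; report and continue.
        Write-Warning ("Could not clear {0} (exit code {1})" -f $log.LogName, $LASTEXITCODE)
    }
    else {
        "Archived and cleared {0} -> {1}" -f $log.LogName, $file
    }
}
```

Run it from an elevated Windows PowerShell console; the backup files it writes can be read back later with Get-WinEvent -Path.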
Well, this concludes Troubleshooting Windows Week. Join me tomorrow for Weekend Scripter. We have a guest article by Windows PowerShell MVP Sean Kearney.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy