The below script can be used to clear the archived event logs in a group of Windows Servers, in a manual or automated fashion.

For optimal results, you should run this script in the PowerShell console in Administrator Mode and as a scheduled task.

Copy and paste the below script to notepad and save it as clear_evtlogarc.ps1. By default, the script will remove any logs older than 6 months. If you want to change this, change the $days to an amount that works for you.

You will need to create a text file named evtservers.txt containing the list of servers you want this script to check when it runs. One server per line. It can be the NetBIOS name (server01) or the DNS name (server01.domain.com)

If the above text file is not there, the script will not run.

Once you have created the text file, you can run this by typing .\clear_evtlogarc.ps1

The script will generate a transcript of activity at the location where the script is running to provide you details with what actions were performed for later review.

# -----------------------------------------------------------------
# Clear Event Log Archives
# Created by: Christopher Clai - www.syntaxbearror.io
# Using components from Josh Townsend (josh.townsend@clearpathsg.com) http://vmtoday.com/2012/12/cleanup-archived-event-logs-with-powershell/
# -----------------------------------------------------------------
# Version 1.0 (August 10th, 2018)
# -----------------------------------------------------------------
#
# Example of running the script:
# .\clear_evtlogarc.ps1 
#
#
# ##### CHANGELOG ########
# Version 1.0
# - 
#
#

# Edit"Days" for the amount of days you want to hold Archives on a system for.
$Days = "183" 

# Create a list of servers and save them as a text file. One server per line.
$servers = get-content evtservers.txt 


# -----
# DO NOT EDIT ANYTHING BELOW THIS LINE
# -----

#Format the date we want.
$Now = Get-Date 
$LastWrite = $Now.AddDays(-$days)

#Define the file filter
$filter = "Archive*.evtx" 

# Begin Transcript

    Start-Transcript -Path "results_clearevtlogarc.txt" -Append

#Write Log Entry

    Write-EventLog -LogName Application -Source "Syntax Bearror" -EntryType Information -EventID 10 -Message "Event Log Achive Cleaner has started as a scheduled task. Results written to results_clearevtlogarc.txt."

# Go through the loop
ForEach ($server in $servers) { 

Write-Host "Checking $server ... `n"

$locale = "\\$server\C$\Windows\System32\Winevt\Logs\"


    get-childitem -recurse "$locale" | Where-Object {($_.Name -like $filter) -and ($_.LastwriteTime -lt $LastWrite)}  | remove-item -recurse -force 

} 


# Complete the Transcript
Stop-Transcript

Leave a Comment

Your email address will not be published.