Any way to remove all entries from the Windows event logs (Application, System & Software) apart from the last 24 hours?
Via command line such as batch file.
On Windows 2008 R2 Server & Windows 7
Windows – Clean up event log by script
windowswindows-event-log
Related Solutions
For Windows Vista, 7 and 2008:
The Windows-Eventcollector service (wecsvc) on the source-computers, which forwards the events to the collector-computer(s) if you are using Source-initiated Subscription, runs as "Network Service" account. But the Network-Service account does not have access to the Security event log. The local group "Event Log Readers" has access to all logs. That means on each source-computer you need to add the "Network Service" account to the local "Event Log Readers" group so the Windows-Eventcollector service has access to the Security event log and so it can forward it to the collector-computer(s).
Using SDDL (Security Descriptor Definition Language) you can also redefine the permissions on the different event logs using wevtutil, but that is more complex, which means you could easily break something or cause unwanted effects if you don't read up on this and carefully formulate the SDDL before you do anything.
Related Topic
- Windows – Totally removing Windows Event Logs
- Windows – How to export all System event logs of a definite time period
- Can you view an individual events size in the Windows Event Log
- Windows Server – Restart/Shutdown History
- Windows event log export – how to get general description
- Windows – Why is the Application event log getting cleared every night
- Powershell – Reporting Event Log content via triggered Email Windows 2012
- Windows – Grant access to Event Viewer “Application and Services Logs” via GPO
Best Answer
You can't do what you are trying to do. You can either save or clear an event log. When you clear, you can optionally save the events before clearing.
EDIT
Looking again, that wasn't very helpful. You can't remove some events from an event log without removing them all. You can, however, export some events based on a filter. For example, the following command will export all events logged to the System event log in the last 24 hours:
wevtutil epl system c:\system.evtx /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"Does this get closer to what you want? If not, can you clarify if there is something more we can help with?