除了打开事件查看器并以交互方式逐个清除日志外,还有哪些不同的选项可以清除 Windows 2003 中的事件日志?我不认为 powershell 是一个选项,因为它也需要下载。
答案1
您可以使用 VB 脚本和 WMI (均内置于 Windows)...
此 VBS 代码将尝试将每个日志备份到 C:\temp,然后清除它们(如果它们已成功备份):
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Backup)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile")
For Each objLogfile in colLogFiles
logfileName = objLogFile.LogfileName
Wscript.Echo "Processing " + logfileName + " log..."
errBackupLog = objLogFile.BackupEventLog("c:\temp\" + objLogFile.FileName + ".evt")
If errBackupLog <> 0 Then
Wscript.Echo "The " + logfileName + " event log could not be backed up."
Else
objLogFile.ClearEventLog()
End If
Next
将其保存到文本文件中(即LogClear.vbs
:),然后cscript LogClear.vbs
从命令行执行它。
答案2
来源服务器故障回答保存和清除事件日志ServerFault 的答案巴特·德·沃斯
现在您可以使用 SysInternals 工具来实现这一点,它叫日志列表. 它取代了 Windows 2K 中的 EventLog.pl。
您需要使用 -c 选项清除命令后的日志,并使用 -g 选项指定文件。(由于某些奇怪的原因,-g 不在使用帮助中)。
usage: psloglist [- ] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]] [-o event source[,event source][,..]]] [-q event source[,event source][,..]]] [-l event log file] <eventlog>
@file Execute the command on each of the computers listed in the file.
-a Dump records timestamped after specified date.
-b Dump records timestamped before specified date.
-c Clear the event log after displaying.
-d Only display records from previous n days.
-c Clear the event log after displaying.
-e Exclude events with the specified ID or IDs (up to 10).
-f Filter event types with filter string (e.g. "-f w" to filter warnings).
-h Only display records from previous n hours.
-i Show only events with the specified ID or IDs (up to 10).
-l Dump records from the specified event log file.
-m Only display records from previous n minutes.
-n Only display the number of most recent entries specified.
-o Show only records from the specified event source (e.g. \"-o cdrom\").
-p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
-q Omit records from the specified event source or sources (e.g. \"-q cdrom\").
-r SDump log from least recent to most recent.
-s This switch has PsLogList print Event Log records one-per-line, with comma delimited fields. This format is convenient for text searches, e.g. psloglist | findstr /i text, and for importing the output into a spreadsheet.
-t The default delimeter is a comma, but can be overriden with the specified character.
-u Specifies optional user name for login to remote computer.
-w Wait for new events, dumping them as they generate (local system only).
-x Dump extended data
eventlog eventlog
如果您需要可以远程执行的命令,则需要如下命令:
psexec \\servername -c psloglist.exe -c -g application.evt application