通过脚本清理事件日志

Question 1

您无法执行正在尝试的操作。您可以保存或清除事件日志。清除时，您可以选择在清除之前保存事件。

编辑

再看看，这没什么用。如果不删除所有事件，您就无法从事件日志中删除某些事件。但是，您可以根据过滤器导出某些事件。例如，以下命令将导出过去 24 小时内记录到系统事件日志的所有事件：

wevtutil epl system c:\system.evtx /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"

这是否更接近您的期望？如果不是，您能否说明我们是否能提供更多帮助？

Answer

您无法执行正在尝试的操作。您可以保存或清除事件日志。清除时，您可以选择在清除之前保存事件。

编辑

再看看，这没什么用。如果不删除所有事件，您就无法从事件日志中删除某些事件。但是，您可以根据过滤器导出某些事件。例如，以下命令将导出过去 24 小时内记录到系统事件日志的所有事件：

wevtutil epl system c:\system.evtx /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"

这是否更接近您的期望？如果不是，您能否说明我们是否能提供更多帮助？

Question 2

发现了这个：

If WScript.Arguments.Count > 1 Then
    WScript.Echo
    WScript.Echo "Usage: cscript ""Clear Event Logs.vbs"" [computer name]"
    WScript.Echo
    WScript.Quit
End If

Dim strComputer ' As String

If WScript.Arguments.Count > 0 Then
    strComputer= WScript.Arguments(0)
Else
    strComputer= "localhost"
End If

ClearEventLogs strComputer

WScript.Echo "Done"

Private Sub ClearEventLogs( _
    strComputer)

    WScript.Echo "Clearing event logs on " & strComputer & "..."

    Set objWMIService = GetObject( _
        "winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" _
            & strComputer & "\root\cimv2")

    Set colLogFiles = objWMIService.ExecQuery( _
        "Select * from Win32_NTEventLogFile")

    For Each objLogfile in colLogFiles
        ClearEventLog strComputer, objLogfile.LogfileName
    Next
End Sub

Private Sub ClearEventLog( _
    strComputer, _
    strEventLogName)

    WScript.Echo "Clearing '" & strEventLogName & "' event log on " _
        & strComputer & "..."

    Set objWMIService = GetObject( _
        "winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" _
            & strComputer & "\root\cimv2")

    Set colLogFiles = objWMIService.ExecQuery( _
        "Select * from Win32_NTEventLogFile where LogFileName='" _
            & strEventLogName & "'")

    For Each objLogfile in colLogFiles
    Dim backupFilename
    backupFilename= "C:\" & strEventLogName & "_" & GetFormattedTimestamp() _
        & ".evt"

        errBackupLog = objLogFile.BackupEventLog(backupFilename)
        If errBackupLog <> 0 Then        
            WScript.Echo "The " & strEventLogName & " event log on " _
                & strComputer & " could not be backed up."
        Else
            objLogFile.ClearEventLog()
        End If
    Next
End Sub

Private Function GetFormattedTimestamp()
    Dim timestamp
    timestamp = Now

    GetFormattedTimestamp = Year(timestamp) _
        & LPad(Month(timestamp), 2, "0") _
        & LPad(Day(timestamp), 2, "0") _
        & "_" & Replace(FormatDateTime(timestamp, 4), ":", "")

End Function

Private Function LPad( _
    strValue, _
    nLength, _
    strPadCharacter)

    Dim strPaddedValue

    strPaddedValue = strValue

    While (Len(strPaddedValue) < nLength)
        strPaddedValue = strPadCharacter & strPaddedValue
    WEnd

    LPad = strPaddedValue
End Function

这里：http://blogs.msdn.com/b/jjameson/archive/2011/03/01/script-to-clear-and-save-event-logs.aspx

博客中的另一个注释：使用 cscript 而不是 wscript 来运行它。

Answer

发现了这个：

If WScript.Arguments.Count > 1 Then
    WScript.Echo
    WScript.Echo "Usage: cscript ""Clear Event Logs.vbs"" [computer name]"
    WScript.Echo
    WScript.Quit
End If

Dim strComputer ' As String

If WScript.Arguments.Count > 0 Then
    strComputer= WScript.Arguments(0)
Else
    strComputer= "localhost"
End If

ClearEventLogs strComputer

WScript.Echo "Done"

Private Sub ClearEventLogs( _
    strComputer)

    WScript.Echo "Clearing event logs on " & strComputer & "..."

    Set objWMIService = GetObject( _
        "winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" _
            & strComputer & "\root\cimv2")

    Set colLogFiles = objWMIService.ExecQuery( _
        "Select * from Win32_NTEventLogFile")

    For Each objLogfile in colLogFiles
        ClearEventLog strComputer, objLogfile.LogfileName
    Next
End Sub

Private Sub ClearEventLog( _
    strComputer, _
    strEventLogName)

    WScript.Echo "Clearing '" & strEventLogName & "' event log on " _
        & strComputer & "..."

    Set objWMIService = GetObject( _
        "winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" _
            & strComputer & "\root\cimv2")

    Set colLogFiles = objWMIService.ExecQuery( _
        "Select * from Win32_NTEventLogFile where LogFileName='" _
            & strEventLogName & "'")

    For Each objLogfile in colLogFiles
    Dim backupFilename
    backupFilename= "C:\" & strEventLogName & "_" & GetFormattedTimestamp() _
        & ".evt"

        errBackupLog = objLogFile.BackupEventLog(backupFilename)
        If errBackupLog <> 0 Then        
            WScript.Echo "The " & strEventLogName & " event log on " _
                & strComputer & " could not be backed up."
        Else
            objLogFile.ClearEventLog()
        End If
    Next
End Sub

Private Function GetFormattedTimestamp()
    Dim timestamp
    timestamp = Now

    GetFormattedTimestamp = Year(timestamp) _
        & LPad(Month(timestamp), 2, "0") _
        & LPad(Day(timestamp), 2, "0") _
        & "_" & Replace(FormatDateTime(timestamp, 4), ":", "")

End Function

Private Function LPad( _
    strValue, _
    nLength, _
    strPadCharacter)

    Dim strPaddedValue

    strPaddedValue = strValue

    While (Len(strPaddedValue) < nLength)
        strPaddedValue = strPadCharacter & strPaddedValue
    WEnd

    LPad = strPaddedValue
End Function

这里：http://blogs.msdn.com/b/jjameson/archive/2011/03/01/script-to-clear-and-save-event-logs.aspx

博客中的另一个注释：使用 cscript 而不是 wscript 来运行它。

通过脚本清理事件日志

答案1

答案2

相关内容