Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

Clear an Event Log

Applies To: Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Vista

You can clear events in an event log by using Event Viewer or by using the wevtutil command on a command line.

To clear an event log by using Event Viewer

  1. Start Event Viewer.

  2. In the console tree, navigate to the event log you want to clear.

  3. On the Action menu, click Clear Log .

  4. You can either clear the event log or save a copy of the event log and then clear it.

    • To clear the event log without saving: Click Clear .

    • To clear the event log after saving: Click Save and Clear , type a name for the saved file in File name on the Save As dialog box and click Save .

To clear an event log by using a command line

  1. To open a command prompt, click Start , type cmd in the Start Search box, and then press Enter .

  2. Type the following command:

    wevtutil cl <LogName> [/bu: <backup_file_name>]

To learn more about the clear log option of the wevtutil command-line tool, type the following command at a command prompt:

wevtutil cl -?

Additional considerations

  • You must have Clear permission on the log to perform this operation. By default, Administrators have permission to clear event logs. To set the Clear permission on a log for other groups, type the following command at a command prompt:

    wevtutil sl <LogName> /ca:<SecurityDescriptor> 
    The Security Descriptor for each log is specified by using Security Descriptor Definition Language (SDDL) syntax. For more information about SDDL syntax, see Security Descriptor Definition Language at the MSDN Web site.

    To construct an SDDL string, note that there are three distinct rights that pertain to event logs: Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:

    • 1= Read

    • 2 = Write

    • 4 = Clear

    To see the SDDL string for a log, type the following command at a command prompt:

    wevtutil gl <LogName>
    The following example shows how to add Clear permission to the Application log for the Backup Operators group (A;;0x4;;;BO):

    wevtutil sl Application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x4;;;BO)

Additional references

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2015 Microsoft