
I am trying to figure out a way to delete only a single entry (identified via EventRecordID, found in the Details > XML View) from a Windows Log file (.evtx extension).

I have tried so far via PowerShell, but with the latest version you can only delete via EventID, and there are cases where multiple records have the same EventID.

There are no restrictions regarding the language of the script. Currently testing on 2012R2.

Thanks in advance!

BasicDave
  • Get the list, search the dataset for a specific unique string, then delete that one. – postanote Oct 30 '20 at 19:56
  • @postanote I've tried using .NET Framework, but the functionality provided by the framework is limited. I think the only way is to iterate with the EventRecord class and create a new log file with all the records except that one entry, all done with the EventLog.WriteEntry(...) function. Going this way, am I missing important information from the original log file? Also, thank you for your guidance, but I require something more... practical (code, for example). – BasicDave Oct 31 '20 at 09:05
  • You say you've tried. *** Post the code you tried. *** You are not saying what event or what log, forcing folks to guess and thus making it hard to help. Unless you have a unique string of interest in the target entry to delete, you are in a catch-22, since you'd have nothing to filter for. PowerShell has built-in event cmdlets [ Get-Command -Name 'Get-*event*' | Format-Table -AutoSize ], specifically Get-WinEvent. See the help file examples. You have to filter for the EventID and a specific unique string, so this means parsing the message part of the event. Many examples exist online. – postanote Nov 03 '20 at 07:40
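Added example (not posted by the asker or any commenter): the Windows Event Log API has no call that removes one record from a log or a saved .evtx, so the practical route is the one the asker sketches in the comments, a new file containing every record except the target. Rebuilding it with EventLog.WriteEntry would create fresh records with new timestamps and record IDs, and hand-patching the binary would break the per-chunk CRC checksums that make the file readable. The script below instead uses wevtutil epl with an XPath query so the surviving records are copied as they are. It assumes hypothetical placeholder paths, a $TargetRecordId taken from Details > XML View, wevtutil.exe and Get-WinEvent on the host, and that wevtutil's /q: filter accepts the `!=` operator on System/EventRecordID (part of the Windows XPath 1.0 subset). The verification step at the end confirms on your build that exactly one record was dropped and that the target is absent.

```powershell
# Added example, not from the original question: drop one record, identified by
# EventRecordID, from a saved .evtx by exporting every other record to a new file.
# Assumptions: placeholder paths, wevtutil.exe and Get-WinEvent available,
# and the script is run with rights to read the source file.
param(
    [Parameter(Mandatory)][string]$SourceEvtx,      # e.g. C:\logs\export.evtx (placeholder)
    [Parameter(Mandatory)][string]$DestinationEvtx, # new file; overwritten if present
    [Parameter(Mandatory)][long]$TargetRecordId     # value from Details > XML View
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SourceEvtx)) {
    throw "Source file not found: $SourceEvtx"
}

# XPath filters shared by the pre-check and the export. The Windows XPath subset
# supports =, !=, <, >, <=, >= on System fields such as EventRecordID.
$matchTarget  = "*[System[EventRecordID=$TargetRecordId]]"
$allButTarget = "*[System[EventRecordID!=$TargetRecordId]]"

# Get-WinEvent throws when a filter matches nothing, so suppress that and
# count the results instead of relying on the exception.
function Get-RecordCount {
    param([string]$Path, [string]$XPath = '*')
    @(Get-WinEvent -Path $Path -FilterXPath $XPath -Oldest -ErrorAction SilentlyContinue).Count
}

$sourceTotal = Get-RecordCount -Path $SourceEvtx
if ((Get-RecordCount -Path $SourceEvtx -XPath $matchTarget) -ne 1) {
    throw "EventRecordID $TargetRecordId not found (or not unique) in $SourceEvtx"
}

# Export everything except the target record. /lf:true tells wevtutil that the
# first argument is a file path rather than a channel name; /ow:true overwrites.
& wevtutil.exe epl $SourceEvtx $DestinationEvtx /lf:true /ow:true "/q:$allButTarget"
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil epl failed with exit code $LASTEXITCODE"
}

# Verify: the target is gone from the copy and exactly one record was dropped.
$destTotal = Get-RecordCount -Path $DestinationEvtx
$leftover  = Get-RecordCount -Path $DestinationEvtx -XPath $matchTarget
if ($leftover -ne 0 -or $destTotal -ne ($sourceTotal - 1)) {
    throw "Verification failed: source=$sourceTotal destination=$destTotal target-still-present=$leftover"
}
"Wrote $DestinationEvtx with $destTotal of $sourceTotal records; EventRecordID $TargetRecordId removed."
```

Usage: `.\Remove-EvtxRecord.ps1 -SourceEvtx C:\logs\export.evtx -DestinationEvtx C:\logs\export-trimmed.evtx -TargetRecordId 12345` (script name and paths are placeholders). Keep the original file; the output is a derived copy, and an exported .evtx is a saved log, not a live channel, so this does not alter what the event service holds for Application, Security or any other channel. If a record ID that should be unique turns up more than once, the pre-check refuses to continue, which is the same catch-22 postanote describes: without a unique key there is nothing safe to filter on.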

0 Answers