How to use PowerShell or any other option to delete certain DNS Analytical logs from event logs?


Hi Everyone,

I have a requirement to enable and collect DNS Analytical logs from Event Viewer to ArcSight (SIEM tool). I am able to fetch the logs, but I have to select "Do not overwrite events (Clear logs manually)" because that is what is recommended. If I select the option of overwriting logs and clearing based on the old events, I am unable to fetch the logs.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn...

The above link is to the article which recommends using the option of not overwriting events.

Now, since the file size is huge and it is not feasible to delete older logs manually, we need some PowerShell script or some other mechanism to delete the old logs, and that script can be scheduled using Task Scheduler to automate it.

Is there any way I can delete certain dated old logs (e.g. logs older than 1 hour) and achieve my requirement?

Regards,

Mitesh Agrawal

1 Reply

Sounds like you may be better off using file based logging.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc776361(v=ws....

Selective deletes from an active evtx may be problematic.
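One way to meet the original requirement without attempting selective deletes from the live channel (an added example, not code from either poster): rotate the Microsoft-Windows-DNSServer/Analytical channel on a schedule by exporting it whole to a timestamped .evtx archive and then clearing it. The archive directory and retention period are assumptions; the channel name and the wevtutil subcommands are real.

```powershell
# Added example (not from the thread). Rotates the DNS Analytical channel
# instead of deleting individual events: export the whole channel to a
# timestamped .evtx archive, then clear it. Assumed values: $ArchiveDir
# and $KeepArchivesDays; adjust them for your environment.
param(
    [string]$LogName          = 'Microsoft-Windows-DNSServer/Analytical',  # built-in channel
    [string]$ArchiveDir       = 'D:\DnsAnalyticalArchive',                 # assumed location
    [int]   $KeepArchivesDays = 7                                          # assumed retention
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $ArchiveDir "DNSServer-Analytical-$stamp.evtx"

# Analytic/Debug channels must be disabled before they can be cleared.
wevtutil sl $LogName /e:false
if ($LASTEXITCODE -ne 0) { throw "Could not disable $LogName" }

try {
    # Export first so every event is preserved for investigation before the clear.
    wevtutil epl $LogName $archive
    if ($LASTEXITCODE -ne 0) { throw "Export failed; not clearing $LogName" }

    wevtutil cl $LogName
    if ($LASTEXITCODE -ne 0) { throw "Clear failed for $LogName" }
}
finally {
    # Always re-enable so collection resumes even if the export or clear failed.
    wevtutil sl $LogName /e:true
}

# Prune archives older than the retention window.
Get-ChildItem -Path $ArchiveDir -Filter 'DNSServer-Analytical-*.evtx' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepArchivesDays) } |
    Remove-Item -Force

Write-Host "Rotated $LogName -> $archive"
```

Run it from Task Scheduler at the interval you would otherwise have used as the deletion age (for example hourly), keeping the SIEM connector pointed at the live channel; the archives are there only for later investigation.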