Do I need a third party tool for this?
I am curious, can you tell us why you need this? – Zoredache May 14 '09 at 19:16
Me too. Only evil things come to mind. – Stu Thompson May 14 '09 at 19:20
I have a request for this, too. For example: RDP has some problems with one of my printers. It shows up in the App log with a big fat X which is then picked up ALL OVER (especially on domain controllers, e.g. dcdiag etc.) and causes WAY more problems. Maybe the better question is: how to suppress logging of certain types of errors? – Matt Rogish May 14 '09 at 19:26
Evil, ha. I had an app accidentally write messages which were causing problems with a notification service. – JC. May 14 '09 at 19:30
@Matt Rogish the way to suppress logging of a certain type of error is to fix the error. The fact that it's logging some problem is indicating that something is wrong that should be fixed, and not a friendly reminder to fill your car up with gas. – mrTomahawk May 14 '09 at 19:30
After thinking about it; I agree. There shouldn't be a way to muck with the event log. – Matt Rogish May 14 '09 at 20:05
JC can you tell us a little more about what Event is being logged and to what Event Log... that is something that we can work with. – mrTomahawk May 14 '09 at 20:36
It's my own service I wrote. I was just curious if it could be done. – JC. May 14 '09 at 20:58
@Matt - The printer error in RDP is because you have printer sharing ticked on your RDP client, which it is by default. Simplest way to fix the problem is to un-tick the box. The problem occurs because the machine you're connecting to can't find the drivers for the printer since it is not a normal printer share. – BinaryMisfit May 14 '09 at 21:29
Diago: Yep but for some reason RDP doesn't remember my settings and since I remote into 3-5 servers on a near daily basis I never remember and the log is rife with my little droppings :( – Matt Rogish May 14 '09 at 23:11
@Zoredache, I am curious, can you tell us why you won't want this? – Pacerier Feb 27 '15 at 23:05
@Pa Did you read the accepted answer? Because I don't want a person to be able to easily cover their tracks of doing bad things by selectively deleting the log entries. Logs should generally be write-once, and read-only from a security perspective. – Zoredache Feb 27 '15 at 23:49
@mrTomahawk That's just silly. All kinds of mostly-useless informational messages get logged in the Windows event logs. Most of them do not indicate any error that needs fixing. – reirab Jul 27 '16 at 16:24
@Zoredache I wanted to do this because my machine rebooted itself at work without my knowledge, and I accidentally put my password in the *username* field and pressed enter. Bang, a log entry was created with my password in plain text. Since I couldn't delete a single entry, I had to clear the entire log to prevent my password from being accessible to others. Don't you think it would have been better if I were able to delete the single, offending entry? – Jeff G Oct 27 '16 at 20:10
@JeffG ... or you could just pay better attention to the dialog or change your password. Compromising your ability to audit by removing things from or clearing logs could actually put your job in jeopardy in the wrong environment. – JamieSee Mar 30 '17 at 20:40
@JamieSee I agree that it would have been easier if I didn't ever make a mistake. However, I am a human being, and mistakes happen. I have come up with a system for generating passwords such that they are hard to guess but easy(ish) to remember. Publicizing one of my passwords, even if I changed it immediately, still leaks information about the process I use to generate and remember my passwords. For my money, I choose security over log history. Feel free to choose differently depending on your situation. – Jeff G Apr 04 '17 at 01:07
@JamieSee Apparently, you're a person who's never made a typo. Congratulations to you. But for us, lesser mortals, we occasionally press tab out of habit, or even shift-tab, when in a hurry, type what we have in mind and press Enter. And while I'm quite careful when typing into a root terminal or Administrator cmdline, I don't tend to be super careful with a logon screen, because I rely on muscle memory. – user1628658 Dec 12 '19 at 14:25
Have you considered custom views? Or export to XML? That may go a long way in your quest. https://youtu.be/BFAff0pgBvg this is a well made tutorial – rrascal3 Jan 26 '20 at 03:35
7 Answers
The OP's post is valid. The number one problem with logging, error reporting, and alerting is white noise. When too many "errors" are reported and most of them are low priority or of no concern at all, administrators tend to ignore ALL errors. Good or bad, this is just a fact of life.
One of the errors he is talking about is (I think) event ID 1111. It simply means that you have a printer mapped with a driver that is not available on the server to which you are connected. It is an error of no concern in most cases ... there is nothing to "fix" as it is not a problem.
If you want to find actual problems and you have specific event ID's that you don't care to weed through, create a custom view with the following steps:
- In your event log click on "Filter Current Log" in the action pane.
- About half way down the dialog box that pops up, you will find a text box with <All Event IDs>.
- Replace this text with your filter needs.
- If you want only a certain event, put that event ID in there.
- If you have multiples, use commas to separate.
- If you wish to exclude, use a minus sign.
- In this case we would use "-1111" (without the quotes of course).
- Click "OK" on the dialog box.
- In the action pane you now click "Save Filter to Custom View".
Now when you wish to look at your event log, use your custom view and only the information you are truly concerned with will be displayed.
I know that this is a late post to a dead thread but hopefully it helps someone else who is Googling this more than posts of "[Working as intended, n00b!]" ;-)
- 113
- 6
- 371
- 1
- 3
- 2
That's filtering, not removing. You gave a great (and useful) answer to a question that wasn't asked, to be honest. – mfinni Mar 22 '11 at 15:00
@mfinni, And to be honest he hadn't given any answer to the question **asked**. The question 35k visitors to this page are asking. – Pacerier Feb 27 '15 at 23:08
This is a great and useful answer which matches the *intent* of the original question about as well as possible, given the limitations Microsoft impose. – MikeBeaton Mar 02 '15 at 17:26
I think comments on both sides are valid. Info on filtering is much more helpful than simply leaving an answer at "you can't". The accepted answer is the right answer and I +1'd it. The answer by @chad-patrick is also very helpful, and I +1'd this one too. But there is a flaw in Chad's answer, you shouldn't *just* use a minus sign on *event IDs*, as some apps use the same numbers. More rigorous filtering is required on the Provider And the event ID. Since detail on this is out of context, here's a starter link: http://bit.ly/1d9seDp – TonyG Apr 24 '15 at 15:12
Microsoft purposely prevents you from doing this. The whole concept of the Event Viewer is to present to you certain events that may require your attention. If one could go in and delete any random event, then the system could - in a sense - be compromised without you knowing, therefore making it unsafe.
If you have an error event logged, find out what is causing the problem and fix it. You don't want to patch a hole in a dam by sticking a wad of gum in the hole.
If something is logging informational or caution events too often, then many times the event log source (either Microsoft or a third-party) has some setting that indicates how often or to what level of logging is configured for the application. That is where you go to minimize the logging, not by doing surgery on the event log.
- 29,894
- 16
- 72
- 122
- 1,119
- 1
- 10
- 17
-
Only an administrator should be able to access logs, and if a malicious user has acquired administrative privileges to your box then you're already f'd. – bambams Sep 16 '13 at 18:20
@mrTomahawk, This is irrelevant. Apparently someone asking *"How can I remove specific events from the event log in Windows Server 2008?"* wants to do it. So how can we do it? If it's not possible, why? How could it be possible that it's not possible? – Pacerier Feb 27 '15 at 23:09
You have a valid point. But how does one filter out the events, rather than delete the events? If we get a lot of noise from something, and we are working on it, but we also want to see what else is having problems how do we do that? – John Rocha Jul 22 '16 at 16:21
@JohnRocha From a quick search, it appears that there is no "not" operator in their filtering. Which seems absurd. – reirab Jul 27 '16 at 16:23
@JohnRocha Doing custom queries against the event log uses a limited subset of XPath 1.0 to write queries in an XML format. XPath expressions in the Select element determine what you retrieve. The Suppress element follows the Select and removes items you don't want. – JamieSee Mar 31 '17 at 20:32
@mrTomahawk I don't require Microsoft to tell me how to Administrate my system. The requirement to delete only certain logs for perfectly legal [ all-round ] purposes for example: I want to delete the oldest 5% INFO level event logs, because I'm debugging a problem and a possible cause of a module not starting properly is a full Event log. The module is crucial, this "fix" is a part of the analysis so I can potentially request a change from the 3rd party vendor. But I don't want to delete EVERYTHING, because if I did, I could as well turn it off altogether. – user1628658 Dec 12 '19 at 14:15
The only thing you can do in Windows is clear the whole log. I only found one third party app that claims to do this, Winzapper; however, I have never used it and it states it is for NT and 2000, so I do not know if it will work for Server 2003/2008. Be aware that there is potential for corruption of the Event log when using these, so tread carefully.
- 38,158
- 6
- 77
- 113
What might solve your problem is to change the audit policies in group policy. Without knowing what specifically you want to not show up, I'm not sure if there's a setting for it, but here's an example.
In GPMC, drill down through Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy. There's not a TON of granularity here, but maybe you can get rid of what's filling up your logs. (My DCs aren't 2008, so this is what I've got from a 2003 AD perspective, hopefully it's not completely different)
- 7,892
- 5
- 32
- 56
-
Good point, but I don't think this deletes the **existing** logs. It only affects future logs. – Pacerier Feb 27 '15 at 23:12
There is no supported way to delete individual log entries from Windows Event Logs. This is purposely designed that way for a number of very good reasons.
The best way to address undesired log entries is to handle the events that generate them appropriately within the application. Also, selecting the appropriate log level, i.e. verbose, information, warning, error, and critical error, for each message being written is an important component in providing logs that are easy to filter. Some logging frameworks also provide the ability to roll up repeated identical events to a single log entry with a count.
Unfortunately, I have seen quite a few comments from people who appear to be missing a fundamental grasp of key computer security concepts. The events in a log, especially a security event log, are immutable for a reason. If events in the security event log could be deleted you would be lessening the security of the computer far more than having someone's password in the log because they typed it into the wrong text box. Good OS designers understand that people make mistakes and that a user's password may show up in the security event log. It is one of the reasons why security event logs are only allowed to be viewed by Administrators.
Providing the ability to delete individual events from the security log, however, allows an attacker to conceal their activities in a way that is much more difficult to spot than when clearing the entire log is the only delete-type operation that is provided. As a case in point refer to the Cover Tracks section on the Open Web Application Security Project (OWASP) site's Error Handling, Auditing and Logging page which states:
Cover Tracks
The top prize in logging mechanism attacks goes to the contender who can delete or manipulate log entries at a granular level, "as though the event never even happened!". Intrusion and deployment of rootkits allows an attacker to utilize specialized tools that may assist or automate the manipulation of known log files. In most cases, log files may only be manipulated by users with root / administrator privileges, or via approved log manipulation applications. As a general rule, logging mechanisms should aim to prevent manipulation at a granular level since an attacker can hide their tracks for a considerable length of time without being detected. Simple question; if you were being compromised by an attacker, would the intrusion be more obvious if your log file was abnormally large or small, or if it appeared like every other day's log?
I would further argue that anyone who has administrative access to a system should be engaging in a higher level of caution and attention to detail to begin with. Part of that is double-checking work as it is performed and stopping to read even common dialog boxes to safeguard against damaging mistakes.
See also:
- 151
- 3
You can write a .NET application to delete an event log and an event source.
Example source code as below:
```csharp
using System.Diagnostics;

class Program
{
    static void Main(string[] args)
    {
        // Both calls need administrative rights and act on a whole source or
        // whole log; neither can remove an individual entry.
        // Unregisters the source only; the log and its entries stay in place.
        EventLog.DeleteEventSource("YourEventSourceName");
        // Removes the entire log (file and registry key), losing every entry in it.
        EventLog.Delete("YourLogName");
    }
}
```
Reference: http://msdn.microsoft.com/en-us/library/system.diagnostics.eventlog(v=vs.100).aspx
- 7
- 2
-
How can I clear ALL entries Application event log?, not delete Application event log, only the entries – Kiquenet Jun 05 '14 at 07:15
-
You can delete the entry from this share registry location to remove the event:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog
- 8,561
- 21
- 31
- 47
-
No, you can't delete a specific event from there. You can delete / ruin event logs and providers from there. Not the same thing. – Rob Moir Mar 20 '18 at 13:32