In the November 2001 issue, you describe Arne Vidstrom's WinZapper—a GUI tool that can selectively delete log entries from the Windows NT Event Viewer log files. Do you know a command-line tool I can use to clear all events from, for example, the Security log? If such a tool exists, can I use it to delete the log files from remote machines? Which privileges would I need to delete the files? Also, could intruders use the tool to cover up their tracks?
You can use Jesper Lauritsen's ELSave (elsave.exe) tool to delete entire event logs. You can download this tool from Lauritsen's Web site at http://www.ibt.ku.dk/jesper/elsave. You can also use ELSave to delete the event logs on a remote machine. For example, to clear the entire Security log on a machine named Tiger, type the command
elsave -s \\tiger -l security -C -q
where the -s switch specifies the server name, the -l switch specifies the event log (i.e., System, Application, or Security) you're targeting, the -C switch tells ELSave to clear the log, and the -q switch makes ELSave write an error to the local event log if something goes wrong. This command works only if you can resolve the name of the machine and you have sufficient privileges on the Tiger machine. To test name resolution, try to ping the machine by its machine name. To access the event logs, you need at least Administrator access. Unless intruders can access your system's Administrator account, they can't use ELSave to cover their tracks. (Similarly, intruders would need Administrator access to use WinZapper to cover their tracks.) For some tips about how to protect your NT Administrator accounts, read my March 2001 NT Gatekeeper column, InstantDoc ID 19932.
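The column's answer to the intruder question is prevention (protect the Administrator account); a defender also wants to detect a cleared log after the fact. Whatever tool clears the Security log, Windows writes a "The audit log was cleared" record as the first entry in the freshly emptied log (event ID 517 on NT 4/2000/XP/2003, event ID 1102 on Vista and later), naming the account that did it. The script below is an added example, not code from the column or from ELSave: it scans a comma-separated Security-log export (a constructed sample in the Event Viewer export layout, not a real capture) for those event IDs and flags any clear performed by an account outside a hypothetical list of administrators expected to do so. The account names, computer name, and timestamps are made up.

```python
"""Flag 'audit log cleared' events in an exported Security log.

Added example (not from the column). Event ID 517 (NT 4/2000/XP/2003)
or 1102 (Vista and later) is written to the Security log whenever it is
cleared, regardless of the tool used. The export layout below is modelled
on an Event Viewer CSV export; the records themselves are constructed.
"""
import csv
import io

# Event IDs that record clearing of the Security log.
LOG_CLEARED_IDS = {517, 1102}

# Constructed sample export. Columns:
# Date,Time,Source,Category,EventID,User,Computer,Description
SAMPLE_EXPORT = """\
11/20/2001,08:59:12,Security,Logon/Logoff,528,TIGER\\jdoe,TIGER,Successful Logon
11/20/2001,09:01:03,Security,System Event,517,TIGER\\Administrator,TIGER,The audit log was cleared
11/20/2001,09:01:05,Security,Logon/Logoff,540,TIGER\\svc_backup,TIGER,Successful Network Logon
11/20/2001,23:41:30,Security,System Event,517,TIGER\\svc_backup,TIGER,The audit log was cleared
"""

FIELDS = ["date", "time", "source", "category",
          "event_id", "user", "computer", "description"]


def parse_export(text):
    """Parse the CSV export into a list of dicts; event_id becomes an int."""
    records = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["event_id"] = int(row["event_id"])
        records.append(row)
    return records


def find_log_clears(records, expected_admins=()):
    """Return one finding per log-clear event.

    expected_admins is a hypothetical policy list of accounts allowed to
    clear the log; a clear by any other account is marked unexpected.
    """
    findings = []
    for rec in records:
        if rec["event_id"] not in LOG_CLEARED_IDS:
            continue
        findings.append({
            "when": f"{rec['date']} {rec['time']}",
            "computer": rec["computer"],
            "user": rec["user"],
            "event_id": rec["event_id"],
            "expected": rec["user"] in expected_admins,
        })
    return findings


def report(findings):
    """Render findings as one line each, tagging unexpected clears."""
    lines = []
    for f in findings:
        tag = "expected" if f["expected"] else "UNEXPECTED"
        lines.append(f"{f['when']} {f['computer']}: log cleared by "
                     f"{f['user']} (event {f['event_id']}) [{tag}]")
    return lines


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    admins = {"TIGER\\Administrator"}  # hypothetical allow-list
    for line in report(find_log_clears(recs, expected_admins=admins)):
        print(line)
```

Because the cleared-log event is itself inside the log that was just emptied, an intruder with Administrator rights could clear it again or tamper with it; the record is only trustworthy if the Security log is also being copied off the machine (to a central log collector) before it can be cleared, which is the check to pair with this script.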