Rotate Windows Event Logs with PowerShell or CMD Batch


Whenever you're dealing with log management, you often end up wanting to do log rotation — where the existing logs are archived somewhere out-of-the-way, and the active logs are cleared. These are scripts that will handle that, for both Event Viewer logs, and ordinary text file logs.


This was originally written as a CMD batch file (sometimes called BAT or DOS, although this is NT-only). Later, I rewrote it in PowerShell.

Both PowerShell and CMD batch versions are provided here. The PowerShell version is recommended unless you have a good reason not to use it; it does have a few improvements.

The PowerShell version follows the CMD version fairly closely, with improvements generally localized to the same portions vs the CMD original. It thus also provides an example of how to convert a script from CMD to PowerShell.

Download PowerShell: Rotate-Logs.ps1

Download CMD Batch: rotate_logs.CMD


Both scripts have documentation embedded at the start of the file. For PowerShell, this is available using Get-Help as well.

Here a few examples to get you started. (These are using the PowerShell variation, but the CMD flavor would be the same, except for the name.)

Rotate-Logs C:\logs ALL

Attempt to rotate every Windows log on the system. Archives are placed in a folder under C:\logs with subfolder names based on the hostname and date.

Rotate-Logs C:\logs WIN*System WIN*Application WIN*Security

Rotate only the three traditional Windows Event logs. Archive the same way.

Rotate-Logs C:\logs FILE*C:\Windows\SETUPACT.log*Active_Setup.LOG

Rotate the SETUPACT.LOG file, renaming it as Active_Setup.LOG in the process.

Rotate-Logs \\SERVER1\logs \\SERVER1\logs\loglist.txt

Rotate logs listed in a file on a file server, archiving to subfolders on the same file server. Since the subfolders include the hostname (computer name), this same command can be used on every computer on a domain, without file name collisions. This makes it easier to use in a command pushed from a central computer or policy, for example.

This assumes \\SERVER1\logs\loglist.txt exists, of course. If the file does not exist, the argument is assumed to be a logspec, leading to an error, since a bare file name/path cannot be valid logspec syntax.

See the docs for more information.

PowerShell Shortliner

This is a much less sophisticated solution, that has the advantage of being easier to type in from memory or paper. This rotates all Windows Event Viewer logs, archiving them to files in the current directory. It's up to you to make the directory.

(Shortliner is my own term. It is similar to a one-liner, except we trade line-breaks for intelligibility.)

$x = '[^-_A-Za-z0-9]'
$s = New-Object System.Diagnostics.Eventing.Reader.EventLogSession

Get-WinEvent -EA SilentlyContinue -Force -ListLog * | where RecordCount -gt 0 |%{
        $n = $_.LogName
        $f = $n -replace $x, '_'
        $f = $pwd.Path + '\' + $f + '.evtx'
        $s.ClearLog($n, $f)