As I tried to establish a reasonable way to write my own event logs, I stumbled across event log rotation.
There was a script that copied the .evtx files from $env:systemdrive\windows\system32\winevt\logs\* to another location, one file per event log, and then cleared every event log.
That approach has several drawbacks, and PowerShell has no built-in cmdlet for rotating event logs, so read on:
I found three ways to rotate the event logs:
1. Copy away the .evtx file of the corresponding event log and then clear the log -> Copy-Eventlog
2. Use wevtutil cl $logname /bu:$Path (backup and clear in one call) -> wevtutil
3. Use .NET: [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ExportLogAndMessages("$Logname",'LogName','*',"$Path")
followed by [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("$Logname") -> .NET
With the first approach I observed the biggest gap between exporting and clearing the log, i.e. events written in between are lost -> EventLogGap
Sometimes the exported file contained no events at all, even when I started with a fresh event log and generated some events before exporting and clearing. It seems that events are not written directly into the .evtx file but are held in a buffer by the event log service first -> EventLogNirvana
So there are two problems to cover:
- EventLogGap grows with the size (or the amount of content) of the log file, which is most pronounced with the "Copy-Eventlog" approach
- EventLogNirvana also seems to occur only when copying the underlying .evtx file, which has not yet been completely written to disk
The conclusion is to use wevtutil, as this seems to be the only reliable method: the backup and the clear happen in a single operation, so nothing can slip in between them. The .NET method produced some unnecessary additional entries for each event log entry. Keep in mind that clearing a log is itself an audited action (clearing the Security log records event ID 1102), and that after the rotation the backup file is the only copy of those events, so write it to a location the local user cannot tamper with and check that it actually contains what you expect.
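As an added example (not the author's script, which follows below), the following PowerShell rotates a list of event logs with wevtutil cl /bu and measures the EventLogGap for each: it records the live log's record count just before the rotation, rotates, and then counts the events that actually landed in the backup file. The log names and the backup path are hypothetical; the function must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's script: rotate event logs with wevtutil cl /bu
# (backup and clear in one call) and report how many events each backup holds
# versus what the live log reported right before the rotation.
function Invoke-EventLogRotation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $LogName,     # e.g. 'Application','System'
        [Parameter(Mandatory)] [string]   $BackupRoot   # hypothetical archive folder
    )

    if (-not (Test-Path -LiteralPath $BackupRoot)) {
        New-Item -ItemType Directory -Path $BackupRoot | Out-Null
    }

    foreach ($name in $LogName) {
        # Record count just before the rotation, so the gap can be measured afterwards.
        $before = (Get-WinEvent -ListLog $name -ErrorAction Stop).RecordCount

        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $safe   = $name -replace '[\\/]', '-'   # 'Microsoft-Windows-X/Operational' -> file-safe name
        $target = Join-Path $BackupRoot "$safe-$stamp.evtx"

        # wevtutil cl <log> /bu:<file> backs up and clears in one operation, so no
        # events can be written between the export and the clear.
        & wevtutil.exe cl $name "/bu:$target"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "wevtutil failed for '$name' (exit code $LASTEXITCODE)"
            continue
        }

        # Count what actually landed in the backup file. Get-WinEvent throws when
        # the file contains no events at all, which is exactly the case to notice.
        $exported = 0
        try {
            $exported = @(Get-WinEvent -Path $target -ErrorAction Stop).Count
        } catch {
            Write-Warning "backup '$target' contains no events"
        }

        [pscustomobject]@{
            LogName  = $name
            Backup   = $target
            Before   = $before
            Exported = $exported
            Gap      = $before - $exported   # > 0: events lost; < 0: new events arrived before the clear
        }
    }
}

# Usage with hypothetical log names and archive path:
# Invoke-EventLogRotation -LogName 'Application','System' -BackupRoot 'D:\EventLogArchive' | Format-Table
```

Run it against a test log while generating events in the background and compare the Gap column with the same measurement taken around a plain Copy-Item plus Clear-EventLog; the difference is the EventLogGap described above.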
Here is the script I use to rotate event logs: