Clear-EventLog odd issue

I have an odd issue and am not finding much on Google.

If I execute “Clear-EventLog” against a remote host using

Clear-EventLog -ComputerName 'remotehost' -LogName 'Application'

I get the following error for any log I attempt to clear and the log is NOT cleared:

“The operating system reported an error when writing the event entry to the event log. A windows error code is not available”

If I execute the following, it works:

Invoke-Command -ComputerName 'remotehost' -ScriptBlock {Clear-EventLog -LogName 'Application'}

I should point out this is a part of a very large script that works fine against 99.99% of the remote hosts, but for some reason, I have about 15 systems where this fails. Any ideas?

Hi Tony. Are you able to connect to these few machines through Event Viewer? (Right click → Connect to another computer.) It is my understanding that the cmdlets with a ComputerName parameter use that component's API (Service, Task Scheduler, WMI, etc.). Invoke-Command uses WSMan over port 5985/5986 (unless custom), so my initial thought is the firewall isn't allowing the remote event log traffic.
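The two channels Doug distinguishes can be checked side by side from the machine running the script. The function below is an added example, not code from this thread: it tests the WinRM port and WSMan listener that Invoke-Command relies on, and separately exercises the classic EventLog API that `Clear-EventLog -ComputerName` uses (Get-EventLog -List over RPC). The host names and the HTTP port number are placeholders/assumptions.

```powershell
# Added example (not from the thread). For each host, report whether the
# WinRM/WSMan path and the classic remote EventLog API path are reachable.
# A hardened host that allows WinRM but not the "Remote Event Log Management"
# firewall rule group (RPC) shows WSManResponds=True, EventLogApiOk=False,
# which matches the symptom in this thread.
function Test-RemoteEventLogPaths {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,
        [int]$WinRmPort = 5985   # assumption: HTTP listener; use 5986 for HTTPS
    )
    process {
        foreach ($target in $ComputerName) {
            # Path used by Invoke-Command: TCP port plus a WSMan identify call.
            $portOpen = (Test-NetConnection -ComputerName $target -Port $WinRmPort `
                            -WarningAction SilentlyContinue).TcpTestSucceeded
            $wsmanOk = $false
            try {
                $null = Test-WSMan -ComputerName $target -ErrorAction Stop
                $wsmanOk = $true
            } catch { }

            # Path used by Clear-EventLog -ComputerName: the legacy EventLog API
            # over RPC. Get-EventLog -List is a read-only probe of the same API.
            $apiOk = $false
            $apiError = $null
            try {
                $null = Get-EventLog -ComputerName $target -List -ErrorAction Stop
                $apiOk = $true
            } catch {
                $apiError = $_.Exception.Message
            }

            [pscustomobject]@{
                ComputerName     = $target
                WinRmPortOpen    = $portOpen
                WSManResponds    = $wsmanOk
                EventLogApiOk    = $apiOk
                EventLogApiError = $apiError
            }
        }
    }
}

# Usage (host names are placeholders):
'remotehost1', 'remotehost2' | Test-RemoteEventLogPaths | Format-Table -AutoSize
```

Because Get-EventLog -List only reads, it can be handed to a non-technical intermediary as a safe probe: a host that returns a log list here but still fails Clear-EventLog points at permissions on the log or its registry key rather than at the firewall.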

Thank you, Crazy Doug :slight_smile:

These systems are all hardened, so that may very well be the case. Another obstacle is that I am not at the site where this is occurring, and walking the auditor through checking what you suggest will be a challenge as we have Skype chat only, and the auditor is not very technical. But I will give it a whack and see if those ports are open. I am trying to avoid changing the script for a small percentage of the hosts.

Thanks again, I will report back what I find … might be a day or two.

Crazy Doug, here is the latest.

Had the user open Event Viewer on the remote system without any issues or errors.
Tested the ports you mentioned using “Test-NetConnection”; no issues there, ports open.
The user is a member of a global group defined in the local Administrators group on the remote system, so they do have admin.
Had them test the following:

Invoke-Command -ComputerName 'hostname' -ScriptBlock {Write-EventLog -LogName 'Application' -Source "ESNT" -EntryType 'Information' -EventId 100 -Message 'Testing 123'}

There were no errors and the entry was validated in the Application log, so no issues there either.

However, then had them execute:

Write-EventLog -LogName 'Application' -Source "ESNT" -EntryType 'Information' -EventId 100 -Message 'Testing 123' -ComputerName 'hostname'

And the following error was returned.
“write-eventlog : The registry key for the log “application” for source “ESENT” could not be opened”

I am stumped at this point. Any ideas? Seems like registry permissions?

BTW, thanks for the help.

Based on your words it's not clear you tested what I suggested. What I suggest is, from a system (preferably the system calling the script), open Event Viewer. Then inside that Event Viewer, right click at the top and choose “Connect to another computer.” If that's what was tested, I apologize. This will tell you if the Event Viewer API is available remotely.

Yes Doug, we did that with no issues. Sorry for not being clear on that.

“Had the user open Event Viewer on the remote system without any issues or errors”

What I should have said was

“Had the user open Event Viewer and connect to the remote system without any issues or errors”

Sorry for my error.

That is also how we validated the event creation we did using “Invoke-Command”.

Yeah that would have been my first guess. Weird. I look forward to hearing the solution.

Thanks Doug. Not sure I will ever get this resolved, as I am not at the system(s), which are on the right coast; I am left coast, and the systems are air-gapped, so I have to go through a non-technical intermediary. The workaround I am likely going with is: if Clear-EventLog fails using -ComputerName, I will then try Clear-EventLog via Invoke-Command, which does work.

Odd one indeed. The systems are hardened, and it could be any number of security controls causing this, and I just don't have the resources to troubleshoot much.

Again, thanks for your input. If I somehow get this figured out, I will surely post the solution.
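The workaround described above (try `Clear-EventLog -ComputerName`, fall back to `Clear-EventLog` inside `Invoke-Command`) as a reusable function. This is an added example, not Tony's script; the `Credential` parameter and the returned record fields are my own additions so the large script can report which hosts needed the fallback and why.

```powershell
# Added example (not from the thread). Clear a remote log over the classic
# EventLog API first; if that path errors, as it does on the ~15 hardened
# hosts in this thread, run the same cmdlet on the host over WinRM instead.
# Returns one object per call recording which path succeeded.
function Clear-RemoteEventLog {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$LogName,
        [pscredential]$Credential          # optional, used only for the WinRM path
    )
    if (-not $PSCmdlet.ShouldProcess("$LogName on $ComputerName", 'Clear event log')) {
        return
    }

    $result = [ordered]@{
        ComputerName = $ComputerName
        LogName      = $LogName
        Method       = $null
        Succeeded    = $false
        Error        = $null
    }

    try {
        # Path 1: remote EventLog API (RPC), the call the original script makes.
        Clear-EventLog -ComputerName $ComputerName -LogName $LogName -ErrorAction Stop
        $result.Method    = 'Clear-EventLog -ComputerName'
        $result.Succeeded = $true
    }
    catch {
        $rpcError = $_.Exception.Message
        try {
            # Path 2: run the cmdlet locally on the host over WSMan (5985/5986).
            $icm = @{
                ComputerName = $ComputerName
                ScriptBlock  = { param($Log) Clear-EventLog -LogName $Log -ErrorAction Stop }
                ArgumentList = $LogName
                ErrorAction  = 'Stop'
            }
            if ($Credential) { $icm.Credential = $Credential }
            Invoke-Command @icm
            $result.Method    = 'Invoke-Command fallback'
            $result.Succeeded = $true
            $result.Error     = "RPC path failed: $rpcError"
        }
        catch {
            $result.Method = 'none'
            $result.Error  = "RPC path: $rpcError; WSMan path: $($_.Exception.Message)"
        }
    }

    # Either path leaves an audit record on the host: clearing the Security log
    # writes event 1102, and clearing any other log writes event 104 to the
    # System log, so the clear can still be confirmed from central log tooling.
    [pscustomobject]$result
}

# Usage (host name is a placeholder); -WhatIf performs a dry run.
Clear-RemoteEventLog -ComputerName 'remotehost' -LogName 'Application' -WhatIf
Clear-RemoteEventLog -ComputerName 'remotehost' -LogName 'Application' |
    Format-Table ComputerName, LogName, Method, Succeeded, Error -AutoSize
```

Collecting the returned objects from all hosts (for example with `Export-Csv`) gives the list of systems where the RPC path failed, which is the set worth handing to the auditor for a firewall or registry-permission check later.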