https://community.splunk.com/t5/Getting-Data-In/How-to-collect-data-from-a-Windows-Server-Container/m-p/316355#M59153 <P>Answering my own question after research and consulting with Microsoft:</P> <OL> <LI>When an app writes to standard out, use the Docker Logging Driver for Splunk, which sends data to HEC. However, this is not as commonly done on Windows.</LI> <LI>When using logging libraries such as Log4Net or Log4J, or <A href="http://dev.splunk.com/tools">Splunk's logging tools</A>, these can be easily reconfigured to send data to HEC.</LI> <LI>Event logs must be either pushed or pulled from the container, to another system. One approach that makes sense in a containerized environment is to use <A href="https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection">Windows Event Log Forwarding</A> (WEF) to push logs from containers to the host OS. Use the Universal Forwarder on the host OS to collect these logs.</LI> <LI>Perfmon (performance metrics) objects may exist on the host which can be collected via UF. (This item needs further research.)</LI> <LI>Log files can be mounted using shared volumes (a WSC/docker feature, <A href="https://blogs.msdn.microsoft.com/containerstuff/2017/08/18/using-the-windows-eventviewer-gui-to-view-eventlogs-in-containers/">example here</A>) to a separate container, or the host OS, and then use the standard file monitor feature in Splunk. </LI> <LI>More specific WSC troubleshooting techniques are outlined on <A href="https://docs.microsoft.com/en-us/virtualization/windowscontainers/troubleshooting">docs.microsoft.com</A>.</LI> </OL> Thu, 30 Nov 2017 20:42:54 GMT hrottenberg_spl 2017-11-30T20:42:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-collect-data-from-a-Windows-Server-Container/m-p/316354#M59152 <P>We are migrating an existing Microsoft ASP.net application from running on a full OS to running in a <A href="https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/">Windows Server Container</A> (on Server 2016), which is similar to Docker (and cross-compatible with Docker API &amp; many of its management features). Today, we use a Universal Forwarder to collect system logs, event logs, and perfmon metrics. How can we do the same when the processes are running in a container, and container best practices rule out installing agents inside of the container?</P> Thu, 30 Nov 2017 20:27:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-collect-data-from-a-Windows-Server-Container/m-p/316354#M59152 hrottenberg_spl 2017-11-30T20:27:36Z https://community.splunk.com/t5/Getting-Data-In/How-to-collect-data-from-a-Windows-Server-Container/m-p/316355#M59153 <P>Answering my own question after research and consulting with Microsoft:</P> <OL> <LI>When an app writes to standard out, use the Docker Logging Driver for Splunk, which sends data to HEC. However, this is not as commonly done on Windows.</LI> <LI>When using logging libraries such as Log4Net or Log4J, or <A href="http://dev.splunk.com/tools">Splunk's logging tools</A>, these can be easily reconfigured to send data to HEC.</LI> <LI>Event logs must be either pushed or pulled from the container, to another system. One approach that makes sense in a containerized environment is to use <A href="https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection">Windows Event Log Forwarding</A> (WEF) to push logs from containers to the host OS. Use the Universal Forwarder on the host OS to collect these logs.</LI> <LI>Perfmon (performance metrics) objects may exist on the host which can be collected via UF. (This item needs further research.)</LI> <LI>Log files can be mounted using shared volumes (a WSC/docker feature, <A href="https://blogs.msdn.microsoft.com/containerstuff/2017/08/18/using-the-windows-eventviewer-gui-to-view-eventlogs-in-containers/">example here</A>) to a separate container, or the host OS, and then use the standard file monitor feature in Splunk. </LI> <LI>More specific WSC troubleshooting techniques are outlined on <A href="https://docs.microsoft.com/en-us/virtualization/windowscontainers/troubleshooting">docs.microsoft.com</A>.</LI> </OL> Thu, 30 Nov 2017 20:42:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-collect-data-from-a-Windows-Server-Container/m-p/316355#M59153 hrottenberg_spl 2017-11-30T20:42:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-collect-data-from-a-Windows-Server-Container/m-p/316356#M59154 <P>We are providing a solution for Monitoring Windows Containers in Splunk, that includes forwarding container logs and metrics, you can find the demo on our website <A href="https://www.outcoldsolutions.com/">https://www.outcoldsolutions.com/</A> and certified application on Splunk base <A href="https://splunkbase.splunk.com/app/3858/">https://splunkbase.splunk.com/app/3858/</A></P> Thu, 19 Apr 2018 02:05:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-collect-data-from-a-Windows-Server-Container/m-p/316356#M59154 outcoldman 2018-04-19T02:05:31Z