Getting Data In

How to collect data from a Windows Server Container?

hrottenberg_spl
Splunk Employee
Splunk Employee

We are migrating an existing Microsoft ASP.net application from running on a full OS to running in a Windows Server Container (on Server 2016), which is similar to Docker (and cross-compatible with Docker API & many of its management features). Today, we use a Universal Forwarder to collect system logs, event logs, and perfmon metrics. How can we do the same when the processes are running in a container, and container best practices rule out installing agents inside of the container?

1 Solution

hrottenberg_spl
Splunk Employee
Splunk Employee

Answering my own question after research and consulting with Microsoft:

  1. When an app writes to standard out, use the Docker Logging Driver for Splunk, which sends data to HEC. However, this is not as commonly done on Windows.
  2. When using logging libraries such as Log4Net or Log4J, or Splunk's logging tools, these can be easily reconfigured to send data to HEC.
  3. Event logs must be either pushed or pulled from the container, to another system. One approach that makes sense in a containerized environment is to use Windows Event Log Forwarding (WEF) to push logs from containers to the host OS. Use the Universal Forwarder on the host OS to collect these logs.
  4. Perfmon (performance metrics) objects may exist on the host which can be collected via UF. (This item needs further research.)
  5. Log files can be mounted using shared volumes (a WSC/docker feature, example here) to a separate container, or the host OS, and then use the standard file monitor feature in Splunk.
  6. More specific WSC troubleshooting techniques are outlined on docs.microsoft.com.

View solution in original post

outcoldman
Communicator

We are providing a solution for Monitoring Windows Containers in Splunk, that includes forwarding container logs and metrics, you can find the demo on our website https://www.outcoldsolutions.com/ and certified application on Splunk base https://splunkbase.splunk.com/app/3858/

hrottenberg_spl
Splunk Employee
Splunk Employee

Answering my own question after research and consulting with Microsoft:

  1. When an app writes to standard out, use the Docker Logging Driver for Splunk, which sends data to HEC. However, this is not as commonly done on Windows.
  2. When using logging libraries such as Log4Net or Log4J, or Splunk's logging tools, these can be easily reconfigured to send data to HEC.
  3. Event logs must be either pushed or pulled from the container, to another system. One approach that makes sense in a containerized environment is to use Windows Event Log Forwarding (WEF) to push logs from containers to the host OS. Use the Universal Forwarder on the host OS to collect these logs.
  4. Perfmon (performance metrics) objects may exist on the host which can be collected via UF. (This item needs further research.)
  5. Log files can be mounted using shared volumes (a WSC/docker feature, example here) to a separate container, or the host OS, and then use the standard file monitor feature in Splunk.
  6. More specific WSC troubleshooting techniques are outlined on docs.microsoft.com.
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...