How to collect data from a Windows Server Container?

hrottenberg_spl
Splunk Employee

We are migrating an existing Microsoft ASP.NET application from running on a full OS to running in a Windows Server Container (on Server 2016), which is similar to Docker (and cross-compatible with the Docker API and many of its management features). Today, we use a Universal Forwarder to collect system logs, event logs, and perfmon metrics. How can we do the same when the processes are running in a container, and container best practices rule out installing agents inside of the container?

1 Solution

hrottenberg_spl
Splunk Employee

Answering my own question after research and consulting with Microsoft:

  1. When an app writes to standard out, use the Docker Logging Driver for Splunk, which sends data to HEC. However, this is not as commonly done on Windows.
  2. When using logging libraries such as Log4Net or Log4J, or Splunk's logging tools, these can be easily reconfigured to send data to HEC.
  3. Event logs must be either pushed or pulled from the container to another system. One approach that makes sense in a containerized environment is to use Windows Event Log Forwarding (WEF) to push logs from containers to the host OS. Use the Universal Forwarder on the host OS to collect these logs.
  4. Perfmon (performance metrics) objects may exist on the host, which can be collected via the UF. (This item needs further research.)
  5. Log files can be mounted using shared volumes (a WSC/Docker feature, example here) to a separate container or to the host OS, and then monitored with the standard file monitor feature in Splunk.
  6. More specific WSC troubleshooting techniques are outlined on docs.microsoft.com.
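A worked configuration for items 1 and 5 of the answer above, added here as an example and not code from the original post: it builds the `docker run` line that routes the container's stdout to HEC through the Docker Splunk logging driver, bind-mounts the IIS log directory to the host for the host's Universal Forwarder, and refuses a plaintext HEC URL or a driver setting that skips certificate verification. The HEC URL, token, image name, paths and index are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: HEC URL, token,
# image, host/container paths and index. Override via the environment.
SPLUNK_HEC_URL="${SPLUNK_HEC_URL:-https://splunk.example.internal:8088}"
SPLUNK_HEC_TOKEN="${SPLUNK_HEC_TOKEN:-00000000-0000-0000-0000-000000000000}"  # placeholder

# Reject weak driver settings: plaintext HEC or skipped TLS certificate checks.
check_hec_opts() {
    url="$1"
    skipverify="$2"
    case "$url" in
        https://*) ;;
        *) echo "HEC URL must use https, got: $url" >&2; return 1 ;;
    esac
    if [ "$skipverify" = "true" ]; then
        echo "splunk-insecureskipverify=true disables TLS verification" >&2
        return 1
    fi
    return 0
}

# Print the docker run line for one Windows container: stdout -> HEC via the
# splunk log driver (item 1), IIS logs on a host-visible volume (item 5).
build_run_cmd() {
    image="$1"
    name="$2"
    check_hec_opts "$SPLUNK_HEC_URL" "false" || return 1
    printf '%s' "docker run -d --name $name" \
        " --log-driver=splunk" \
        " --log-opt splunk-url=$SPLUNK_HEC_URL" \
        " --log-opt splunk-token=$SPLUNK_HEC_TOKEN" \
        " --log-opt splunk-insecureskipverify=false" \
        " --log-opt splunk-format=json" \
        " --log-opt splunk-sourcetype=docker:stdout" \
        " --log-opt tag={{.Name}}/{{.ID}}" \
        " -v C:\\container-logs\\$name:C:\\inetpub\\logs\\LogFiles" \
        " $image"
    printf '\n'
}

# inputs.conf stanza for the host UF: monitor the mounted IIS logs and stamp
# the container name as host so events stay attributable per container.
host_inputs_stanza() {
    name="$1"
    printf '[monitor://C:\\container-logs\\%s\\*.log]\nsourcetype = iis\nhost = %s\nindex = web\n' "$name" "$name"
}

build_run_cmd "mcr.microsoft.com/windows/servercore/iis" "web01"
host_inputs_stanza "web01"
```

The token still ends up in `docker inspect` output on the host, so restrict who can read the Docker engine on that host as you would the forwarder's credentials.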


outcoldman
Communicator

We are providing a solution for monitoring Windows Containers in Splunk that includes forwarding container logs and metrics. You can find the demo on our website https://www.outcoldsolutions.com/ and the certified application on Splunkbase https://splunkbase.splunk.com/app/3858/
