Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to collect data from a Windows Server Container?

hrottenberg_spl
Splunk Employee
Splunk Employee
‎11-30-2017 12:27 PM

We are migrating an existing Microsoft ASP.net application from running on a full OS to running in a Windows Server Container (on Server 2016), which is similar to Docker (and cross-compatible with Docker API & many of its management features). Today, we use a Universal Forwarder to collect system logs, event logs, and perfmon metrics. How can we do the same when the processes are running in a container, and container best practices rule out installing agents inside of the container?

Reply
1 Solution
Solved! Jump to solution
Solution

hrottenberg_spl
Splunk Employee
Splunk Employee
‎11-30-2017 12:42 PM

Answering my own question after research and consulting with Microsoft:

  1. When an app writes to standard out, use the Docker Logging Driver for Splunk, which sends data to HEC. However, this is not as commonly done on Windows.
  2. When using logging libraries such as Log4Net or Log4J, or Splunk's logging tools, these can be easily reconfigured to send data to HEC.
  3. Event logs must be either pushed or pulled from the container, to another system. One approach that makes sense in a containerized environment is to use Windows Event Log Forwarding (WEF) to push logs from containers to the host OS. Use the Universal Forwarder on the host OS to collect these logs.
  4. Perfmon (performance metrics) objects may exist on the host which can be collected via UF. (This item needs further research.)
  5. Log files can be mounted using shared volumes (a WSC/docker feature, example here) to a separate container, or the host OS, and then use the standard file monitor feature in Splunk.
  6. More specific WSC troubleshooting techniques are outlined on docs.microsoft.com.

View solution in original post

Reply
Solved! Jump to solution

outcoldman
Communicator
‎04-18-2018 07:05 PM

We are providing a solution for Monitoring Windows Containers in Splunk, that includes forwarding container logs and metrics, you can find the demo on our website https://www.outcoldsolutions.com/ and certified application on Splunk base https://splunkbase.splunk.com/app/3858/

Reply
Solved! Jump to solution
Solution

hrottenberg_spl
Splunk Employee
Splunk Employee
‎11-30-2017 12:42 PM

Answering my own question after research and consulting with Microsoft:

  1. When an app writes to standard out, use the Docker Logging Driver for Splunk, which sends data to HEC. However, this is not as commonly done on Windows.
  2. When using logging libraries such as Log4Net or Log4J, or Splunk's logging tools, these can be easily reconfigured to send data to HEC.
  3. Event logs must be either pushed or pulled from the container, to another system. One approach that makes sense in a containerized environment is to use Windows Event Log Forwarding (WEF) to push logs from containers to the host OS. Use the Universal Forwarder on the host OS to collect these logs.
  4. Perfmon (performance metrics) objects may exist on the host which can be collected via UF. (This item needs further research.)
  5. Log files can be mounted using shared volumes (a WSC/docker feature, example here) to a separate container, or the host OS, and then use the standard file monitor feature in Splunk.
  6. More specific WSC troubleshooting techniques are outlined on docs.microsoft.com.
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...