Getting Data In

How to collect data from a Windows Server Container?

hrottenberg_spl
Splunk Employee

We are migrating an existing Microsoft ASP.NET application from running on a full OS to running in a Windows Server Container (on Server 2016), which is similar to Docker (and cross-compatible with the Docker API and many of its management features). Today, we use a Universal Forwarder to collect system logs, event logs, and perfmon metrics. How can we do the same when the processes are running in a container, and container best practices rule out installing agents inside of the container?

1 Solution

hrottenberg_spl
Splunk Employee

Answering my own question after research and consulting with Microsoft:

  1. When an app writes to standard out, use the Docker Logging Driver for Splunk, which sends data to HEC. However, this is not as commonly done on Windows.
  2. When using logging libraries such as Log4Net or Log4J, or Splunk's logging tools, these can be easily reconfigured to send data to HEC.
  3. Event logs must be either pushed or pulled from the container, to another system. One approach that makes sense in a containerized environment is to use Windows Event Log Forwarding (WEF) to push logs from containers to the host OS. Use the Universal Forwarder on the host OS to collect these logs.
  4. Perfmon (performance metrics) objects may exist on the host which can be collected via UF. (This item needs further research.)
  5. Log files can be mounted using shared volumes (a WSC/docker feature, example here) to a separate container, or the host OS, and then use the standard file monitor feature in Splunk.
  6. More specific WSC troubleshooting techniques are outlined on docs.microsoft.com.

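Items 1, 3 and 5 of the accepted answer, wired together on the container host. This is an added example, not code from the original post or from Splunk; the HEC URL and token, the image name, the log directory inside the container, the host directory and the Universal Forwarder install path are all placeholder assumptions. The container's stdout goes to HEC through the Splunk logging driver, its log files reach the host through a bind mount, and the host's Universal Forwarder monitors that directory plus the ForwardedEvents channel that a WEF subscription delivers container event logs into.

```powershell
# Added example (not from the original post). Assumed/hypothetical values:
#   HEC endpoint  https://splunk.example.internal:8088
#   HEC token     00000000-0000-0000-0000-000000000000
#   image         mycorp/aspnet-app:1.0 (writes its logs to C:\inetpub\logs)
#   host log dir  C:\ContainerLogs\aspnet-app
$HecUrl   = 'https://splunk.example.internal:8088'
$HecToken = '00000000-0000-0000-0000-000000000000'
$HostLogs = 'C:\ContainerLogs\aspnet-app'
New-Item -ItemType Directory -Force -Path $HostLogs | Out-Null

# Item 1: whatever the app writes to stdout/stderr is shipped to HEC by the
# Docker Splunk logging driver, so no agent runs inside the container.
# Item 5: the app's log directory is bind-mounted from the host, where the
# host-side Universal Forwarder picks the files up with a normal monitor input.
# If HEC presents a private CA, add --log-opt splunk-capath=<path to CA pem>
# rather than splunk-insecureskipverify=true.
docker run -d --name aspnet-app `
  --log-driver splunk `
  --log-opt splunk-url=$HecUrl `
  --log-opt splunk-token=$HecToken `
  --log-opt splunk-index=containers `
  --log-opt splunk-sourcetype=docker:stdout `
  --log-opt splunk-format=json `
  --log-opt "tag={{.Name}}/{{.ID}}" `
  -v "${HostLogs}:C:\inetpub\logs" `
  mycorp/aspnet-app:1.0

# Check: the splunk driver refuses to start the container if it cannot reach
# HEC with that token, so a 'running' status here means the endpoint and
# token were accepted and the driver is in use.
docker inspect --format '{{.State.Status}} {{.HostConfig.LogConfig.Type}}' aspnet-app

# Items 3 and 5 on the host: monitor the bind-mounted files and the
# ForwardedEvents channel that the WEF subscription writes container event
# logs into. host_segment = 3 makes the 'aspnet-app' path component the host
# field, so events are attributed to the container rather than the host.
$Inputs = @"
[monitor://$HostLogs\*.log]
sourcetype = iis
index = containers
host_segment = 3

[WinEventLog://ForwardedEvents]
index = containers
disabled = 0
"@
$UfHome = 'C:\Program Files\SplunkUniversalForwarder'
Set-Content -Path "$UfHome\etc\system\local\inputs.conf" -Value $Inputs -Encoding ASCII
& "$UfHome\bin\splunk.exe" restart
```

The WEF subscription itself (source-initiated, with the container's computer account allowed on the collector) is configured separately on the host; the stanza above only reads what lands in ForwardedEvents. Perfmon (item 4) is deliberately left out, since the answer marks it as needing further research.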

outcoldman
Communicator

We are providing a solution for Monitoring Windows Containers in Splunk that includes forwarding container logs and metrics; you can find the demo on our website https://www.outcoldsolutions.com/ and the certified application on Splunkbase https://splunkbase.splunk.com/app/3858/
