Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
If you work with legacy apps (or maybe some not so legacy apps) in containers then you know about what a pain it is to read the all important event log. In this post I'll present a passable pattern that is good enough for occasional use, like when initially deploying or diagnosing an in-production failure.
Right up front: This is not ideal but it's not bad and it works. It's WAY better than viewing events in the Container CLI like I presented in here. If anybody knows how to remote the EventLog viewer right into the container please let me know and I'll update with credits.
The sequence is:
- We create a container with a shared volume and access the CLI on the container.
- On the container CLI we do whatever stuff we need to do, for instance maybe install and start up a Windows Service.
- Using the wevtutil utility, we snap a copy of the event log in which we are interested to a file on the shared volume.
- We return to the container host to access the event log file and view in the EventViewer GUI
- Repeat snap-read as necessary as you would do in the regular course of diagnostics
[on container host]
Open a Powershell sesion
Create a share directory
mkdir c:\shared
Create container with shared volume pointing to the c:\shared directory
docker run -it --name winservcoret2 -v c:\shared:c:\shared microsoft/windowsservercore
Since the container was started with the -it configuration, the PowerShell session will switch to the Container console
[on container]
Do things that create some events, then snap a copy of the event log to a file in the shared volume. In this case we snap the application log but you can snap any log present on the container.
wevtutil epl Application C:\shared\AppLogBackup.evtx
[on container host]
Open c:\shared\AppLogBackup.evtx directly or open it from an existing EventViewer
The Eventlog Viewer will open with the snapped event log
We have a number of options for filtering the events that get written to the .evtx file, for example this script which boxes on start and end dates:
$start = '1/1/2016' $end = '1/2/2017' function GetMilliseconds ($date) { $ts = New-TimeSpan -Start $date -End (Get-Date) [math]::Round($ts.TotalMilliseconds) } # end function $startDate = GetMilliseconds(Get-Date $start) $endDate = GetMilliseconds(Get-Date $end) wevtutil epl Application test.evtx /q:"*[System[TimeCreated[timediff(@SystemTime) >= $endDate] and TimeCreated[timediff(@SystemTime) <= $startDate]]]"
- Anonymous
August 19, 2017
Or we can ask microsoft to enable "Server" service in container and we can pull those logs directly from running container. https://windowsserver.uservoice.com/forums/304624-containers/suggestions/17660338-enable-server-service-and-mmc-ui-management-capa- Anonymous
August 19, 2017
Do you have a example of how to do this? If so please share.
- Anonymous
- Anonymous
August 20, 2017
It's helpful.