Using the Windows Event Viewer GUI to view event logs in containers

If you work with legacy apps (or maybe some not-so-legacy apps) in containers, then you know what a pain it is to read the all-important event log. In this post I'll present a passable pattern that is good enough for occasional use, such as when initially deploying or diagnosing an in-production failure.

Right up front: this is not ideal, but it's not bad and it works. It's WAY better than viewing events in the container CLI as I presented here. If anybody knows how to remote the Event Viewer GUI right into the container, please let me know and I'll update with credits.

The sequence is:

  • We create a container with a shared volume and access the CLI on the container.
  • On the container CLI we do whatever we need to do, for instance install and start a Windows Service.
  • Using the wevtutil utility (epl, export log), we snap a copy of the event log we are interested in to a file on the shared volume.
  • We return to the container host, open the event log file and view it in the Event Viewer GUI.
  • Repeat the snap-read cycle as often as you would in the regular course of diagnostics.

[on container host]

Open a PowerShell session

Create a shared directory
mkdir c:\shared

Create a container with a shared volume pointing at the c:\shared directory (this is a bind mount of a host directory, so anything the container writes there lands on the host)
docker run -it --name winservcoret2 -v c:\shared:c:\shared microsoft/windowsservercore

Since the container was started with -it, the PowerShell session switches to the container console

[on container]

Do things that create some events, then snap a copy of the event log to a file on the shared volume. In this case we snap the Application log, but you can snap any log present on the container.
wevtutil epl Application C:\shared\AppLogBackup.evtx

[on container host]

Open c:\shared\AppLogBackup.evtx directly (double-click it) or from an already-open Event Viewer window (Action > Open Saved Log...)

Event Viewer opens showing the snapped event log

We have a number of options for filtering the events that get written to the .evtx file; for example, this script bounds the export to events created between a start date and an end date:

$start = '1/1/2016'
$end   = '1/2/2017'

# timediff(@SystemTime) in the XPath query is the number of milliseconds between
# now and the event's creation time, so each boundary date is converted the same way.
function GetMilliseconds ($date) {
    $ts = New-TimeSpan -Start $date -End (Get-Date)
    [math]::Round($ts.TotalMilliseconds)
} # end function

$startDate = GetMilliseconds (Get-Date $start)   # larger number (older boundary)
$endDate   = GetMilliseconds (Get-Date $end)     # smaller number (newer boundary)

# Keep only events created between $start and $end
wevtutil epl Application test.evtx /q:"*[System[TimeCreated[timediff(@SystemTime) >= $endDate] and TimeCreated[timediff(@SystemTime) <= $startDate]]]"
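As an added example (not the post's own script), the same date-window filter generalised into a reusable function that also restricts by minimum severity, plus a host-side check that reads the snapped .evtx with Get-WinEvent before you open the GUI. The log name, the C:\shared output path and the dates are assumptions for illustration.

```powershell
# Added example, not the original post's script. Assumes the shared volume from
# the post (C:\shared) and a placeholder output file name; dates are illustrative.

# [on container] Build the XPath filter from a date window and a minimum severity,
# then export with wevtutil epl. /ow:true lets a later snap overwrite the file.
function Export-FilteredEventLog {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$OutFile,
        [datetime]$Start = (Get-Date).AddDays(-1),
        [datetime]$End   = (Get-Date),
        [ValidateSet('Critical', 'Error', 'Warning', 'Information')]
        [string]$MinLevel = 'Warning'
    )
    # timediff(@SystemTime) is milliseconds from the event to "now", so the
    # older boundary ($Start) produces the larger number.
    $msSinceStart = [math]::Round(((Get-Date) - $Start).TotalMilliseconds)
    $msSinceEnd   = [math]::Round(((Get-Date) - $End).TotalMilliseconds)
    $clauses = @(
        "TimeCreated[timediff(@SystemTime) <= $msSinceStart]",
        "TimeCreated[timediff(@SystemTime) >= $msSinceEnd]"
    )
    # Event levels: 1 Critical, 2 Error, 3 Warning, 4 Information (0 = LogAlways).
    # Skip the level clause for Information so level-0 events are not dropped.
    if ($MinLevel -ne 'Information') {
        $maxLevel = @{ Critical = 1; Error = 2; Warning = 3 }[$MinLevel]
        $clauses += "(Level >= 1 and Level <= $maxLevel)"
    }
    $query = "*[System[" + ($clauses -join ' and ') + "]]"
    wevtutil epl $LogName $OutFile /q:"$query" /ow:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed (exit code $LASTEXITCODE)" }
    return $query
}

# [on container host] Check what landed in the snapped file before opening the
# GUI; Get-WinEvent reads a saved .evtx directly and returns newest events first.
function Get-SnappedEvents {
    param([Parameter(Mandatory)][string]$Path, [int]$Newest = 20)
    Get-WinEvent -Path $Path -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LevelDisplayName, ProviderName, Id, Message
}

# Usage (run the first command in the container, the second on the host):
Export-FilteredEventLog -LogName Application -OutFile 'C:\shared\AppErrors.evtx' `
    -Start (Get-Date).AddDays(-2) -MinLevel Error
Get-SnappedEvents -Path 'C:\shared\AppErrors.evtx' | Format-Table -AutoSize
```

The exported file contains whatever the filtered events carry, including any sensitive data the application logged, so treat the shared directory on the host accordingly.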