Getting Data In

How to collect data from a Windows Server Container?

hrottenberg_spl
Splunk Employee
Splunk Employee

We are migrating an existing Microsoft ASP.net application from running on a full OS to running in a Windows Server Container (on Server 2016), which is similar to Docker (and cross-compatible with Docker API & many of its management features). Today, we use a Universal Forwarder to collect system logs, event logs, and perfmon metrics. How can we do the same when the processes are running in a container, and container best practices rule out installing agents inside of the container?

1 Solution

hrottenberg_spl
Splunk Employee
Splunk Employee

Answering my own question after research and consulting with Microsoft:

  1. When an app writes to standard out, use the Docker Logging Driver for Splunk, which sends data to HEC. However, this is not as commonly done on Windows.
  2. When using logging libraries such as Log4Net or Log4J, or Splunk's logging tools, these can be easily reconfigured to send data to HEC.
  3. Event logs must be either pushed or pulled from the container, to another system. One approach that makes sense in a containerized environment is to use Windows Event Log Forwarding (WEF) to push logs from containers to the host OS. Use the Universal Forwarder on the host OS to collect these logs.
  4. Perfmon (performance metrics) objects may exist on the host which can be collected via UF. (This item needs further research.)
  5. Log files can be mounted using shared volumes (a WSC/docker feature, example here) to a separate container, or the host OS, and then use the standard file monitor feature in Splunk.
  6. More specific WSC troubleshooting techniques are outlined on docs.microsoft.com.

View solution in original post

outcoldman
Communicator

We are providing a solution for Monitoring Windows Containers in Splunk, that includes forwarding container logs and metrics, you can find the demo on our website https://www.outcoldsolutions.com/ and certified application on Splunk base https://splunkbase.splunk.com/app/3858/

hrottenberg_spl
Splunk Employee
Splunk Employee

Answering my own question after research and consulting with Microsoft:

  1. When an app writes to standard out, use the Docker Logging Driver for Splunk, which sends data to HEC. However, this is not as commonly done on Windows.
  2. When using logging libraries such as Log4Net or Log4J, or Splunk's logging tools, these can be easily reconfigured to send data to HEC.
  3. Event logs must be either pushed or pulled from the container, to another system. One approach that makes sense in a containerized environment is to use Windows Event Log Forwarding (WEF) to push logs from containers to the host OS. Use the Universal Forwarder on the host OS to collect these logs.
  4. Perfmon (performance metrics) objects may exist on the host which can be collected via UF. (This item needs further research.)
  5. Log files can be mounted using shared volumes (a WSC/docker feature, example here) to a separate container, or the host OS, and then use the standard file monitor feature in Splunk.
  6. More specific WSC troubleshooting techniques are outlined on docs.microsoft.com.
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...