How do I access Windows eventlog of a Docker container

Question

How do I access the Windows Event Log of a Microsoft Docker container from the host?

I have a docker container under Windows Server 2016.

The container is based on image: microsoft/iis

I can get the ip address of the container with:

docker inspect -f "{{ .NetworkSettings.Networks.nat.IPAddress }}" my-running-site

How can I connect to it via the Event Viewer on the windows host?

good question! of course you can powershell into your container and use `get-eventlog` as expected, but connecting from the host to the container would mean that the container is listening to external request for the eventlog. If you check your container for listening ports there is only port 135 (RPC) listening, which MAY be the right. Next step is exposing that port to the outside with `docker run -p 135:135...` but during my try it did not work... how about posting that question in the docker or container forums or GitHub? — Falco Alexander, Dec 23 '16 at 10:23
I'm not sure that the eventlog is the way to go with logging inside of containers. Whilst it's a traditional tool in windows, the lightweight nature of containers makes redirecting to stdout and stderr better candidates for logging for containers. This has further benefits such as delegating log analysis to tools such logstash and elasticsearch. It's then easier to query multiple containers and store the logs centrally. Also redirecting to stdout and stderr allows you to easily run docker logs ... from the command line of your host to easily obtain logs. — Alex H, Dec 28 '16 at 16:10
I can't always control what gets logged to where. If I open port 135 I get 'Access Denied (5)'. — Greg Pagendam-Turner, Jan 03 '17 at 00:29
My current understanding of your question is: whether it is possible to let an application (such as IIS) running inside a container log events into Windows Event Log, and use Windows Event Viewer from the host to view those events. Am I understanding correctly? I'm also interested to know the answer. — robbie fan, Mar 13 '19 at 06:54
Me too. I'm also curious how can we make it? What about run a process keep writing logs to the the data folder, and the host can access that? — james, Mar 13 '19 at 13:58
@GregPagendam-Turner Have you received any solution or fixed the problem? I have tried many different approaches but **cannot copy the log files to my local drive** — , Feb 09 '21 at 07:37

score 21 · Answer 1 · edited Jul 16 '19 at 20:58

21

Create a powershell session for the container

docker exec -it  <container_id> powershell

Then from the container, get the latest event logs

Get-Eventlog -newest 20 application

Above command will help you to find the index,

(Get-Eventlog -index xxx application).message

edited Jul 16 '19 at 20:58

Maciej Jureczko

1,560
6
19
23

answered Jul 16 '19 at 19:23

Praveen Kumar

311
2
4

Not worked amigo. Gives "OCI runtime exec failed: exec failed: container_linux.go:370: starting container process caused: exec: "powershell": executable file not found in $PATH: unknown" – Feb 05 '21 at 18:24
Do you have PowerShell installed in the container. If not, try with bash or cmd – Praveen Kumar Feb 07 '21 at 02:48
I followed the steps above and I also fix the problem by installing powershell. However, I cannot copy log.json file from Docker contained to my local drive on Windows. I followed this approach. https://kb.sitecore.net/articles/383441 – Feb 07 '21 at 20:56
So, if it is possible to copy it, why cannot I copy and run these commands? I have a similar problem like on the following page. You may post your answer to it as I follow it. https://stackoverflow.com/questions/66055244/docker-error-no-such-containerpath-while-trying-to-copy-to-local-drive?noredirect=1#comment116814489_66055244 – Feb 07 '21 at 20:57
Have you received any solution or fixed the problem? I have tried many different approaches but **cannot copy the log files to my local drive** – Feb 09 '21 at 07:37

score 5 · Answer 2 · edited Jan 09 '20 at 00:38

5

On PWSH (Powershell Core):

Get-WinEvent -LogName Application

edited Jan 09 '20 at 00:38

Pang

9,564
146
81
122

answered Dec 06 '19 at 13:01

SteveSims

535
6
19

score 4 · Answer 3 · answered Aug 15 '17 at 14:03

4

The Docker Engine logs to the Windows 'Application' event log, rather than to a file. These logs can easily be read, sorted, and filtered using Windows PowerShell

For example, this will show the Docker Engine logs from the last 5 minutes starting with the oldest.

Get-EventLog -LogName Application -Source Docker -After (Get-Date).AddMinutes(-5) | Sort-Object Time

answered Aug 15 '17 at 14:03

user3411864

624
2
12
27

3

I don't think this is a solution, as you only get the source of Docker, not the process running inside the container. – james Mar 13 '19 at 14:00
Yeah, those aren't IIS logs. This is way simpler in Azure. – Triynko Apr 05 '19 at 13:41

How do I access Windows eventlog of a Docker container

3 Answers3

Linked