26
votes

How do I access the Windows Event Log of a Microsoft Docker container from the host?

I have a Docker container under Windows Server 2016.

The container is based on image: microsoft/iis

I can get the IP address of the container with:

docker inspect -f "{{ .NetworkSettings.Networks.nat.IPAddress }}" my-running-site

How can I connect to it via the Event Viewer on the Windows host?

3
Good question! Of course you can PowerShell into your container and use get-eventlog as expected, but connecting from the host to the container would mean that the container is listening to external requests for the eventlog. If you check your container for listening ports, there is only port 135 (RPC) listening, which MAY be the right one. The next step is exposing that port to the outside with docker run -p 135:135... but during my try it did not work... How about posting that question in the Docker or container forums or on GitHub? - Falco Alexander
I'm not sure that the eventlog is the way to go with logging inside of containers. Whilst it's a traditional tool in Windows, the lightweight nature of containers makes redirecting to stdout and stderr better candidates for logging for containers. This has further benefits, such as delegating log analysis to tools such as Logstash and Elasticsearch. It's then easier to query multiple containers and store the logs centrally. Also, redirecting to stdout and stderr allows you to easily run docker logs ... from the command line of your host to easily obtain logs. - Alex H
I can't always control what gets logged to where. If I open port 135 I get 'Access Denied (5)'. - Greg Pagendam-Turner
My current understanding of your question is: whether it is possible to let an application (such as IIS) running inside a container log events into the Windows Event Log, and use Windows Event Viewer from the host to view those events. Am I understanding correctly? I'm also interested to know the answer. - robbie fan
Me too. I'm also curious how we can make it. What about running a process that keeps writing logs to the data folder, so the host can access that? - james

3 Answers

15
votes

Create a PowerShell session for the container:

docker exec -it <container_id> powershell

Then, from the container, get the latest event logs:

Get-Eventlog -newest 20 application

The above command will help you find the index:

(Get-Eventlog -index xxx application).message
3
votes

The Docker Engine logs to the Windows 'Application' event log, rather than to a file. These logs can easily be read, sorted, and filtered using Windows PowerShell.

For example, this will show the Docker Engine logs from the last 5 minutes starting with the oldest.

Get-EventLog -LogName Application -Source Docker -After (Get-Date).AddMinutes(-5) | Sort-Object TimeGenerated
2
votes

On PWSH (PowerShell Core):

Get-WinEvent -LogName Application
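
The docker exec approach from the answers above can also be run non-interactively from the host, so the events arrive as objects in the host's own PowerShell session. This is an added example, not part of any answer: the function name Get-ContainerEventLog is hypothetical, and it assumes the container image ships Windows PowerShell with Get-WinEvent and that the container name is the one from the question.

```powershell
# Added example. Run on the Windows container host.
function Get-ContainerEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Container,   # container name or id
        [string] $LogName = 'Application',
        [ValidateRange(1, 5000)] [int] $Newest = 20
    )

    # Double any single quote so the log name stays inside its string literal.
    $safeLog = $LogName.Replace("'", "''")

    # Script that runs inside the container and emits the events as JSON.
    # Timestamps are sent as ISO 8601 strings so they survive the round trip.
    $inner = @"
`$ProgressPreference = 'SilentlyContinue'
Get-WinEvent -LogName '$safeLog' -MaxEvents $Newest -ErrorAction SilentlyContinue |
    Select-Object @{n='TimeCreated';e={`$_.TimeCreated.ToString('o')}},
                  Id, LevelDisplayName, ProviderName, Message |
    ConvertTo-Json -Compress
"@

    # -EncodedCommand takes Base64 of the UTF-16LE script text, which avoids
    # quoting problems across the docker exec boundary.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))

    $json = docker exec $Container powershell -NoProfile -NonInteractive -EncodedCommand $encoded
    if ($LASTEXITCODE -ne 0) {
        throw "docker exec failed for '$Container' (exit code $LASTEXITCODE)"
    }
    if (-not $json) { return }   # no events found, or the log does not exist

    # Assign first so a JSON array is enumerated on both Windows PowerShell
    # and PowerShell Core; a single event comes back as one object.
    $events = $json | Out-String | ConvertFrom-Json
    $events | Sort-Object TimeCreated   # oldest first
}

# Usage: list the 20 newest Application events of the container, oldest first.
Get-ContainerEventLog -Container 'my-running-site' -Newest 20 |
    Format-Table TimeCreated, Id, LevelDisplayName, ProviderName -AutoSize
```

Because the result is ordinary objects on the host, it can be piped to Export-Csv or to a log forwarder without opening RPC port 135 on the container.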