Kofax

Windows Event Logs From Docker Containers

3025029

Question / Problem: 

How can event logs be collected in native format (evtx) from Docker containers?

Answer / Solution: 

Independently of Docker, Windows event logs can be exported from the command line in their native .evtx format with the wevtutil epl (export-log) command. Inside a container the same command is run through docker exec, which requires the container to be running. The docker cp command then copies files, such as the exported event logs, from the container to the host, where they can be opened with Event Viewer or any other tool that reads .evtx files.

The PowerShell script below exports the Application, Setup, and System event logs from the container and copies them to the folder the script is run from, with each file name prefixed by the container name. The script either prompts for the container name or, if the script file has been renamed to end in _NameOfContainer, uses NameOfContainer without prompting.

ExportContainerEventLogs_Prompt.ps1

# get script name and folder
$scriptpath = $MyInvocation.MyCommand.Path
$scriptdir = Split-Path $scriptpath
$scriptname=[io.path]::GetFileNameWithoutExtension($scriptpath)

# consider last text after _ as a container name if present, otherwise prompt for it
$containername=$scriptname.Split("_") | Select-Object -Last 1
if (!($scriptname.Contains("_")) -or [string]::IsNullOrWhiteSpace($containername) -or $containername.ToLower() -eq "prompt")
{ 
    "Note: Change script name to end in _NameOfContainer to skip prompt.`n"
    $containername = Read-Host 'Name of running container (from docker ps -a) from which to export event logs?'
} else {
    "Based on filename of script, acting on container named $containername"
}

# dump eventlog within container and copy to current folder
"Deleting existing event log files..."
docker exec $containername cmd /c del C:\Application.evtx
docker exec $containername cmd /c del C:\Setup.evtx
docker exec $containername cmd /c del C:\System.evtx
"Exporting new event log files..."
docker exec $containername wevtutil epl Application C:\Application.evtx
docker exec $containername wevtutil epl Setup C:\Setup.evtx
docker exec $containername wevtutil epl System C:\System.evtx
"Copying event log files from container to host (${scriptdir})..."
docker cp ${containername}:C:\Application.evtx ${scriptdir}\${containername}-Application.evtx 
docker cp ${containername}:C:\Setup.evtx ${scriptdir}\${containername}-Setup.evtx 
docker cp ${containername}:C:\System.evtx ${scriptdir}\${containername}-System.evtx 
"Done!`n"
Read-Host -Prompt "Press Enter to exit"
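
The function below is an added example and not part of the original article or its script. It performs the same wevtutil epl and docker cp procedure, but adds the checks a practitioner collecting evidence would want: it confirms the container is running before calling docker exec, uses the /ow:true overwrite option instead of a separate delete step, optionally limits the export to the last N hours with an XPath query, checks every docker exit code, and records the SHA-256 hash of each exported file in a manifest. The staging path C:\Windows\Temp inside the container, the evtx output folder and the container name in the usage lines are assumptions for illustration.

```powershell
# Added example: hardened variant of the export procedure above (not the article's script).
function Export-ContainerEventLogs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Container,
        [string[]] $Logs = @('Application', 'Setup', 'System'),
        # host folder that receives the exported logs (assumed: .\evtx under the current folder)
        [string] $OutDir = (Join-Path $PWD.Path 'evtx'),
        # 0 = export the whole log; otherwise only events from the last N hours
        [int] $LastHours = 0
    )

    # docker exec needs a running container (docker cp alone would also work on a stopped one)
    $running = docker inspect -f '{{.State.Running}}' $Container 2>$null
    if ($LASTEXITCODE -ne 0 -or $running -ne 'true') {
        throw "Container '$Container' not found or not running (check docker ps -a)"
    }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $OutDir "$Container-$stamp"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    $manifest = @()
    foreach ($log in $Logs) {
        # staging path inside the container (assumption; the article uses C:\)
        $inContainer = "C:\Windows\Temp\$log.evtx"

        # /ow:true overwrites an existing export, so no separate del step is needed
        $wevtArgs = @('epl', $log, $inContainer, '/ow:true')
        if ($LastHours -gt 0) {
            # XPath filter on TimeCreated; written without spaces so it passes
            # through docker exec as a single argument without extra quoting
            $ms = $LastHours * 3600 * 1000
            $wevtArgs += "/q:*[System[TimeCreated[timediff(@SystemTime)<=$ms]]]"
        }
        docker exec $Container wevtutil @wevtArgs
        if ($LASTEXITCODE -ne 0) { throw "wevtutil epl $log failed in container $Container" }

        $hostFile = Join-Path $dest "$Container-$log.evtx"
        docker cp "${Container}:$inContainer" $hostFile
        if ($LASTEXITCODE -ne 0) { throw "docker cp of $log.evtx from $Container failed" }

        # remove the staging copy so it does not linger in the container's writable layer
        docker exec $Container cmd /c del /q $inContainer | Out-Null

        # hash on the host right after the copy, so later tampering can be detected
        $manifest += [pscustomobject]@{
            Container = $Container
            Log       = $log
            File      = $hostFile
            SizeBytes = (Get-Item $hostFile).Length
            SHA256    = (Get-FileHash -Algorithm SHA256 -Path $hostFile).Hash
            Collected = (Get-Date).ToString('o')
        }
    }

    # write the manifest beside the evidence and return it to the caller
    $manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    $manifest
}

# Usage (container name 'myapp' is an assumption): whole logs, or only the last 24 hours
# Export-ContainerEventLogs -Container myapp
# Export-ContainerEventLogs -Container myapp -LastHours 24 | Format-Table Log, SizeBytes, SHA256
```

The exit-code checks matter because docker exec returns the exit code of the command inside the container, so a failed wevtutil export (for example a misspelled log name) would otherwise go unnoticed and docker cp would quietly copy a stale or missing file.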

Applies to:  

Product Version
KTA All
