Kofax

Windows Event Logs From Docker Containers

Article # 3025029

Issue

Windows event logs can be collected from Docker containers using the commands and script below.

Solution

Independently of Docker, event logs can be exported from the command line with the wevtutil command. The docker cp command copies files, such as exported event logs, from the container to the host.

The attached PowerShell script exports the Application, Setup, and System event logs and copies them to the folder containing the script, naming each file after the container. The script prompts for the container name, or, if the script has been renamed to end in _NameOfContainer, it uses NameOfContainer.

ExportContainerEventLogs_Prompt.ps1

# get script name and folder
$scriptpath = $MyInvocation.MyCommand.Path
$scriptdir = Split-Path $scriptpath
$scriptname=[io.path]::GetFileNameWithoutExtension($scriptpath)

# consider last text after _ as a container name if present, otherwise prompt for it
$containername=$scriptname.Split("_") | Select-Object -Last 1
if (!($scriptname.Contains("_")) -or [string]::IsNullOrWhiteSpace($containername) -or $containername.ToLower() -eq "prompt")
{ 
    "Note: Change script name to end in _NameOfContainer to skip prompt.`n"
    $containername = Read-Host 'Name of running container (from docker ps -a) from which to export event logs?'
} else {
    "Based on filename of script, acting on container named $containername"
}

# dump eventlog within container and copy to current folder
# (wevtutil epl refuses to overwrite an existing file, so remove stale exports first)
"Deleting existing event log files..."
docker exec $containername cmd /c del C:\Application.evtx
docker exec $containername cmd /c del C:\Setup.evtx
docker exec $containername cmd /c del C:\System.evtx
"Exporting new event log files..."
docker exec $containername wevtutil epl Application C:\Application.evtx
docker exec $containername wevtutil epl Setup C:\Setup.evtx
docker exec $containername wevtutil epl System C:\System.evtx
"Copying event log files from container to host (${scriptdir})..."
docker cp ${containername}:C:\Application.evtx ${scriptdir}\${containername}-Application.evtx 
docker cp ${containername}:C:\Setup.evtx ${scriptdir}\${containername}-Setup.evtx 
docker cp ${containername}:C:\System.evtx ${scriptdir}\${containername}-System.evtx 
"Done!`n"
Read-Host -Prompt "Press Enter to exit"
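As an added example that is not part of the article or its attached script, the following PowerShell variant performs the same export but checks that the container is running, verifies the exit code of each step, and records the size and SHA-256 hash of every exported file so the copied logs can be verified later. It assumes docker.exe on the host's PATH and a running Windows container in which wevtutil is available; /ow:true is the wevtutil epl overwrite option, which replaces the script's del step.

```powershell
# Added example (not the Kofax script above): export Application, Setup and System
# from a running Windows container, checking each step and hashing the results.
param(
    [Parameter(Mandatory = $true)][string]$ContainerName,
    [string]$OutDir = (Get-Location).Path
)

# Refuse to run against a container that is not running; docker exec would fail
# anyway, but a clear error beats three half-finished steps.
$running = docker inspect -f '{{.State.Running}}' $ContainerName 2>$null
if ($running -ne 'true') {
    throw "Container '$ContainerName' is not running (docker ps -a lists all containers)."
}

$results = @()
foreach ($log in 'Application', 'Setup', 'System') {
    $inContainer = "C:\$log.evtx"
    $onHost = Join-Path $OutDir "$ContainerName-$log.evtx"

    # /ow:true lets wevtutil overwrite a stale export, so no separate del step is needed.
    docker exec $ContainerName wevtutil epl $log $inContainer /ow:true
    if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil failed for $log (exit $LASTEXITCODE)"; continue }

    # Same container:path form as the article's docker cp commands.
    docker cp "${ContainerName}:$inContainer" $onHost
    if ($LASTEXITCODE -ne 0) { Write-Warning "docker cp failed for $log (exit $LASTEXITCODE)"; continue }

    # Record size and SHA-256 so the copy can be verified against what was collected.
    $file = Get-Item $onHost
    $results += [pscustomobject]@{
        Log    = $log
        Path   = $file.FullName
        Bytes  = $file.Length
        SHA256 = (Get-FileHash -Algorithm SHA256 $file.FullName).Hash
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation (Join-Path $OutDir "$ContainerName-evtx-hashes.csv")
```

Run it as `.\ExportContainerEventLogs_Verified.ps1 -ContainerName <name>` (hypothetical file name); an exported log that is unexpectedly zero bytes, or whose hash later differs from the recorded value, indicates the collection should be repeated.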


Level of Complexity

Easy


Applies to

Product   Version   Build   Environment   Hardware
KTA       All

