Implementing LogMonitor
Unlike Linux, the Windows operating system (OS) uses Event Tracing for Windows (ETW) and event logs as its primary log outputs:
- ETW: A kernel-level tracing facility that lets kernel components and applications emit events, which a consumer can write to a trace file (.etl) or read in real time.
- Event logs: These store application and Windows service events in log files (.evtx) that can be consumed by Event Viewer as well as by other tools.
The same happens at the Windows container level. By default, all logs generated inside the container are stored locally as files in the container's own filesystem and are only reachable through tools that read the Windows event log, such as Event Viewer:
Figure 11.1 – Windows OS log destination
However, container runtimes such as Docker and log processors such as Fluent Bit or Fluentd expect container logs on STDOUT (and STDERR), following the Linux convention. STDOUT is the standard output data stream that command-line programs use to emit values, logs, and so on; the runtime captures whatever the container's main process writes to it and exposes it through commands such as docker logs. Logs that a Windows container writes to ETW or to the event log never touch that stream, so they are invisible to the container runtime and to anything downstream of it.
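The following PowerShell session, added here as a check and not taken from the book or from the LogMonitor project, reproduces the problem on a Windows container host. The container's main process writes one line to STDOUT and one entry to the Application event log; docker logs shows only the STDOUT line, while Get-WinEvent inside the container shows the event log entry. The image tag, the container name evtdemo and the event source name DemoApp are assumptions; the tag must match your host's Windows build, and a Server Core image is needed because Nano Server does not ship Windows PowerShell.

```powershell
# Added check (not from the book): show that Windows event log writes made inside a
# container never reach the runtime's STDOUT capture, so `docker logs` misses them.
# Assumptions: Docker running in Windows-container mode; a Server Core image whose
# tag matches the host build (ltsc2022 is an assumption, adjust for your host).
$image = 'mcr.microsoft.com/windows/servercore:ltsc2022'
$name  = 'evtdemo'     # assumed container name

# Main process of the container: register an event source (DemoApp is an assumed
# name), write one event log entry and one STDOUT line, then stay alive so we can
# exec into it. Kept on one line so it is passed as a single argument to docker.
$inContainer = "New-EventLog -LogName Application -Source DemoApp -ErrorAction SilentlyContinue; " +
               "Write-EventLog -LogName Application -Source DemoApp -EventId 1000 -EntryType Information -Message 'hello from the Windows event log'; " +
               "Write-Output 'hello from STDOUT'; " +
               "Start-Sleep -Seconds 600"

docker run -d --name $name $image powershell -NoProfile -Command $inContainer | Out-Null
Start-Sleep -Seconds 10   # give the container time to start and write both entries

# 1) What the container runtime sees: only the STDOUT line.
Write-Host '--- docker logs ---'
docker logs $name

# 2) What is actually inside the container: the event log entry docker never saw.
#    For classic event sources the ProviderName equals the source name.
Write-Host '--- event log inside the container ---'
docker exec $name powershell -NoProfile -Command "Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='DemoApp'} | Select-Object TimeCreated, Id, Message | Format-List"

docker rm -f $name | Out-Null
```

If docker logs prints only "hello from STDOUT" while the exec step prints the "hello from the Windows event log" entry, the gap this section describes is confirmed: anything a log shipper attaches to the runtime (Docker's logging drivers, Fluent Bit tailing the container log files) will never receive the event log data until something inside the container forwards it to STDOUT.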
Do you want to test...