I'd like to ship winlogbeat as a sibling/sidecar container to an app container to ship an app's event logs, rather than as a windows service running within the app container. this would fit well with a current setup where filebeat runs alongside an app container and reads/ships the app's logs from a shared logs volume.
I've set up a playground repo where I try to do this by mounting the app's event log directory to a shared volume and having winlogbeat read from those files, but since they're live evtx files, it seems that windows has an exclusive lock, restricting winlogbeat from reading them.
here's the readme from the playground for easy view:
winlogbeat-sidecar
playground for trying to get a winlogbeat sidecar job to read event logs from an app container as a filebeat sidecar would read text logs.
current approach is to mount the app's C:\Windows\System32\winevt\Logs to a shared volume and have winlogbeat read from those .evtx files, but it seems that those files have a restrictive lock:
{"level":"warn","timestamp":"2020-01-30T17:24:18.342Z","caller":"beater/eventlogger.go:113","message":"EventLog[c:\\alloc\\data\\Application.evtx] Open() error. No events will be read from this source. failed to get handle to event log file c:\\alloc\\data\\Application.evtx: The process cannot access the file because it is being used by another process."}
{"level":"warn","timestamp":"2020-01-30T17:24:18.344Z","caller":"beater/eventlogger.go:113","message":"EventLog[c:\\alloc\\data\\System.evtx] Open() error. No events will be read from this source. failed to get handle to event log file c:\\alloc\\data\\System.evtx: The process cannot access the file because it is being used by another process."}
{"level":"warn","timestamp":"2020-01-30T17:24:18.344Z","caller":"beater/eventlogger.go:113","message":"EventLog[c:\\alloc\\data\\Security.evtx] Open() error. No events will be read from this source. failed to get handle to event log file c:\\alloc\\data\\Security.evtx: The process cannot access the file because it is being used by another process."}
interested in any approaches to make this work (if it's possible)!
setup
run: docker-compose up
containers:
app: powershell script that logs both to a log file and an event log on a loop
winlogbeat: winlogbeat container that tries to read from mounted evtx event log files from app, outputs to console
filebeat: example filebeat container that successfully reads from mounted .log file from app, outputs to console
notes
this follows an example in the winlogbeat FAQs for reading from .evtx, though in that case winlogbeat reads from archived .evtx files, hence no lock conflict
To read from live event logs Winlogbeat uses the Windows Event Log API to communicate directly with the event log subsystem as opposed to using the filesystem to read from the evtx file.
So if an app is writing to the host's event log using the Windows API then perhaps you can configure Winlogbeat without going straight to the evtx file. Like use Get-WinEvent -ListLog * to get the event log name and then set up Winlogbeat to read that channel.
I assume this wouldn't work at all with Hyper-V isolation mode for the container, but perhaps it works in process isolation mode.
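The channel-based approach suggested in the reply, as an added example (not code from the thread or the playground repo): it checks the channel with the Windows Event Log API, writes and reads back a test event through that API rather than the .evtx file, and emits a winlogbeat.yml that subscribes to the channel. The event source name "SidecarApp" is an assumption.

```powershell
# Added example, not from the thread or the playground repo. Assumes the app
# registers an event source named "SidecarApp" in the Application channel.
$Source  = 'SidecarApp'    # hypothetical event source name
$Channel = 'Application'

# 1. Confirm the channel exists and is enabled (the discovery step the reply suggests).
Get-WinEvent -ListLog $Channel |
    Select-Object LogName, IsEnabled, RecordCount

# 2. Register the source once and write a test event through the Windows API,
#    the same path the app container would use instead of touching the .evtx file.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $Channel -Source $Source
}
Write-EventLog -LogName $Channel -Source $Source -EventId 1000 `
    -EntryType Information -Message 'sidecar test event'

# 3. Read the event back via the API, not the file, so no file lock is involved.
Get-WinEvent -FilterHashtable @{ LogName = $Channel; ProviderName = $Source } -MaxEvents 3 |
    Select-Object TimeCreated, Id, ProviderName, Message

# 4. Winlogbeat config that subscribes to the channel, keeps only the app's
#    provider, and writes to the console like the playground containers do.
@'
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
    provider:
      - SidecarApp
output.console:
  pretty: true
'@ | Set-Content -Path .\winlogbeat.yml -Encoding ascii
```

Whether a sidecar container sees the app container's channel at all depends on the isolation mode, as the reply notes; the config above only removes the file-lock problem, not that boundary.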