github.com/sijibomii/docker@v0.0.0-20231230191044-5cf6ca554647/docs/admin/logging/etwlogs.md

<!--[metadata]>
+++
title = "ETW logging driver"
description = "Describes how to use the etwlogs logging driver."
keywords = ["ETW, docker, logging, driver"]
[menu.main]
parent = "smn_logging"
weight=2
+++
<![end-metadata]-->

# ETW logging driver

The ETW logging driver forwards container logs as ETW events.
ETW stands for Event Tracing for Windows, and is the common framework
for tracing applications in Windows. Each ETW event contains a message
with both the log and its context information. A client can then create
an ETW listener to listen to these events.

The ETW provider that this logging driver registers with Windows has the
GUID identifier `{a3693192-9ed6-46d2-a981-f8226c8363bd}`. A client creates an
ETW listener and registers to listen to events from the logging driver's provider.
The order in which the provider and listener are created does not matter:
a client can create its ETW listener and start listening for events from the provider
before the provider has been registered with the system.

## Usage

Here is an example of how to listen to these events using the logman utility program
included in most installations of Windows:

   1. `logman start -ets DockerContainerLogs -p {a3693192-9ed6-46d2-a981-f8226c8363bd} 0 0 -o trace.etl`
   2. Run your container(s) with the etwlogs driver by adding `--log-driver=etwlogs`
      to the Docker run command, and generate log messages.
   3. `logman stop -ets DockerContainerLogs`
   4. This generates an `.etl` file that contains the events. One way to convert this file into
      human-readable form is to run: `tracerpt -y trace.etl`.

Each ETW event will contain a structured message string in this format:

    container_name: %s, image_name: %s, container_id: %s, image_id: %s, source: [stdout | stderr], log: %s

Details on each item in the message can be found below:

| Field                | Description                                     |
|----------------------|-------------------------------------------------|
| `container_name`     | The container name at the time it was started.  |
| `image_name`         | The name of the container's image.              |
| `container_id`       | The full 64-character container ID.             |
| `image_id`           | The full ID of the container's image.           |
| `source`             | `stdout` or `stderr`.                           |
| `log`                | The container log message.                      |

Here is an example event message:

    container_name: backstabbing_spence,
    image_name: windowsservercore,
    container_id: f14bb55aa862d7596b03a33251c1be7dbbec8056bbdead1da8ec5ecebbe29731,
    image_id: sha256:2f9e19bd998d3565b4f345ac9aaf6e3fc555406239a4fb1b1ba879673713824b,
    source: stdout,
    log: Hello world!

A client can parse this message string to get both the log message and its
context information. Note that the time stamp is also available within the ETW event.
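
As an added example (not part of the original page or the Docker project), here is a Go parser for the message string described above. Because `log` is the last field and carries container-controlled output, the parser walks the fixed key order instead of splitting on commas, so ", " or "key: " text inside a log line cannot be read as a context field; `SampleMessage` is a constructed input built from the page's example.

```go
package main

import (
	"fmt"
	"strings"
)

// ETWLogEvent holds the six fields carried in an etwlogs message string.
type ETWLogEvent struct {
	ContainerName, ImageName, ContainerID, ImageID, Source, Log string
}
// keys is the fixed key order of the message format; "log" is always last.
var keys = []string{"container_name", "image_name", "container_id", "image_id", "source", "log"}

// ParseETWLogMessage walks the fixed key sequence instead of splitting on
// commas, so a log line that itself contains ", " or "key: " text cannot be
// mistaken for a context field: everything after "log: " is taken verbatim.
func ParseETWLogMessage(msg string) (*ETWLogEvent, error) {
	vals, rest := make([]string, len(keys)), msg
	for i, key := range keys {
		prefix := key + ": "
		if !strings.HasPrefix(rest, prefix) {
			return nil, fmt.Errorf("expected %q at %.30q", prefix, rest)
		}
		rest = rest[len(prefix):]
		if i == len(keys)-1 { // last field: the remainder is the log message
			vals[i] = rest
			break
		}
		idx := strings.Index(rest, ", "+keys[i+1]+": ")
		if idx < 0 {
			return nil, fmt.Errorf("missing field %q", keys[i+1])
		}
		vals[i], rest = rest[:idx], rest[idx+2:] // drop ", " so the next key leads
	}
	ev := &ETWLogEvent{vals[0], vals[1], vals[2], vals[3], vals[4], vals[5]}
	// Sanity-check context fields: a 64-char lowercase hex ID and a known source.
	if len(ev.ContainerID) != 64 || strings.Trim(ev.ContainerID, "0123456789abcdef") != "" ||
		(ev.Source != "stdout" && ev.Source != "stderr") {
		return nil, fmt.Errorf("bad container_id %q or source %q", ev.ContainerID, ev.Source)
	}
	return ev, nil
}

// SampleMessage is constructed: the page's example on one line, plus a log that contains ", " and "source: ".
const SampleMessage = "container_name: backstabbing_spence, image_name: windowsservercore, " +
	"container_id: f14bb55aa862d7596b03a33251c1be7dbbec8056bbdead1da8ec5ecebbe29731, " +
	"image_id: sha256:2f9e19bd998d3565b4f345ac9aaf6e3fc555406239a4fb1b1ba879673713824b, " +
	"source: stdout, log: Hello world, source: fake, log: not a field"
func main() { fmt.Println(ParseETWLogMessage(SampleMessage)) }
```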

**Note** This ETW provider emits only a message string, not a specially
structured ETW event. Therefore, no manifest file needs to be registered
with the system to read and interpret its ETW events.