microsoft / windows-container-tools

Collection of tools to improve the Windows Containers experience
MIT License

Custom Log Format #124

Closed CharityKathure closed 1 year ago

CharityKathure commented 1 year ago

Summary

In addition to getting logs in XML and JSON formats, a user should have the flexibility to customize their Windows container logs, dictating what the logs should look like and the specific fields that should appear in log entries.

For example: to display the timestamp, source, severity and message of an event in STDOUT, a user can specify the following format: [%TimeStamp%] [%Source%] [%Severity%] %Message%

Examples:

1. Event Logs Configuration: "customLogFormat": "[%TimeStamp%] [%Source%] [%Severity%] %Message%" Output:

[2023-02-17T02:35:42.000Z] [EventLog] [Information] Successfully logged OS information

2. ETW Logs Configuration: "customLogFormat": "[%TimeStamp%] [%Source%] [%Severity%] [%ProviderId%] [%ProviderName%] [%EventId%] %EventData%" Output:

[2023-03-10T07:27:59.000Z] [ETW] [Information] [{DAA6A96B-F3E7-4D4D-A0D6-31A350E6A445}] [Microsoft-Windows-WLAN-Driver] [1] FrameUniqueID: 462621 QueueLength: 0 QueueState: false Status: 0 CustomData1: 0 CustomData2: 0 CustomData3: 0

3. File Logs Configuration: "[%TimeStamp%] [%Source%] [%FileName%] %Message%" Output:

[2023-03-10T07:31:08.000Z] [File] [Trial.log] Testing file log entry on STDOUT

Sample Config used in testing:

{
  "LogConfig": {
    "logFormat": "custom",
    "sources": [
      {
        "type": "File",
        "directory": "c:\\inetpub\\logs",
        "filter": "*.log",
        "includeSubdirectories": true,
        "customLogFormat": "[%TimeStamp%] [%Source%] [%FileName%] %Message%"
      },
      {
        "type": "ETW",
        "eventFormatMultiLine": false,
        "providers": [
          {
            "providerName": "Microsoft-Windows-WLAN-Driver",
            "providerGuid": "DAA6A96B-F3E7-4D4D-A0D6-31A350E6A445",
            "level": "Information"
          }
        ],
        "customLogFormat": "[%TimeStamp%] [%Source%] [%Severity%] [%ProviderId%] [%ProviderName%] [%DecodingSource%] [%ExecutionProcessId%] [%ExecutionThreadId%] [%EventId%] %eventdata%"
      }
    ]
  }
}
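As an added illustration of the placeholder expansion the proposal describes (this is not code from LogMonitor or from the issue author), assuming field names are matched case-insensitively, since the config above spells the same field both %EventData% and %eventdata%, and that a placeholder with no matching field is left verbatim so a misspelled field name is visible in the output rather than silently dropped:

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Field values keyed by lower-case name; lookup is case-insensitive (assumption,
// motivated by %EventData% and %eventdata% both appearing in the issue's config).
using Fields = std::map<std::string, std::string>;

static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Expand a customLogFormat template: each %Name% becomes the field's value.
// Unknown placeholders are copied verbatim (assumed policy); a lone '%' with no
// closing '%' is treated as ordinary text rather than as a broken placeholder.
std::string FormatLogLine(const std::string& tmpl, const Fields& fields) {
    std::string out;
    std::size_t pos = 0;
    while (pos < tmpl.size()) {
        if (tmpl[pos] != '%') { out += tmpl[pos++]; continue; }
        std::size_t end = tmpl.find('%', pos + 1);
        if (end == std::string::npos) { out += tmpl.substr(pos); break; }
        auto it = fields.find(Lower(tmpl.substr(pos + 1, end - pos - 1)));
        out += (it != fields.end()) ? it->second : tmpl.substr(pos, end - pos + 1);
        pos = end + 1;
    }
    return out;
}

// Constructed sample event matching example 1 in the issue (EventLog source).
std::string ExampleEventLogLine() {
    Fields f = {{"timestamp", "2023-02-17T02:35:42.000Z"}, {"source", "EventLog"},
                {"severity", "Information"}, {"message", "Successfully logged OS information"}};
    return FormatLogLine("[%TimeStamp%] [%Source%] [%Severity%] %Message%", f);
}

// Constructed sample matching example 3 in the issue (File source).
std::string ExampleFileLogLine() {
    Fields f = {{"timestamp", "2023-03-10T07:31:08.000Z"}, {"source", "File"},
                {"filename", "Trial.log"}, {"message", "Testing file log entry on STDOUT"}};
    return FormatLogLine("[%TimeStamp%] [%Source%] [%FileName%] %Message%", f);
}

int main() {
    std::cout << ExampleEventLogLine() << '\n' << ExampleFileLogLine() << '\n';
    return 0;
}
```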
bobsira commented 1 year ago

FYI, pressing CTRL + C results in the following flow:

'LogMonitor.exe' (Win32): Loaded 'C:\windows-container-tools\LogMonitor\x64\Debug\LogMonitor.exe'. Symbols loaded.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\ntdll.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\kernel32.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\KernelBase.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\advapi32.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\msvcrt.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\sechost.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\rpcrt4.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\ole32.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\msvcp_win.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\ucrtbase.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\gdi32.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\win32u.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\gdi32full.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\user32.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\combase.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\shlwapi.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\wevtapi.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\tdh.dll'.
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\imm32.dll'.
The thread 0x6c1c has exited with code 0 (0x0).
Exception thrown at 0x00007FF9278A267E (KernelBase.dll) in LogMonitor.exe: 0x40010005: Control-C.
The thread 0x960c has exited with code 0 (0x0).
Exception thrown at 0x00007FF9278A267E (KernelBase.dll) in LogMonitor.exe: 0x40010005: Control-C.
The thread 0x6174 has exited with code 0 (0x0).
The thread 0x5a8c has exited with code 0 (0x0).
'LogMonitor.exe' (Win32): Loaded 'C:\Windows\System32\kernel.appcore.dll'.
The thread 0x563c has exited with code 0 (0x0).
The thread 0x74e8 has exited with code 0 (0x0).
The program '[37976] LogMonitor.exe' has exited with code 0 (0x0).