microsoft/windows-container-tools

[BUG] [LOGMONITOR] ERROR: Failed to enable event channel system: 0x6BA

joshmahar-ts opened this issue · 16 comments

Describe the bug
LogMonitor running either via ENTRYPOINT or SHELL errors when connecting to the event channels. Flat file logging works normally. If I shell into the container after startup and run LogMonitor.exe manually, it is able to read the Event Viewer normally.

2023-07-19 20:22:19 [2023-07-20T01:22:19.000Z][LOGMONITOR] ERROR: Failed to enable event channel system: 0x6BA
2023-07-19 20:22:19 [2023-07-20T01:22:19.000Z][LOGMONITOR] ERROR: Failed to enable event channel application: 0x6BA
2023-07-19 20:22:19 [2023-07-20T01:22:19.000Z][LOGMONITOR] ERROR: Failed to subscribe to event log channel. Error: 1722.
2023-07-19 20:22:19 [2023-07-20T01:22:19.000Z][LOGMONITOR] ERROR: Failed to start event log monitor. Error: 1722

To Reproduce
Steps to reproduce the behavior:

  1. Build image using mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019 base image
  2. Set ENTRYPOINT C:\LogMonitor\LogMonitor.exe ...
  3. Launch container
  4. Observe STDOUT for LOGMONITOR exceptions

Expected behavior
Ability to connect to event log channels using one of the following:
SHELL ["C:\LogMonitor\LogMonitor.exe", "cmd"]
ENTRYPOINT C:\LogMonitor\LogMonitor.exe cmd.exe

Configuration
Container image mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019
Running latest Docker Desktop on Windows 10 22H2
LogMonitor v2.0 with example .json config from this repo
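An added example, not part of the thread or the project's code: in the failure reported above the container keeps running and file logging still works, so the loss of event log collection is only visible in LogMonitor's own diagnostics. This sketch scans container stdout for those diagnostics, normalizes the hex and decimal forms of the code (0x6BA is 1722, the Win32 code RPC_S_SERVER_UNAVAILABLE), and flags an event log failure; `parse_code` and `summarize` are hypothetical names, and the message matching assumes only the strings shown in this thread's log excerpts.

```python
import json
import re

# 0x6BA and 1722 are the same Win32 code: RPC_S_SERVER_UNAVAILABLE.
WIN32_NAMES = {1722: "RPC_S_SERVER_UNAVAILABLE"}

DIAG = re.compile(r"\[LOGMONITOR\] (?P<sev>[A-Z]+): (?P<msg>.*)$")
CODE = re.compile(r"(?<!\w)(0x[0-9A-Fa-f]+|\d+)\.?\s*$")


def parse_code(msg):
    """Return the trailing error code of a diagnostic as an int, or None."""
    m = CODE.search(msg)
    if not m:
        return None
    tok = m.group(1)
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def summarize(lines):
    """Split LogMonitor stdout into its own diagnostics and forwarded entries."""
    report = {"diagnostics": [], "sources": set(), "eventlog_failed": False}
    for line in lines:
        m = DIAG.search(line)
        if m:
            code = parse_code(m["msg"])
            report["diagnostics"].append((m["sev"], code, WIN32_NAMES.get(code)))
            # A non-zero code on an event log/channel message means no event telemetry.
            if m["sev"] == "ERROR" and code and "event" in m["msg"].lower():
                report["eventlog_failed"] = True
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # neither a diagnostic nor a forwarded JSON entry
        if isinstance(entry, dict) and "Source" in entry:
            report["sources"].add(entry["Source"])
    return report


# Sample lines copied from the two log excerpts in this thread.
FAILING = [
    "2023-07-19 20:22:19 [2023-07-20T01:22:19.000Z][LOGMONITOR] ERROR: Failed to enable event channel system: 0x6BA",
    "2023-07-19 20:22:19 [2023-07-20T01:22:19.000Z][LOGMONITOR] ERROR: Failed to start event log monitor. Error: 1722",
]
WORKING = [
    r"[2023-08-07T14:33:09.000Z][LOGMONITOR] ERROR: Failed to open log directory handle. Directory: \\?\c:\inetpub\logs Error=0",
    '{"Source":"Process","LogEntry":{"Logline":"Reply from ::1: time<1ms "},"SchemaVersion":"1.0.0"}',
    '{"Source": "EventLog","LogEntry": {"Time": "2023-07-05T16:27:08.000Z","Channel": "System","Level": "Information","EventId": 6005,"Message": "The Event log service was started."}}',
]
```

Feeding it the output of `docker logs <container>` shortly after startup gives a deploy-time check that fails when `eventlog_failed` is set or when `"EventLog"` never appears in `sources`.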

Hello, I am unable to repro this bug

Dockerfile

FROM mcr.microsoft.com/dotnet/framework/runtime:4.8

WORKDIR /LogMonitor
COPY LogMonitorConfig.json .
COPY LogMonitor.exe .

ENTRYPOINT C:\LogMonitor\LogMonitor.exe

LogMonitorConfig.json

{
  "LogConfig": {
    "sources": [
      {
        "type": "EventLog",
        "startAtOldestRecord": true,
        "eventFormatMultiLine": false,
        "channels": [
          {
            "name": "system",
            "level": "Information"
          },
          {
            "name": "application",
            "level": "Error"
          }
        ]
      },
      {
        "type": "File",
        "directory": "c:\\inetpub\\logs",
        "filter": "*.log",
        "includeSubdirectories": true
      },
      {
        "type": "ETW",
        "eventFormatMultiLine": false,
        "providers": [
          {
            "providerName": "IIS: WWW Server",
            "providerGuid": "3A2A4E84-4C21-4981-AE10-3FDA0D9B0F83",
            "level": "Information"
          },
          {
            "providerName": "Microsoft-Windows-IIS-Logging",
            "providerGuid": "7E8AD27F-B271-4EA2-A783-A47BDE29143B",
            "level": "Information"
          }
        ]
      }
    ]
  }
}

Sample logs

PS C:\Users\bosira> docker logs c4acd1c2c64e
[2023-08-07T14:33:09.000Z][LOGMONITOR] ERROR: Failed to open log directory handle. Directory: \\?\c:\inetpub\logs Error=0
{"Source":"Process","LogEntry":{"Logline":"Pinging c4acd1c2c64e [::1] with 32 bytes of data:"},"SchemaVersion":"1.0.0"}
{"Source":"Process","LogEntry":{"Logline":"Reply from ::1: time<1ms "},"SchemaVersion":"1.0.0"}
{"Source": "EventLog","LogEntry": {"Time": "2023-07-05T16:28:21.000Z","Channel": "Application","Level": "Error","EventId": 8198,"Message": "License Activation (slui.exe) failed with the following error code:\r\nhr=0x80040154\r\nCommand-line arguments:\r\nRuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=d839f159-1128-480b-94b6-77fa9943a16a;NotificationInterval=1440;Trigger=UserLogon;SessionId=1"}}
{"Source": "EventLog","LogEntry": {"Time": "2023-07-05T23:26:40.000Z","Channel": "System","Level": "Information","EventId": 12,"Message": "The operating system started at system time ‎2023‎-‎07‎-‎05T23:26:40.497675700Z."}}
{"Source": "EventLog","LogEntry": {"Time": "2023-07-05T16:27:08.000Z","Channel": "System","Level": "Information","EventId": 6009,"Message": "Microsoft (R) Windows (R) 10.00. 14393  Multiprocessor Free."}}
{"Source": "EventLog","LogEntry": {"Time": "2023-07-05T16:27:08.000Z","Channel": "System","Level": "Information","EventId": 6005,"Message": "The Event log service was started."}}

I've been watching the logs and I cannot see the error you are facing. Is there anything I am missing on my end?

Hello @bobsira, I also am unable to reproduce the bug with the dockerfile and config file you used, however I have the exact same error as @joshmahar-ts when I use the following base image:

mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019

Note: I am using v2.0 of LogMonitor.exe downloaded from https://github.com/microsoft/windows-container-tools/releases/download/v2.0/LogMonitor.exe.

Thank you both for updates/investigation on this issue. I misspoke in my original report in that my base image was actually:

mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019

I will try with mcr.microsoft.com/dotnet/framework/runtime:4.8 instead, but this does suggest a potential issue with servercore or ltsc2019 images.

mcr.microsoft.com/dotnet/framework/runtime:4.8

I can confirm the errors originally reported do NOT occur with this image.

I also have same issue with the same environment:

  • base image: mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019
  • v2.0 of LogMonitor.exe

@heathdavies-eaton @joshmahar-ts and @wasPrime let me investigate this and get back to you folks! Thanks!

@heathdavies-eaton , @joshmahar-ts @wasPrime thanks for bringing this up. I'm able to repro this issue. We will investigate this and come back with a way forward!

Just to update this thread, I've noticed that this problem does not appear in mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2022 or mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2016 image. We are trying to narrow down why this issue occurs in ltsc2019. Feel free to update to 2022 if this does not result in breaks on your end.

Opening this with the windows containers team to help with investigation and closing it here.

@heathdavies-eaton, @joshmahar-ts, @wasPrime is the ltsc2022 working for you?

@bobsira Due to our company's deployment policy, our inner environment is limited to ltsc2019. So we are unable to switch to ltsc2022. Looking forward to fixing this issue on ltsc2019. Thanks!

@bobsira I have the same issue as @wasPrime. Our docker hosts are ltsc2019.

PR to unblock this issue:

#158

#159

This issue has been fixed with PR #159. Download the latest version of Log Monitor with the fix to unblock.

Many thanks for this fix @bobsira. Could you let me know when an official release will be available containing this fix? I have verified the fix using the .exe that you attached to #159 but as we download the .exe automatically as part of our docker build this is not really convenient for us.

Thanks for validating the fix @heathdavies-eaton, I'm pushing tags for v2.0.2 with this fix and should release later today

Hiya, please find the latest release with this change here: https://github.com/microsoft/windows-container-tools/releases/tag/v2.0.2

Thanks everyone!