microsoft/windows-container-tools

Filter Event Log by Event Source

Opened this issue · 2 comments

JaredShaver commented

Is your feature request related to a problem? Please describe.
The Application Event Log has many useful messages for troubleshooting but it is also very noisy. When working with the Windows Event logs in a normal server situation, the Event Viewer and the APIs for allow for robust filtering. When working with Windows Containers, due to their ephemeral nature, event logs must be pushed out of the container and into some log aggregation tool like Azure Monitor. The LogMonitor gives an all/nothing experience for working with the Event Logs with no filtering or fine grain control.

Describe the solution you'd like
Event Log entries to also emit the Event Source name as appears in the Windows Event Log. Additionally, a way to define a list of Event Source names, and only those matching would be emitted by LogMonitor. Example: An ASP.NET application may only be interested in Event sources ASP.NET 4.0.30319.0 and IIS-W3SVC-WP.

Describe alternatives you've considered
Since the Event Source is not emitted the only alternative would be to create some custom fork of LogMon which is not ideal for ongoing maintenance/support.

Additional context
See also #168 for a similar request for files.

bobsira commented
  1. On your query for Event Log entries to also emit the Event Source name as appears in the Windows Event Log. This is possible in Log Monitor. This PR should contain the fix for the ask. #182
  2. On your second query, I believe we can also have a better filtering mechanism based on Event Source name if this is something that customers would desire and would help out with your logging experience. The team will look into it and get back to you.

cc @CharityKathure @iankingori

kamranayub commented

+1 to this. Use case: I have a ASP.NET Framework app I'm modernizing and it's running in a container. I love that I can wrap it in LogMonitor and see my app logs (NLog file logger), but I don't love that I have to subscribe to the full Application event log, and I can't filter down to only the ASP.NET 4.0.30319.0 source. It doesn't help that it's a Warning level and not an Error if my app throws a fatal error either.