Using Docker’s ETW log driver in Windows

2017-09-20

September 20, 2017

1 minute

In Docker’s ETW logging driver doc, it uses the tool logman to view the logs. In this article, I will show you how to use mftrace to view Docker ETW logs in real-time.

First, here’s a simple application written in Go that logs to STDERR every second.

	package main

	import (
	"log"
	"time"
	)

	func main() {
	log.SetFlags(0)

	for {
	log.Println("time now:", time.Now())
	time.Sleep(time.Second * 1)
	}
	}

view raw blog_20170920_stdoutlog.go hosted with ❤ by GitHub

Next, let’s create a Docker image (Windows) using the Dockerfile below.

	FROM golang:1.8.3-nanoserver

	ADD . /go/src/demoapp
	WORKDIR /go/src/demoapp
	RUN go build -v
	ENTRYPOINT ["/go/src/demoapp/demoapp"]

view raw blog_20170920_dockerfilewin hosted with ❤ by GitHub

# assuming the code above is saved in a directory called 'demoapp'
$ docker build -t demoapp .

To use mftrace, we need a config file.

	<?xml version='1.0' encoding='utf-8'?>
	<providers>
	<provider level="5" ID="a3693192-9ed6-46d2-a981-f8226c8363bd" >
	<keyword ID="0xF"/>
	</provider>
	</providers>

view raw blog_20170920_mftraceconfig.xml hosted with ❤ by GitHub

Open a command prompt (or Powershell) and run the following command.

$ mftrace.exe -c config.xml

Then open another command prompt (or Powershell) window and run the Docker image.

$ docker run -d --log-driver=etwlogs --name demoapp demoapp:latest

You should be able to view the application logs in the mftrace window.

You can use this repo instead of creating your own folder structure. Instructions are provided in the README as well as an x86 version of mftrace.