
Log Monitor v2.2.0 Release Candidate Brings Major JSON Library Overhaul and AKS Integration

Cloud Reporter

Microsoft's Log Monitor v2.2.0 release candidate replaces Boost.JSON with nlohmann/json, adds AKS + IIS example, and fixes critical bugs while maintaining backward compatibility.

Microsoft has published a release candidate of Log Monitor v2.2.0, a significant update to its open-source tool that enables Windows containers to surface logs from multiple sources directly to container stdout. The tool, which supports Event Log, ETW providers, and log files, is now available on GitHub and brings several important improvements that enhance both performance and usability for containerized applications running on Kubernetes and Azure Container Apps.

The most substantial change in this release is the replacement of the Boost.JSON library with nlohmann/json, a lightweight, header-only C++ JSON library. This architectural decision removes the heavy Boost dependency, significantly reducing build complexity and simplifying vcpkg dependency management. The change maintains full backward compatibility with existing configuration files, ensuring that organizations can upgrade without modifying their current setups. This is particularly valuable for production environments where configuration stability is critical.

A new end-to-end example for running Log Monitor with IIS on Azure Kubernetes Service (AKS) has been added to the repository. This comprehensive example includes deployment manifests and step-by-step documentation, making it substantially easier for developers to implement log monitoring in production Kubernetes environments. The inclusion of this AKS-specific example demonstrates Microsoft's commitment to supporting enterprise container orchestration scenarios and provides a practical reference for teams deploying Windows workloads on Kubernetes.

The release candidate addresses several critical bugs in the configuration file parser. The eventFormatMultiLine option now correctly defaults to true when not specified, resolving a common configuration oversight. The waitInSeconds parameter for File log sources is now properly parsed, eliminating the previous behavior where it always defaulted to 300 seconds regardless of configuration. Additionally, the optional channel level now correctly defaults to Error when omitted, preventing parse failures that could disrupt log collection. The update also introduces graceful handling of invalid log sources within configuration files, allowing valid sources to continue processing even when errors are encountered.
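Because these parser fixes change the effective value of settings that were previously ignored or rejected, it is worth auditing an existing LogMonitorConfig.json before swapping the binary. The following Python sketch is an added example, not code from the Log Monitor project; the LogConfig/sources/channels layout, the list of valid source types, and the application of eventFormatMultiLine to both EventLog and ETW sources are assumptions drawn from Log Monitor's published configuration format rather than from this article, and the sample config is constructed.

```python
import json

# Constructed sample config. Key layout (LogConfig -> sources -> channels) is an
# assumption based on Log Monitor's published format, not taken from this article.
SAMPLE_CONFIG = r"""
{
  "LogConfig": {
    "sources": [
      {"type": "EventLog",
       "channels": [{"name": "system"},
                    {"name": "application", "level": "Information"}]},
      {"type": "File", "directory": "c:\\inetpub\\logs", "filter": "*.log",
       "waitInSeconds": 60},
      {"type": "ETW", "eventFormatMultiLine": false, "providers": []},
      {"type": "Syslog"}
    ]
  }
}
"""

KNOWN_TYPES = {"eventlog", "file", "etw"}  # the three source types the tool supports


def audit_upgrade(config_text):
    """Return (source_index, message) pairs for settings the v2.2.0 parser fixes affect."""
    findings = []
    sources = json.loads(config_text).get("LogConfig", {}).get("sources", [])
    for i, src in enumerate(sources):
        kind = str(src.get("type", "")).lower()
        if kind not in KNOWN_TYPES:
            # Assumption: an unknown type is what the release treats as an invalid source.
            findings.append((i, "invalid source type; skipped while valid sources continue"))
            continue
        if kind in ("eventlog", "etw") and "eventFormatMultiLine" not in src:
            findings.append((i, "eventFormatMultiLine omitted; defaults to true"))
        if kind == "file" and src.get("waitInSeconds", 300) != 300:
            findings.append((i, f"waitInSeconds={src['waitInSeconds']} is now honored (was always 300)"))
        if kind == "eventlog":
            for ch in src.get("channels", []):
                if "level" not in ch:
                    findings.append((i, f"channel {ch.get('name')!r} has no level; defaults to Error"))
    return findings


if __name__ == "__main__":
    for index, message in audit_upgrade(SAMPLE_CONFIG):
        print(f"sources[{index}]: {message}")
```

A waitInSeconds finding is the one most likely to change runtime behavior after the upgrade, since a value that was silently replaced by 300 seconds will now take effect.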

Security improvements include a fix for a path traversal vulnerability in the /Config command-line argument, closing a potential attack vector that could have allowed unauthorized file access. The update also reduces unnecessary error log noise for ERROR_NOT_SUPPORTED cases, improving log readability and reducing alert fatigue for operations teams.

Upgrading from v2.1.x is designed to be seamless. The release maintains an identical configuration file format, making it a true drop-in replacement. Organizations need only replace the LogMonitor.exe binary in their container image and run their existing LogMonitorConfig.json without modifications. This approach minimizes upgrade risk and operational disruption.

The build system has been modernized from a standalone Visual Studio solution to a CMake + vcpkg workflow. A single script, .\build.cmd, now handles the entire build process, automatically cloning vcpkg, bootstrapping it, installing nlohmann-json, configuring the project with CMake using Visual Studio 2022, and building both the main executable and test suite. This streamlined approach reduces the complexity of building from source and ensures consistent builds across different environments.

For developers upgrading from v2.1.x, it's important to note that the output path has changed. The binary is now located at LogMonitor\build\Release\LogMonitor.exe instead of the previous LogMonitor\x64\Release\LogMonitor.exe. Any Dockerfiles or CI scripts that reference the binary by path are affected and should be updated accordingly.

The release includes a comprehensive example configuration file that demonstrates monitoring Windows Event Log, an ETW provider, and a log file simultaneously. This configuration covers all three source types supported by Log Monitor and serves as an excellent starting point for customization. The example shows how to configure different log levels for various channels and demonstrates the flexibility of the tool in handling diverse logging scenarios.

Continuous integration and deployment pipelines have been updated to correctly install nlohmann/json via vcpkg before building, ensuring reliable builds across all CI environments. This improvement addresses potential build inconsistencies that could occur in automated build systems.

Log Monitor v2.2.0 represents a significant step forward in Windows container log management, combining performance improvements, security enhancements, and expanded documentation to support enterprise container deployments. The focus on backward compatibility and simplified build processes demonstrates Microsoft's understanding of the operational challenges faced by organizations running Windows containers at scale.

Organizations running Windows containers in Kubernetes or Azure Container Apps should evaluate this release candidate for their environments. The combination of reduced dependencies, improved security, and enhanced documentation makes it an attractive upgrade for teams seeking to optimize their container logging infrastructure.
