Docker Container Logs
Overview
Evidence: Docker Container Logs
Description: Collect Docker Container Logs
Category: Applications
Platform: linux
Short Name: dcl
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Docker container logs capture the stdout/stderr output of containerized applications. This log data records runtime behavior, error messages, access patterns, and potential indicators of compromise within container workloads.
Data Collected
This collector gathers structured data about Docker container logs: the timestamped stdout and stderr output of each container, as described under Collection Method.
Collection Method
This collector queries the Docker daemon via the Docker Engine API to retrieve the logs of each container. It captures stdout and stderr output with timestamps for forensic analysis of application behavior and security events.
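As an added illustration of the collection method just described (example code written for this page, not the product's own collector): it lists every container through the Engine API over the daemon's Unix socket, requests stdout and stderr with timestamps, and demultiplexes the framed stream the API returns for non-TTY containers. The socket path is the assumed default, and the sample stream at the bottom is constructed, not real daemon output.

```python
import http.client
import json
import socket
import struct

# Non-TTY containers return stdout and stderr multiplexed into one stream of frames:
# 8-byte header (stream type, 3 zero bytes, big-endian uint32 length) + payload.
FRAME_HEADER = struct.Struct(">BxxxI")
STREAM_NAMES = {0: "stdin", 1: "stdout", 2: "stderr"}

def demux_frames(raw):
    """Yield (stream, payload) per frame; an incomplete trailing frame is dropped."""
    pos = 0
    while pos + FRAME_HEADER.size <= len(raw):
        stream_type, length = FRAME_HEADER.unpack_from(raw, pos)
        pos += FRAME_HEADER.size
        if pos + length > len(raw):
            break
        yield STREAM_NAMES.get(stream_type, "unknown"), raw[pos:pos + length]
        pos += length

def parse_log_lines(raw):
    """One record per line; the daemon prepends an RFC 3339 timestamp and a space
    to every line when the request sets timestamps=1."""
    records = []
    for stream, payload in demux_frames(raw):
        for line in payload.decode("utf-8", "replace").splitlines():
            ts, sep, msg = line.partition(" ")
            records.append({"stream": stream, "timestamp": ts if sep else "",
                            "message": msg if sep else line})
    return records

def collect_container_logs(sock_path="/var/run/docker.sock"):  # assumed default socket path
    """Timestamped stdout/stderr of every container, running or stopped, keyed by ID."""
    def get(path):  # one GET against the Engine API over the daemon's Unix socket
        conn = http.client.HTTPConnection("localhost")
        conn.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        conn.sock.connect(sock_path)
        conn.request("GET", path)
        return conn.getresponse().read()
    logs = {}
    for c in json.loads(get("/containers/json?all=1")):
        logs[c["Id"]] = parse_log_lines(get(f"/containers/{c['Id']}/logs?stdout=1&stderr=1&timestamps=1"))
    return logs

# Constructed sample (not real daemon output): one stdout line and one stderr line.
SAMPLE_STREAM = b"".join(FRAME_HEADER.pack(t, len(p)) + p for t, p in [
    (1, b"2024-05-01T12:00:00.000000000Z GET /login 200\n"),
    (2, b"2024-05-01T12:00:01.250000000Z auth failure for user admin\n")])
```

Containers started with a TTY (Config.Tty in the container's inspect output) return an unframed stream from the same endpoint, so the demultiplexing step must be skipped for them.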
Forensic Value
Container logs reveal application errors, authentication attempts, command execution, data access patterns, and exploitation attempts. Analyzing logs helps identify suspicious activities, trace attacker actions, detect data exfiltration, and reconstruct incident timelines in containerized environments.