# Docker Logs

## Overview

**Evidence:** Docker Logs\
**Description:** Collect Docker Logs on Filesystem\
**Category:** Applications\
**Platform:** linux\
**Short Name:** dckl\
**Is Parsed:** No\
**Sent to Investigation Hub:** No\
**Collect File(s):** Yes

## Background

Docker container logs on Linux are stored as JSON files within the Docker data directory. Each container has its own log file containing stdout/stderr output from the containerized application.

## Data Collected

This collector gathers structured data about Docker logs.

## Collection Method

This collector gathers Docker container JSON log files from `/var/lib/docker/*/*/`, which contain container output logs organized by container ID.

## Forensic Value

Docker logs are essential for investigating containerized application activities, malicious container behavior, data exfiltration, command execution, and understanding attack chains in containerized environments.
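An added example, not part of the original page or the collector's own code: a Python parser that turns a collected container log file into a timeline and reports lines it could not read. It assumes the default `json-file` logging driver, where each line is a JSON object with `log`, `stream` and `time` fields, and treats an entry whose `log` value lacks a trailing newline as a fragment of a longer line; `parse_docker_log` and `parse_time` are names chosen for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample (not from a real container). The last line is cut short,
# as happens when a file is copied while the daemon is still writing to it.
SAMPLE = (
    '{"log":"listening on :8080\\n","stream":"stdout","time":"2024-05-01T10:00:00.123456789Z"}\n'
    '{"log":"GET /healthz ","stream":"stdout","time":"2024-05-01T10:00:01.000000001Z"}\n'
    '{"log":"200\\n","stream":"stdout","time":"2024-05-01T10:00:01.000000002Z"}\n'
    '{"log":"sh: 1: curl: not found\\n","stream":"stderr","time":"2024-05-01T10:00:02.5Z"}\n'
    '{"log":"truncated entr'
)

def parse_time(ts):
    # Assumes RFC 3339 in UTC ("Z") with up to 9 fractional digits;
    # datetime only holds microseconds, so the fraction is cut to 6 digits.
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)

def parse_docker_log(text):
    """Return (events, bad_lines); events are (time, stream, message) tuples."""
    events, bad, pending = [], [], None
    for lineno, raw in enumerate(text.split("\n"), 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
            when, stream = parse_time(rec["time"]), rec["stream"]
            chunk = rec["log"] + ""  # TypeError if "log" is not a string
        except (ValueError, KeyError, TypeError, AttributeError):
            bad.append(lineno)  # unparseable line: note it and keep going
            continue
        if pending and pending[1] != stream:
            events.append(pending)  # fragment that was never completed
            pending = None
        if pending:  # continue a fragment, keeping its original timestamp
            when, chunk = pending[0], pending[2] + chunk
        if chunk.endswith("\n"):
            events.append((when, stream, chunk.rstrip("\n")))
            pending = None
        else:
            pending = (when, stream, chunk)
    if pending:
        events.append(pending)
    return events, bad

if __name__ == "__main__":
    timeline, skipped = parse_docker_log(SAMPLE)
    for when, stream, message in timeline:
        print(when.isoformat(), stream, message)
    print("unparseable lines:", skipped)
```

Run it against a copy of the collected file rather than the original evidence, and keep the list of unparseable line numbers with the case notes so gaps in the timeline are accounted for.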
