Evidence: Docker Logs
Description: Collect Docker Logs on Filesystem
Category: Applications
Platform: linux
Short Name: dckl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
On Linux, the Docker daemon's default logging driver (json-file) writes each container's stdout and stderr to a per-container log file under the Docker data directory, by default /var/lib/docker/containers/<container-id>/<container-id>-json.log (rotated copies, when log rotation is configured, carry a numeric suffix such as -json.log.1). Every line of that file is one JSON object with three keys: "log" (the raw output, newline included), "stream" ("stdout" or "stderr") and "time" (an RFC 3339 UTC timestamp with nanosecond precision). Output longer than the daemon's buffer is split across several entries, with only the last carrying the trailing newline. Containers run under a different logging driver (journald, syslog, local, none, or a remote driver) do not produce these files, so an empty collection does not by itself mean the containers produced no output.
Data Collected
This collector copies the raw per-container JSON log files as found on disk, one file (plus any rotated copies) per container ID. The files are collected as-is and are not parsed or normalized by the collector; the JSON-lines format is simple to parse at analysis time.
Collection Method
This collector gathers Docker container JSON log files from /var/lib/docker///, which contain container output logs organized by container ID.
Forensic Value
Docker logs are essential for investigating containerized application activity, malicious container behavior, data exfiltration, command execution, and for reconstructing attack chains in containerized environments. Because the files capture everything the container process wrote to stdout and stderr, they often preserve command output, error messages and downloaded-payload traces that no longer exist inside the container itself. Collect them early: the daemon deletes a container's directory, log file included, when the container is removed, and log rotation (if configured) discards the oldest rotated file.