Docker Logs

Overview

Evidence: Docker Logs
Description: Collect Docker Logs on Filesystem
Category: Applications
Platform: macos
Short Name: dckl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

Docker Desktop for Mac stores logs for both the VM and host components within user Library containers. These logs capture Docker daemon activities, container operations, networking events, and system interactions.

Data Collected

This collector gathers the Docker log files themselves from the filesystem; it does not parse their contents (Is Parsed: No, Collect File(s): Yes).

Collection Method

This collector gathers Docker logs from user-specific Library/Containers directories, including both VM logs (Linux VM running containers) and host logs (Docker Desktop application on macOS).
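The collection method above, as an added example (not the collector's own code): a POSIX shell function that copies each user's Docker Desktop host and VM logs out of Library/Containers into an evidence directory, preserving layout and mtimes and writing a SHA-256 manifest, run here against a constructed fixture. It assumes the Docker Desktop bundle is com.docker.docker and the log subpaths Data/log/host and Data/log/vm, which the page does not state.

```shell
#!/bin/sh
# Added example, not the dckl collector's code. Assumption (not on the page):
# Docker Desktop for Mac keeps its logs under this bundle path, host/ for the
# macOS application and vm/ for the Linux VM that runs the containers.
DOCKER_LOG_REL="Library/Containers/com.docker.docker/Data/log"

# Portable SHA-256: macOS ships shasum, most Linux hosts ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# collect_docker_logs <users_root> <evidence_dir>
# For every home below <users_root> (e.g. /Users) copies each regular file under
# host/ and vm/, appends "sha256  user/kind/relpath" to manifest.txt and prints
# the number of files collected. Usage on a live Mac:
#   collect_docker_logs /Users /Volumes/Evidence/dckl
collect_docker_logs() {
    users_root="$1"; dest="$2"
    mkdir -p "$dest"; : > "$dest/manifest.txt"
    for home in "$users_root"/*/; do
        user=$(basename "$home")
        for kind in host vm; do
            src="$home$DOCKER_LOG_REL/$kind"
            [ -d "$src" ] || continue            # user never ran Docker Desktop
            find "$src" -type f | while read -r f; do
                rel=${f#"$src"/}
                mkdir -p "$dest/$user/$kind/$(dirname "$rel")"
                cp -p "$f" "$dest/$user/$kind/$rel"   # -p keeps mtime for timelines
                printf '%s  %s/%s/%s\n' "$(sha256_of "$f")" "$user" "$kind" "$rel" \
                    >> "$dest/manifest.txt"
            done
        done
    done
    wc -l < "$dest/manifest.txt" | tr -d ' '
}

# Constructed fixture standing in for /Users (file names and contents invented).
make_fixture() {
    root="$1"
    mkdir -p "$root/alice/$DOCKER_LOG_REL/host" "$root/alice/$DOCKER_LOG_REL/vm"
    printf 'backend started\n'   > "$root/alice/$DOCKER_LOG_REL/host/backend.log"
    printf 'container create\n'  > "$root/alice/$DOCKER_LOG_REL/vm/dockerd.log"
    mkdir -p "$root/bob"                         # user with no Docker Desktop
}
```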

Forensic Value

Docker logs are valuable for investigating containerized application activities, suspicious container deployments, privilege escalation attempts, network communications, and understanding container-based attacks or data exfiltration.
