Docker Container Logs Integration
Overview
Docker containers generate application and runtime logs that are essential for security monitoring. KYRA MDR collects Docker container logs via the syslog logging driver or Fluentd for centralized security analysis. Docker Engine 20.x and later is supported.
Prerequisites
- A KYRA MDR Collector installed and running
- Docker Engine installed on the host
- Root or docker group access on the Docker host
- Network connectivity from the Docker host to the collector on TCP port 514
Configuration
Configure Docker to send container logs via syslog:
- Edit /etc/docker/daemon.json:

```json
{
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "tcp://<collector-ip>:514",
    "syslog-facility": "local0",
    "tag": "{{.Name}}/{{.ID}}"
  }
}
```

- Restart Docker:

```shell
sudo systemctl restart docker
```

Per-container logging:

```shell
docker run --log-driver=syslog \
  --log-opt syslog-address=tcp://<collector-ip>:514 \
  --log-opt tag="{{.Name}}" \
  <image>
```

Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Container Stdout | Application standard output | Application monitoring |
| Container Stderr | Application errors | Error detection, debugging |
| Docker Events | Container lifecycle events | Container security monitoring |
| Health Checks | Container health status | Service availability |
| Security Events | Seccomp and AppArmor events | Container runtime security |
| Network Events | Container networking events | Network security analysis |
Troubleshooting
No container logs: Verify the syslog driver is configured in daemon.json. Run `docker info` and check the "Logging Driver" entry to confirm the active driver.
Existing containers unaffected: Changing the daemon configuration only affects new containers. Recreate existing containers.
Log format: Use the tag option to include the container name for proper identification.
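As an added pre-flight check for the configuration and troubleshooting steps above (example code, not part of the original page or of KYRA MDR): a Python script that validates a daemon.json body against the settings this page specifies (syslog driver, a tcp://<collector-ip>:514 address, a tag containing {{.Name}}) and parses lines in the legacy format the Docker syslog driver emits, recovering the container name and ID from the tag. The sample log lines, host name and container name/ID are constructed; the stdout-to-info and stderr-to-err severity mapping is assumed from the driver's behaviour.

```python
import json
import re
from typing import List, Optional, Tuple

# Legacy (RFC 3164 style) line emitted by the Docker syslog driver:
#   <PRI>Mon DD HH:MM:SS host TAG[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[\s:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def check_daemon_json(text: str) -> List[str]:
    """Return the problems found in a daemon.json body (empty list means OK)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"daemon.json is not valid JSON: {exc}"]  # dockerd refuses to start
    problems: List[str] = []
    if cfg.get("log-driver") != "syslog":
        problems.append("log-driver is not 'syslog': no container logs reach the collector")
    opts = cfg.get("log-opts", {})
    addr = opts.get("syslog-address", "")
    if not re.fullmatch(r"tcp://[^:/]+:514", addr):
        problems.append(f"syslog-address {addr!r} is not of the form tcp://<collector-ip>:514")
    if "{{.Name}}" not in opts.get("tag", ""):
        problems.append("tag does not include {{.Name}}: containers cannot be identified")
    return problems

def parse_container_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one collected line into (container name, container id, stream, message).

    With tag "{{.Name}}/{{.ID}}" the syslog TAG field is "<name>/<id>". The driver
    logs stdout at severity info (6) and stderr at severity err (3) (assumed), so
    the stream is recovered from PRI % 8.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    name, _, cid = m["tag"].partition("/")
    stream = "stderr" if int(m["pri"]) % 8 == 3 else "stdout"
    return name, cid, stream, m["msg"]

# Constructed sample lines (not from the original page): facility local0 is 16,
# so PRI = 16*8 + severity, i.e. 134 for stdout and 131 for stderr.
SAMPLE_LINES = [
    "<134>Jan  5 10:00:01 dockerhost web/3f2a1b4c5d6e[1234]: GET /login 200",
    "<131>Jan  5 10:00:02 dockerhost web/3f2a1b4c5d6e[1234]: login failed for user alice",
]
```

Run check_daemon_json on the file contents before restarting Docker; a non-empty list points at the troubleshooting item to fix first.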
Contact kyra@seekerslab.com for support.