Docker Container Logs
Overview
Evidence: Docker Container Logs
Description: Collect Docker Container Logs
Category: Applications
Platform: linux
Short Name: dcl
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Docker container logs capture stdout/stderr output from containerized applications. Log data provides runtime behavior, error messages, access patterns, and potential indicators of compromise within container workloads.
Data Collected
This collector gathers structured data about Docker container logs.
Collection Method
This collector queries the Docker daemon via the Docker Engine API to retrieve logs from each container. It captures stdout and stderr output with timestamps for forensic analysis of application behavior and security events.
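The following is an added illustration of that collection method, not the collector's own code. It talks to the Engine API over the daemon's Unix socket (assumed at /var/run/docker.sock, API version v1.41 assumed; any version serving these endpoints works), lists every container, and fetches its logs with timestamps. For non-TTY containers the logs endpoint returns a multiplexed stream of 8-byte-header frames, which the example demultiplexes into stdout/stderr records and reports a cut-off trailing frame instead of misparsing it; the sample bytes at the bottom are constructed, not real daemon output.

```python
import http.client
import json
import socket

# Assumptions (not stated by the collector's documentation): default daemon socket
# path and an Engine API version that serves /containers/json and /containers/{id}/logs.
DOCKER_SOCKET = "/var/run/docker.sock"
API_VERSION = "v1.41"
STREAM_NAMES = {0: "stdin", 1: "stdout", 2: "stderr"}


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over the daemon's Unix socket; no TCP exposure of the API needed."""

    def __init__(self, path: str):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def api_get(path: str, sock_path: str = DOCKER_SOCKET) -> bytes:
    """One GET against the Engine API; a fresh connection per call keeps it simple."""
    conn = UnixHTTPConnection(sock_path)
    conn.request("GET", f"/{API_VERSION}{path}")
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"GET {path} -> HTTP {resp.status}: {body[:200]!r}")
    return body


def encode_frame(stream_type: int, payload: bytes) -> bytes:
    """Build one multiplexed frame; used here only to construct offline sample data."""
    return bytes([stream_type, 0, 0, 0]) + len(payload).to_bytes(4, "big") + payload


def demux_log_stream(data: bytes) -> list:
    """Split a non-TTY logs response into (stream, payload) frames.
    Header: byte 0 = stream type (0 stdin, 1 stdout, 2 stderr), bytes 1-3 = zero
    padding, bytes 4-7 = big-endian uint32 payload length. A cut-off trailing frame
    (dropped connection, daemon restart) is reported as ("truncated", bytes)."""
    frames, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 8:
            frames.append(("truncated", data[pos:]))
            break
        stream_type = data[pos]
        size = int.from_bytes(data[pos + 4:pos + 8], "big")
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) < size:
            frames.append(("truncated", payload))
            break
        frames.append((STREAM_NAMES.get(stream_type, f"unknown{stream_type}"), payload))
        pos += 8 + size
    return frames


def split_timestamped_lines(stream: str, payload: bytes) -> list:
    """With timestamps=1 each line starts with an RFC3339Nano timestamp and a space."""
    records = []
    for raw in payload.splitlines():
        ts, _, msg = raw.decode("utf-8", errors="replace").partition(" ")
        records.append({"stream": stream, "timestamp": ts, "message": msg})
    return records


def parse_logs(body: bytes, tty: bool = False) -> list:
    """Turn a logs response into ordered records. TTY containers return a raw stream
    with no frame headers, so those bodies must not be demultiplexed."""
    if tty:
        return split_timestamped_lines("tty", body)
    records = []
    for stream, payload in demux_log_stream(body):
        if stream != "truncated":  # a truncated tail holds nothing parseable
            records.extend(split_timestamped_lines(stream, payload))
    return records


def collect_container_logs(tail: int = 1000) -> dict:
    """Collect timestamped stdout/stderr from every container, running or stopped."""
    results = {}
    for c in json.loads(api_get("/containers/json?all=1")):
        cid = c["Id"]
        tty = bool(json.loads(api_get(f"/containers/{cid}/json")).get("Config", {}).get("Tty"))
        body = api_get(f"/containers/{cid}/logs?stdout=1&stderr=1&timestamps=1&tail={tail}")
        results[cid] = {"names": c.get("Names", []), "image": c.get("Image"),
                        "records": parse_logs(body, tty=tty)}
    return results


# Constructed sample (not real daemon output): two frames plus a cut-off 3-byte header.
SAMPLE_STREAM = (
    encode_frame(1, b"2024-01-01T00:00:00.000000000Z app started\n")
    + encode_frame(2, b"2024-01-01T00:00:01.000000000Z login failed for user alice\n")
    + b"\x01\x00\x00"
)

if __name__ == "__main__":
    for rec in parse_logs(SAMPLE_STREAM):
        print(rec)
    # Against a live daemon (needs read access to the socket):
    # print(json.dumps(collect_container_logs(tail=50), indent=2))
```

Running the file offline prints the two parsed records from the constructed sample; pointing collect_container_logs at a live daemon returns one entry per container keyed by container ID, each record keeping the stream and the daemon-assigned timestamp so events from different containers can be ordered on one timeline.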
Forensic Value
Container logs reveal application errors, authentication attempts, command execution, data access patterns, and exploitation attempts. Analyzing logs helps identify suspicious activities, trace attacker actions, detect data exfiltration, and reconstruct incident timelines in containerized environments.