Docker Logs

Evidence: Docker Logs
Description: Collect Docker Logs on Filesystem
Category: Applications
Platform: linux
Short Name: dckl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Docker container logs on Linux are stored as JSON files within the Docker data directory. Each container has its own log file containing stdout/stderr output from the containerized application.

This collector gathers structured data about Docker logs.

This collector gathers Docker container JSON log files from /var/lib/docker///, which contain container output logs organized by container ID.

Docker logs are essential for investigating containerized application activities, malicious container behavior, data exfiltration, command execution, and understanding attack chains in containerized environments.
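
Because this evidence is collected as files and not parsed, the analyst reads the JSON log files directly. The sketch below is an added example, not part of the collector or the original page. It assumes Docker's default `json-file` logging driver, where each line is a JSON object with `log`, `stream` and `time` fields and a long output line is split into several entries of which only the last ends in a newline. The function name and sample lines are constructed for illustration.

```python
import json

def parse_json_log(lines):
    """Parse json-file driver log lines; returns (records, malformed_count)."""
    records, pending, malformed = [], {}, 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
            text, stream, ts = entry["log"], entry["stream"], entry["time"]
            if not all(isinstance(v, str) for v in (text, stream, ts)):
                raise TypeError("unexpected field type")
        except (ValueError, KeyError, TypeError):
            malformed += 1  # truncated or altered line: count it and keep going
            continue
        # Fragments of one long line are merged per stream; the record keeps
        # the timestamp of its first fragment.
        buf = pending.setdefault(stream, {"time": ts, "stream": stream, "log": ""})
        buf["log"] += text
        if text.endswith("\n"):
            buf["log"] = buf["log"].rstrip("\n")
            records.append(pending.pop(stream))
    # Fragments still open at end of file (e.g. container stopped mid-write)
    # are kept and flagged, not silently dropped.
    for buf in pending.values():
        buf["partial"] = True
        records.append(buf)
    return records, malformed

# Constructed sample lines in json-file format (not taken from a real container).
SAMPLE = [
    '{"log":"starting app\\n","stream":"stdout","time":"2024-05-01T12:00:00.100000000Z"}',
    '{"log":"very long ","stream":"stderr","time":"2024-05-01T12:00:01.000000000Z"}',
    '{"log":"error line\\n","stream":"stderr","time":"2024-05-01T12:00:01.000000001Z"}',
    '{"log":"trunc',
    '{"log":"no newline at end","stream":"stdout","time":"2024-05-01T12:00:02.000000000Z"}',
]

if __name__ == "__main__":
    recs, bad = parse_json_log(SAMPLE)
    for r in recs:
        flag = " [partial]" if r.get("partial") else ""
        print(f'{r["time"]} {r["stream"]:6} {r["log"]}{flag}')
    print(f"malformed lines skipped: {bad}")
```

A non-zero malformed count or a flagged partial record is worth noting in the investigation, since it can indicate an abrupt container stop or a log file that was modified after the fact.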