Docker Logging

Details on Docker Logging Capabilities With InsightCloudSec

By default, Docker globally uses the json-file driver to log to a flat file inside of the container. This can make retrieving log data cumbersome. Docker's logging driver can be configured at both the global and container level. Global log settings are convenient but lack the customization available at the per-container level.

Note: Global logging options are defined in /etc/docker/daemon.json, and container-level logging options are defined in docker-compose.yml.

External Logging Options

External logging options include the following:

  • Syslog

    • Globally
    • By Container
  • CloudWatch

    • Container (with permissions granted via instance assume role)
    • Container (with permissions granted via IAM/API Key)
  • Splunk

    • Globally
    • By Container
    • Globally and Container

Prerequisites


DivvyCloud vs. InsightCloudSec

Note that the content on this page may reference either DivvyCloud (in examples or provided content) or InsightCloudSec - the functionality is the same.

Before getting started with these instructions, ensure you have the following:

  • A functioning InsightCloudSec platform
  • The appropriate permissions to obtain the logs

Note: The content/steps provided on this page apply to self-hosted customers. For hosted customers, we recommend that you contact your CSM or reach out through the Customer Support Portal with any questions or concerns.

Syslog

Globally

{
    "log-driver": "syslog",
    "log-opts": {
        "syslog-address": "tcp://1.2.3.4:514"
    }
}

By Container

Each process can be given a unique tag, among other options. See the Docker documentation for the syslog logging driver for a full listing.

Enabling Web Server Logs

interfaceserver:
    image: divvycloud/divvycloud:latest
    logging:
        driver: "syslog"
        options:
            syslog-address: "tcp://1.2.3.4:514"
            tag: "Divvy-InterfaceServer"
    links:
        - redis:redis
        - mysql:mysql
    env_file:
        - ./prod.env
    environment:
        VIRTUAL_ENV: /
    ports:
        - 8001:8001/tcp
    command:
        - divvyinterfaceserver - -n
    volumes:
        - ./plugins:/plugins
    restart: always

CloudWatch

Using the awslogs driver for Docker will require the use of an IAM role associated with an EC2 instance (a.k.a. EC2 Instance Profile) or API secret/access keys.

The JSON below should be used to create a policy (e.g., "CloudWatch-RW-Limited") within IAM, granting limited CloudWatch access.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Once you have created the policy, you can either associate it with an IAM user or use it as the basis for your EC2 Instance Profile. Below are short videos that demonstrate this process.

Policy Creation

EC2 Instance Profile/Role Creation and Association (with above policy)

With the appropriate policies in place, you can configure Docker as shown below (either globally or by container).

Globally

{
    "log-driver": "awslogs",
    "log-opts": {
        "awslogs-region": "us-east-1"
    }
}

Logging by Container (Using an Instance Role)

Each process can be given its own stream, among other options. Refer to the Docker documentation for the awslogs logging driver for the full list.

# Web Server
interfaceserver:
    image: divvycloud/divvycloud:latest
    logging:
        driver: "awslogs"
        options:
            awslogs-region: "us-east-1"
            awslogs-group: "username-docker"
            awslogs-stream: "InterfaceServer"
    links:
        - redis:redis
        - mysql:mysql
    env_file:
        - ./prod.env
    environment:
        VIRTUAL_ENV: /
    ports:
        - 8001:8001/tcp
    command:
        - divvyinterfaceserver - -n
    volumes:
        - ./plugins:/plugins
    restart: always

Logging by Container (Using IAM User API Keys)

If you wish to use a set of access/secret keys to authenticate against AWS CloudWatch, you will need to provide these credentials in a file on the local system.
In this example, the file will be called aws.env and contain the following:

  • AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxx
  • AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxx

With the credentials file located in your Docker/InsightCloudSec working directory, you can reference it in the env_file section below.

# Web Server
interfaceserver:
    image: divvycloud/divvycloud:latest
    logging:
        driver: "awslogs"
        options:
            awslogs-region: "us-east-1"
            awslogs-group: "username-docker"
            awslogs-stream: "InterfaceServer"
    links:
        - redis:redis
        - mysql:mysql
    env_file:
        - ./prod.env
        - ./aws.env
    environment:
        VIRTUAL_ENV: /
    ports:
        - 8001:8001/tcp
    command:
        - divvyinterfaceserver - -n
    volumes:
        - ./plugins:/plugins
    restart: always

Splunk

In order to use the "splunk" log driver, you must create a listener inside of the Splunk application. Refer to the steps below.

1. Navigate to Settings → Data Inputs
2. Select HTTP Event Collector → Add New
3. Select "New Token" and configure InsightCloudSec as a listener with the following parameters:

  • Name - InsightCloudSec
  • Description - InsightCloudSec Docker Logs

4. Click "Next" to create a new index with the following parameters:

  • Click on "Select"
  • From the "Select Source Type" drop-down, choose the category that best represents the source type you want
  • Select the "App Context" - this setting determines the context in which the input should collect data
  • Click the drop-down list and select the application context you want
  • Click on "Review" to review the changes made
  • Click on "Submit"

5. Under Global Settings, select "Enable All Tokens" and click "Save"

With these steps complete, your listener is ready and you can configure Docker to send logs to it in any of the following ways:

Enable Global Logging

{
    "log-driver": "splunk",
    "log-opts": {
        "splunk-token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "splunk-url": "https://splunk-server-ip:8088",
        "splunk-insecureskipverify": "true"
    }
}

Enable Logging by Container

# Web Server
interfaceserver:
    image: divvycloud/divvycloud:latest
    logging:
        driver: splunk
        options:
            splunk-token: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
            splunk-url: https://splunk-server-ip:8088
            splunk-insecureskipverify: "true"
            tag: "{{.Name}}/{{.ID}}"
    links:
        - redis:redis
        - mysql:mysql
    env_file:
        - ./prod.env
    environment:
        VIRTUAL_ENV: /
    ports:
        - 8001:8001/tcp
    command:
        - divvyinterfaceserver - -n
    volumes:
        - ./plugins:/plugins
    restart: always

Enable Logging Globally and by Container

You can also use a combination of the global and per-container parameters simultaneously. If you specify the settings that apply everywhere in the global configuration, you can supplement them at the container level as follows:

# Web Server 
interfaceserver: 
    image: divvycloud/divvycloud:latest 
    logging: 
        options: 
            tag: "{{.Name}}/{{.ID}}" 
    links: 
        - redis:redis 
        - mysql:mysql 
    env_file: 
        - ./prod.env 
    environment: 
        VIRTUAL_ENV: / 
    ports: 
        - 8001:8001/tcp 
    command: 
        - divvyinterfaceserver - -n 
    volumes: 
        - ./plugins:/plugins 
    restart: always
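The following is an added example, not part of this page or of InsightCloudSec itself: a small Python audit that resolves the effective logging configuration of each container the way Docker does (the container's driver, or the daemon default, with daemon log-opts filling in unset keys only when the drivers match, which is what the combined global/container setup above relies on) and flags the weak settings present in the configurations on this page: cleartext syslog and Splunk with TLS verification disabled. The daemon.json string and the per-container logging sections are constructed samples mirroring the examples above.

```python
import json

# Constructed copy of a global /etc/docker/daemon.json, mirroring the Splunk example above.
DAEMON_JSON = """{
    "log-driver": "splunk",
    "log-opts": {
        "splunk-token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "splunk-url": "https://splunk-server-ip:8088",
        "splunk-insecureskipverify": "true"
    }
}"""

# Constructed per-container `logging:` sections (as dicts, so no YAML library is needed).
CONTAINER_LOGGING = {
    "interfaceserver": {"driver": "syslog", "options": {
        "syslog-address": "tcp://1.2.3.4:514", "tag": "Divvy-InterfaceServer"}},
    "scheduler": {"driver": "awslogs", "options": {
        "awslogs-region": "us-east-1", "awslogs-group": "username-docker"}},
    "worker": {},  # no logging section: inherits the daemon default entirely
}

def audit(driver, opts):
    """Return findings for one effective (driver, log-opts) pair."""
    findings = []
    if driver == "json-file":
        findings.append("json-file: logs stay on the Docker host and are not shipped")
    elif driver == "syslog" and opts.get("syslog-address", "").startswith(("tcp://", "udp://")):
        # The syslog driver supports tcp+tls:// plus syslog-tls-ca-cert for a verified channel.
        findings.append("syslog: cleartext transport; use tcp+tls:// with syslog-tls-ca-cert")
    elif driver == "splunk" and opts.get("splunk-insecureskipverify", "false").lower() == "true":
        # splunk-capath points the driver at the CA that signed the HEC certificate.
        findings.append("splunk: TLS verification disabled; set splunk-capath instead")
    return findings

def effective_logging(daemon, container):
    """Resolve what Docker applies: container driver or daemon default; daemon
    log-opts fill in keys the container did not set, only when the drivers match."""
    daemon_driver = daemon.get("log-driver", "json-file")
    driver = container.get("driver", daemon_driver)
    opts = dict(container.get("options", {}))
    if driver == daemon_driver:
        for key, value in daemon.get("log-opts", {}).items():
            opts.setdefault(key, value)
    return driver, opts

def audit_compose(daemon_json, containers):
    """Audit every container's effective logging configuration; returns {name: findings}."""
    daemon = json.loads(daemon_json)
    return {name: audit(*effective_logging(daemon, cfg)) for name, cfg in containers.items()}
```

Running `audit_compose(DAEMON_JSON, CONTAINER_LOGGING)` reports the cleartext syslog address on interfaceserver, nothing for scheduler, and the inherited insecureskipverify setting on worker, which never mentions Splunk in its own compose section.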
