Docker
This module allows the Security Engine
to acquire logs from running containers, in one-shot and streaming mode.
Configuration example
To monitor a given container name or ID:
source: docker
container_name:
- my_container_name
container_id:
- 843ee92d231b
labels:
type: log_type
To monitor containers name or ID matching a regex:
source: docker
container_name_regexp:
- my_containers_*
container_id_regexp:
- i-*
labels:
type: log_type
Look at the configuration parameters
to view all supported options.
Parameters
container_name
List of containers names to monitor.
container_id
List of containers IDs to monitor.
container_name_regexp
List of regexp matching containers names to monitor.
container_id_regexp
List of regexp matching containers ID to monitor.
docker_host
Docker host.
Default: unix:///var/run/docker.sock
until
Read logs until timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes).
since
Read logs since timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes).
check_interval
Relative interval (e.g. 5s for 5 seconds) to check for new containers matching the configuration.
Default: 1s
follow_stdout
Follow stdout
containers logs.
Default: true
follow_stderr
Follow stderr
container logs.
Default: true
DSN and command-line
docker datasource implements a very approximative DSN, as follows : docker://<docker_name_or_id>?[args]
Supported args are :
log_level
: set log level of moduleuntil
: read logs until timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes)since
: read logs since timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes)docker_host
: docker host, can be a remote docker host or a path to another container socketfollow_stderr
: followstderr
container logsfollow_stdout
: followstdout
container logs
A 'pseudo DSN' must be provided:
crowdsec -type nginx -dsn 'docker://my_nginx_container_name'
You can specify the log_level
parameter to change the log level for the acquisition :
crowdsec -type nginx -dsn 'docker://my_nginx_container_name?log_level=debug'
Notes
Containers watching
This module will automatically read the logs of containers specified in the configuration, even if they have been started after crowdsec start.
Reading podman containers
Don't forget to start podman service with sudo systemctl start podman
.
Run your podman containers as root
, else CrowdSec
will not be able to read the logs.
If you want to read Podman containers logs, you can set the docker_host
to unix:///run/podman/podman.sock
or to the path of your Podman socket.
source: docker
container_name_regexp:
- my_containers_*
container_id_regexp:
- i-*
labels:
type: log_type
docker_host: unix:///var/run/podman/podman.sock
crowdsec -type nginx -dsn 'docker://my_nginx_container_name?docker_host=unix:///run/podman/podman.sock&log_level=debug'