# Docker Logs

## Overview

Panther supports ingesting [Docker event](https://docs.docker.com/engine/reference/commandline/events/) logs by streaming them to an [HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http) after they are forwarded with [Fluent Bit.](https://docs.fluentbit.io/manual/)

## How to onboard Docker Events to Panther

### Step 1: Create a new Docker Events log source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New**.
3. Search for "Docker Events," then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![In the new log source onboarding flow in the Panther Console, the Docker Events page is shown. The "Transport Mechanism" dropdown has a value of "HTTP," and to its right is a "Start Setup" button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-6927f28a036ffd191e4ea1467aee2752b2a4c4b5%2FScreenshot%202023-07-31%20at%203.31.46%20PM.png?alt=media)
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * When setting the **Auth method** for the source, we recommend using [**Shared Secret**](https://docs.panther.com/data-transports/http#shared-secret).
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.

### Step 2: Configure Fluent Bit

1. Follow the [Getting Started with Fluent Bit instructions](https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bit) to install Fluent Bit as a service.
2. Create a [Fluent Bit configuration file](https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file).
   * See sample configuration files for Linux and macOS below under [Example configuration files](#example-configuration-files).
3. Start Fluent Bit, passing the path to your new configuration file.
   * You must include the path to a `parser.conf` file that contains the `docker` parser. This is included by fluent-bit by default. On Linux, it can be found at `/etc/fluent-bit/parsers.conf`.
     * Example: `fluent-bit -c fluentbit.conf -R /etc/fluent-bit/parsers.conf`

#### Example configuration files

{% tabs %}
{% tab title="Linux" %}
Configure the following in your Fluent Bit configuration file:

* `[INPUT]` variables:
  * **Name**: Set this to `docker_events`.
  * **Parser**: Set this to `docker`.
* `[OUTPUT]` variables:
  * **Host**: Enter your Panther URL.
    * Example: `logs.instance-name.runpanther.net`
  * **URI**: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with `/http/`.
    * Example: `/http/cb015ee4-543c-4489-9f4b-testaa16d7a`
  * **Header**: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
  * **Name**: Set to `http`.
  * **TLS**: Set to `ON`.
  * **Port**: Set to `443`.

```editorconfig
[SERVICE]
  flush      1

[INPUT]
  name       docker_events
  parser     docker

[OUTPUT]
  name       http
  match      *
  host       logs.instance.runpanther.net
  port       443
  URI        /http/70c55034-13f1-4e08-a018-test5f2bb0a8
  Header     x-panther-secret {YOUR_SECRET_HERE}
  Format     json_lines
  TLS        on
  TLS.Verify on
```

{% endtab %}

{% tab title="macOS" %}
Configure the following in your Fluent Bit configuration file:

* `[INPUT]` variables:
  * **Name**: Set this to `docker_events`.
    * On macOS, `docker_events` is not supported by fluent-bit. Instead you can use the [Exec input plugin](https://docs.fluentbit.io/manual/pipeline/inputs/exec). See the sample configuration for macOS below.
  * **Parser**: Set this to `docker`.
* `[OUTPUT]` variables:
  * **Host**: Enter your Panther URL.
    * Example: `logs.instance-name.runpanther.net`
  * **URI**: Enter the end of the HTTP Source URL (generated in Step 1 of this process), starting with `/http/`.
    * Example: `/http/cb015ee4-543c-4489-9f4b-testaa16d7a`
  * **Header**: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
  * **Name**: Set to `http`.
  * **TLS**: Set to `ON`.
  * **Port**: Set to `443`.

```editorconfig
[SERVICE]
  flush      1

[INPUT]
  name         exec
  parser       docker
  Command      docker events --since 10s --until 0s --format '{{json .}}'
  Interval_Sec 10

[OUTPUT]
  name       http
  match      *
  host       logs.instance.runpanther.net
  port       443
  URI        /http/70c55034-13f1-4e08-a018-2c005f2bb0a8
  Header     x-panther-secret {YOUR_SECRET_HERE}
  Format     json_lines
  TLS        on
  TLS.Verify on
```

{% endtab %}
{% endtabs %}

## Supported log types

### Docker.Events

The following defines the Docker events log schema:

```yaml
schema: Docker.Events
description: Docker events to audit system-level management operations against containers, images, networks, and volumes
referenceURL: https://docs.docker.com/engine/reference/commandline/events/
fields:
  - name: status
    description: String representing the status of this event's operation
    type: string
  - name: id
    description: Event id
    type: string
  - name: from
    description: Context of where the event originated
    type: string
  - name: Type
    description: Type of object being operated on. See reference for list of object types
    type: string
  - name: Action
    description: The action performed. Different Types have different possible actions. See reference for list of event types
    type: string
  - name: Actor
    description: The actor performing the event. Note in the context of Docker, this is not necessarily an end user, but can be the container itself
    type: object
    fields:
      - name: ID
        description: The actor ID
        type: string
        indicators:
          - actor_id
      - name: Attributes
        description: Event specific details
        type: json
  - name: scope
    description: Different event types have different scopes. Local scoped events are only seen on the node they take place on, and swarm scoped events are seen on all managers.
    type: string
  - name: time
    required: true
    description: Time the event occurred in unix seconds
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: timeNano
    description: Event time but in nanoseconds
    type: string
```