Docker Logs

Stream Docker event logs directly to Panther over HTTPS

Overview

Panther supports ingesting Docker event logs by streaming them to an HTTP Source after they are forwarded with Fluent Bit.

How to onboard Docker Events to Panther

Step 1: Create a new Docker Events log source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Docker Events," then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
- When setting the Auth method for the source, we recommend using Shared Secret.
- Payloads sent to this source are subject to the payload requirements for all HTTP sources.
- Do not proceed to the next step until the creation of your HTTP endpoint has completed.

After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.

Step 2: Configure Fluent Bit

Follow the Getting Started with Fluent Bit instructions to install Fluent Bit as a service.
Create a Fluent Bit configuration file.
- See sample configuration files for Linux and macOS below under Example configuration files.
Start Fluent Bit, passing the path to your new configuration file.
- You must include the path to a parser.conf file that contains the docker parser. This is included by fluent-bit by default. On Linux, it can be found at /etc/fluent-bit/parsers.conf.
  - Example: fluent-bit -c fluentbit.conf -R /etc/fluent-bit/parsers.conf

Example configuration files

Configure the following in your Fluent Bit configuration file:

[INPUT] variables:
- Name: Set this to docker_events.
- Parser: Set this to docker.
[OUTPUT] variables:
- Host: Enter your Panther URL.
  - Example: logs.instance-name.runpanther.net
- URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with /http/.
  - Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a
- Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
- Name: Set to http.
- TLS: Set to ON.
- Port: Set to 443.

[SERVICE]
  flush      1

[INPUT]
  name       docker_events
  parser     docker

[OUTPUT]
  name       http
  match      *
  host       logs.instance.runpanther.net
  port       443
  URI        /http/70c55034-13f1-4e08-a018-test5f2bb0a8
  Header     x-panther-secret {YOUR_SECRET_HERE}
  Format     json_lines
  TLS        on
  TLS.Verify on

Configure the following in your Fluent Bit configuration file:

[INPUT] variables:
- Name: Set this to docker_events.
  - On macOS, docker_events is not supported by fluent-bit. Instead you can use the Exec input plugin. See the sample configuration for macOS below.
- Parser: Set this to docker.
[OUTPUT] variables:
- Host: Enter your Panther URL.
  - Example: logs.instance-name.runpanther.net
- URI: Enter the end of the HTTP Source URL (generated in Step 1 of this process), starting with /http/.
  - Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a
- Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
- Name: Set to http.
- TLS: Set to ON.
- Port: Set to 443.

[SERVICE]
  flush      1

[INPUT]
  name         exec
  parser       docker
  Command      docker events --since 10s --until 0s --format '{{json .}}'
  Interval_Sec 10

[OUTPUT]
  name       http
  match      *
  host       logs.instance.runpanther.net
  port       443
  URI        /http/70c55034-13f1-4e08-a018-2c005f2bb0a8
  Header     x-panther-secret {YOUR_SECRET_HERE}
  Format     json_lines
  TLS        on
  TLS.Verify on

Supported log types

Docker.Events

The following defines the Docker events log schema:

schema: Docker.Events
description: Docker events to audit system-level management operations against containers, images, networks, and volumes
referenceURL: https://docs.docker.com/engine/reference/commandline/events/
fields:
  - name: status
    description: String representing the status of this event's operation
    type: string
  - name: id
    description: Event id
    type: string
  - name: from
    description: Context of where the event originated
    type: string
  - name: Type
    description: Type of object being operated on. See reference for list of object types
    type: string
  - name: Action
    description: The action performed. Different Types have different possible actions. See reference for list of event types
    type: string
  - name: Actor
    description: The actor performing the event. Note in the context of Docker, this is not necessarily an end user, but can be the container itself
    type: object
    fields:
      - name: ID
        description: The actor ID
        type: string
        indicators:
          - actor_id
      - name: Attributes
        description: Event specific details
        type: json
  - name: scope
    description: Different event types have different scopes. Local scoped events are only seen on the node they take place on, and swarm scoped events are seen on all managers.
    type: string
  - name: time
    required: true
    description: Time the event occurred in unix seconds
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: timeNano
    description: Event time but in nanoseconds
    type: string

PreviousCrowdStrike Event Streams NextDropbox Logs

Last updated 1 month ago

Was this helpful?

How to onboard Docker Events to Panther

Step 1: Create a new Docker Events log source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

Click Create New.

Search for "Docker Events," then click its tile.

In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

Click Start Setup.

Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

When setting the Auth method for the source, we recommend using Shared Secret.
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.

After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.

Step 2: Configure Fluent Bit

Follow the Getting Started with Fluent Bit instructions to install Fluent Bit as a service.

Create a Fluent Bit configuration file.

See sample configuration files for Linux and macOS below under Example configuration files.

Start Fluent Bit, passing the path to your new configuration file.

You must include the path to a parser.conf file that contains the docker parser. This is included by fluent-bit by default. On Linux, it can be found at /etc/fluent-bit/parsers.conf.
- Example: fluent-bit -c fluentbit.conf -R /etc/fluent-bit/parsers.conf

Example configuration files

Configure the following in your Fluent Bit configuration file:

[INPUT] variables:
- Name: Set this to docker_events.
- Parser: Set this to docker.
[OUTPUT] variables:
- Host: Enter your Panther URL.
  - Example: logs.instance-name.runpanther.net
- URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with /http/.
  - Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a
- Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
- Name: Set to http.
- TLS: Set to ON.
- Port: Set to 443.

[SERVICE]
  flush      1

[INPUT]
  name       docker_events
  parser     docker

[OUTPUT]
  name       http
  match      *
  host       logs.instance.runpanther.net
  port       443
  URI        /http/70c55034-13f1-4e08-a018-test5f2bb0a8
  Header     x-panther-secret {YOUR_SECRET_HERE}
  Format     json_lines
  TLS        on
  TLS.Verify on

Configure the following in your Fluent Bit configuration file:

[INPUT] variables:
- Name: Set this to docker_events.
  - On macOS, docker_events is not supported by fluent-bit. Instead you can use the Exec input plugin. See the sample configuration for macOS below.
- Parser: Set this to docker.
[OUTPUT] variables:
- Host: Enter your Panther URL.
  - Example: logs.instance-name.runpanther.net
- URI: Enter the end of the HTTP Source URL (generated in Step 1 of this process), starting with /http/.
  - Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a
- Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
- Name: Set to http.
- TLS: Set to ON.
- Port: Set to 443.

[SERVICE]
  flush      1

[INPUT]
  name         exec
  parser       docker
  Command      docker events --since 10s --until 0s --format '{{json .}}'
  Interval_Sec 10

[OUTPUT]
  name       http
  match      *
  host       logs.instance.runpanther.net
  port       443
  URI        /http/70c55034-13f1-4e08-a018-2c005f2bb0a8
  Header     x-panther-secret {YOUR_SECRET_HERE}
  Format     json_lines
  TLS        on
  TLS.Verify on

Supported log types

Docker.Events

The following defines the Docker events log schema:

schema: Docker.Events
description: Docker events to audit system-level management operations against containers, images, networks, and volumes
referenceURL: https://docs.docker.com/engine/reference/commandline/events/
fields:
  - name: status
    description: String representing the status of this event's operation
    type: string
  - name: id
    description: Event id
    type: string
  - name: from
    description: Context of where the event originated
    type: string
  - name: Type
    description: Type of object being operated on. See reference for list of object types
    type: string
  - name: Action
    description: The action performed. Different Types have different possible actions. See reference for list of event types
    type: string
  - name: Actor
    description: The actor performing the event. Note in the context of Docker, this is not necessarily an end user, but can be the container itself
    type: object
    fields:
      - name: ID
        description: The actor ID
        type: string
        indicators:
          - actor_id
      - name: Attributes
        description: Event specific details
        type: json
  - name: scope
    description: Different event types have different scopes. Local scoped events are only seen on the node they take place on, and swarm scoped events are seen on all managers.
    type: string
  - name: time
    required: true
    description: Time the event occurred in unix seconds
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: timeNano
    description: Event time but in nanoseconds
    type: string