Docker Logs (Beta)

Stream Docker event logs directly to Panther over HTTPS


Docker log ingestion is in open beta starting with Panther version 1.77, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports ingesting Docker event logs by streaming them to an HTTP Source after they are forwarded with Fluent Bit.

How to onboard Docker Events to Panther

Step 1: Create a new Docker Events log source in Panther

  1. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Docker Events," then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

  4. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.

Step 2: Configure Fluent Bit

  1. Follow the Getting Started with Fluent Bit instructions to install Fluent Bit as a service.

  2. Create a Fluent Bit configuration file.

  3. Start Fluent Bit, passing the path to your new configuration file.

    • You must include the path to a parser.conf file that contains the docker parser. This is included by fluent-bit by default. On Linux, it can be found at /etc/fluent-bit/parsers.conf.

      • Example: fluent-bit -c fluentbit.conf -R /etc/fluent-bit/parsers.conf

Example configuration files

Configure the following in your Fluent Bit configuration file:

  • [INPUT] variables:

    • Name: Set this to docker_events.

    • Parser: Set this to docker.

  • [OUTPUT] variables:

    • Host: Enter your Panther URL.

      • Example:

    • URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with /http/.

      • Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a

    • Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.

    • Name: Set to http.

    • TLS: Set to ON.

    • Port: Set to 443.

  flush      1

  name       docker_events
  parser     docker

  name       http
  match      *
  port       443
  URI        /http/70c55034-13f1-4e08-a018-test5f2bb0a8
  Header     x-panther-secret {YOUR_SECRET_HERE}
  Format     json_lines
  TLS        on
  TLS.Verify on

Supported log types


The following defines the Docker events log schema:

schema: Docker.Events
description: Docker events to audit system-level management operations against containers, images, networks, and volumes
  - name: status
    description: String representing the status of this event's operation
    type: string
  - name: id
    description: Event id
    type: string
  - name: from
    description: Context of where the event originated
    type: string
  - name: Type
    description: Type of object being operated on. See reference for list of object types
    type: string
  - name: Action
    description: The action performed. Different Types have different possible actions. See reference for list of event types
    type: string
  - name: Actor
    description: The actor performing the event. Note in the context of Docker, this is not necessarily an end user, but can be the container itself
    type: object
      - name: ID
        description: The actor ID
        type: string
          - actor_id
      - name: Attributes
        description: Event specific details
        type: json
  - name: scope
    description: Different event types have different scopes. Local scoped events are only seen on the node they take place on, and swarm scoped events are seen on all managers.
    type: string
  - name: time
    required: true
    description: Time the event occurred in unix seconds
    type: timestamp
      - unix
    isEventTime: true
  - name: timeNano
    description: Event time but in nanoseconds
    type: string

Last updated