Docker¶

Docker

About¶

Docker is a set of platform as a service products that use OS-level virtualization to deliver software in packages called containers.

Product Details¶

Vendor URL: Docker

Product Type: PaaS

Product Tier: Tier III

Integration Method: Syslog

Integration URL: n/a

Log Guide: n/a

Parser Details¶

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: DOCKER

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field	UDM Field
"Docker"	metadata.vendor_name
"Docker Container"	metadata.product_name
msg	metadata.description
observer	observer.hostname
process	principal.application
pid	principal.process.pid
module	target.application
container	target.resource.product_object_id
"CONTAINER"	target.resource.type
namespace	target.namespace
daemonShuttingDown	additional.fields
hasBeenManuallyStopped	additional.fields
restartCount	additional.fields
topic	security_result.description
type	security_result.summary
level	security_result.severity_details
level	security_result.severity

Product Event Types¶

Product Event	UDM Event
All events	GENERIC_EVENT

Log Sample¶

{"cyderes_log_type":"DOCKER","message":"Apr 29 21:17:38 hostname dockerd[1759]: time=\"2024-04-29T21:17:38.642927944+02:00\" level=info msg=\"ignoring event\" container=containerID module=libcontainerd namespace=moby topic=/tasks/delete type=\"*events.TaskDelete\""}

Sample Parsing¶

metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Docker"
metadata.product_name = "Docker Container"
metadata.description = "ignoring event"
observer.hostname = "hostname"
principal.process.pid = "1759"
principal.application = "dockerd"
target.namespace = "moby"
target.application = "libcontainerd"
target.resource.type = "CONTAINER"
target.product_object_id = "containerID"
security_result.summary = "*events.TaskDelete"
security_result.description = "/tasks/delete"
security_result.severity = INFORMATIONAL
security_result.severity_details = "info"