Profile Applicability:

  • Level 2

Description:

Centralized and remote logging should be configured for Docker so that container logs are forwarded off the host to a central collector as they are produced. Aggregating logs in one place improves monitoring and troubleshooting and, above all, gives incident responders a copy of the evidence that does not depend on the host that generated it.

Rationale:

By default, Docker writes container logs to the local host only. If the host fails, is terminated, or is compromised, those logs are lost or can be altered or deleted by whoever has root on the host. Forwarding them to a remote collector as they are written means they survive host loss, cannot be tampered with after the fact, and remain available for analysis. Remote logging also satisfies common compliance requirements for log retention and centralized log management.

Impact:

Pros:

  • Centralized logging improves the ability to monitor and troubleshoot containerized applications.

  • Ensures that logs are stored securely and are available for incident investigations.

Cons:

  • Requires additional configuration for remote log aggregation tools.

  • May incur additional infrastructure costs for log storage and management.

Default Value:

By default, Docker uses the json-file logging driver: each container's stdout and stderr are written as JSON lines to /var/lib/docker/containers/<container-id>/ on the host, and nothing is forwarded off the host.

Pre-requisites:

  • A centralized log server (e.g., ELK Stack, Graylog, Splunk, etc.) must be set up and accessible from the Docker host.

  • The Docker daemon (/etc/docker/daemon.json) must be configured with a logging driver that forwards to the remote collector, and the host must be allowed to reach the collector's port (security group and network ACL rules).

Remediation:

Test Plan:

Using AWS Console:

  1. Connect to the EC2 instance running Docker (for example with EC2 Instance Connect or Session Manager from the console).

  2. Inspect the Docker daemon configuration and confirm that log-driver is set to a driver that forwards logs off-host (syslog, gelf, fluentd, awslogs, splunk, etc.) with a remote address in log-opts. If log-driver is absent, or the file does not exist, the daemon is using the json-file default and logs stay on the host:

    cat /etc/docker/daemon.json

    Note that daemon.json only sets the default for containers created after the daemon was last restarted; containers started earlier, or started with their own --log-driver, keep their own setting. docker info reports the daemon's active default driver (LoggingDriver), and docker inspect shows each container's effective driver under HostConfig.LogConfig.


Using AWS CLI:

  1. Use SSM Run Command to read the daemon configuration on the instance without logging in interactively:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance-id>" --parameters 'commands=["cat /etc/docker/daemon.json"]'

  2. Retrieve the command output with aws ssm get-command-invocation (using the CommandId returned above and the instance ID) and check, as in the console procedure, that log-driver names a remote-capable driver and that log-opts points at the central collector.


Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance (EC2 Instance Connect or Session Manager).

  2. Edit /etc/docker/daemon.json, creating it if it does not exist and merging with any keys already present rather than overwriting the file, so that the daemon-wide default log driver forwards to the remote collector. The syslog driver is shown here; any driver that ships logs off-host (gelf, fluentd, awslogs, splunk, etc.) satisfies the control:

    {
      "log-driver": "syslog",
      "log-opts": {
        "syslog-address": "tcp://<syslog-server-ip>:514"
      }
    }

    tcp:// sends log lines across the network in clear text. Where the collector supports it, use tcp+tls://<host>:<port> together with syslog-tls-ca-cert (and syslog-tls-cert / syslog-tls-key if the collector requires client certificates), and never set syslog-tls-skip-verify. Avoid udp://, which offers no delivery guarantee.

  3. Restart Docker to apply the changes:

    sudo systemctl restart docker

    Only containers created after the restart pick up the new default; recreate existing containers to bring them under the policy. With a remote driver, docker logs depends on the daemon's dual-logging cache (Docker Engine 20.10 and later); on older engines it returns nothing for these containers.

Using AWS CLI:

  1. Write the Run Command parameters to a file, then use SSM to install the configuration and restart Docker. AWS-RunShellScript runs as root, so sudo is not needed; passing the parameters as a file avoids the shell-quoting errors that a single-line echo of nested JSON invites, and the first command keeps a backup of any existing daemon.json for the backout plan:

    cat > remote-logging-params.json <<'EOF'
    {
      "commands": [
        "cp -n /etc/docker/daemon.json /etc/docker/daemon.json.bak || true",
        "printf '%s\\n' '{\"log-driver\": \"syslog\", \"log-opts\": {\"syslog-address\": \"tcp://<syslog-server-ip>:514\"}}' > /etc/docker/daemon.json",
        "systemctl restart docker"
      ]
    }
    EOF

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance-id>" --parameters file://remote-logging-params.json
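The check in the Test Plan and the configuration in the Implementation Plan can both be automated against the contents of daemon.json. The script below is an added example for this page, not part of the benchmark or of Docker's own tooling: audit_logging() classifies a daemon.json as local-only, forwarded in clear text, forwarded over weakly configured TLS, or forwarded with TLS and a pinned CA, and harden_syslog() rewrites a tcp:// or udp:// syslog configuration to tcp+tls:// while preserving every unrelated key in the file. The sample configuration, the 10.0.0.5 address and the CA certificate path are constructed assumptions for illustration.

```python
"""Audit the logging section of a Docker daemon.json and emit a hardened variant.

Added example for this page; not Docker's or the benchmark's own code.
The CA path used by harden_syslog() is an assumed location.
"""
import json

LOCAL_DRIVERS = {"json-file", "local", "journald", "none"}
REMOTE_DRIVERS = {"syslog", "gelf", "fluentd", "awslogs", "splunk", "gcplogs", "logentries"}


def syslog_scheme(address):
    """Return the transport part of a syslog-address value ('' if malformed)."""
    return address.split("://", 1)[0] if "://" in address else ""


def audit_logging(daemon_json_text):
    """Classify the daemon-wide logging configuration.

    Returns (status, messages) where status is one of:
      'local'     - logs stay on the host (the condition this control remediates)
      'plaintext' - forwarded off-host, but over tcp:// or udp://
      'weak-tls'  - tcp+tls:// with verification disabled or no CA pinned
      'remote'    - forwarded off-host with no findings
    """
    cfg = json.loads(daemon_json_text)
    driver = cfg.get("log-driver", "json-file")  # Docker's default when the key is absent
    opts = cfg.get("log-opts", {})

    if driver in LOCAL_DRIVERS:
        return "local", [f"log-driver '{driver}' keeps logs on the host"]
    if driver not in REMOTE_DRIVERS:
        return "local", [f"unrecognised log-driver '{driver}'; treat as non-compliant until verified"]
    if driver != "syslog":
        return "remote", [f"log-driver '{driver}' forwards off-host; review its own transport options"]

    scheme = syslog_scheme(opts.get("syslog-address", ""))
    if scheme in ("", "unix", "unixgram"):
        return "local", ["syslog driver without a network syslog-address: logs reach the host's syslog only"]
    if scheme in ("tcp", "udp"):
        return "plaintext", [f"syslog-address uses {scheme}://: log lines cross the network unencrypted"]
    if scheme == "tcp+tls":
        msgs = []
        if str(opts.get("syslog-tls-skip-verify", "false")).lower() == "true":
            msgs.append("syslog-tls-skip-verify=true disables server certificate verification")
        if "syslog-tls-ca-cert" not in opts:
            msgs.append("no syslog-tls-ca-cert: the collector certificate is not pinned to your CA")
        return ("weak-tls" if msgs else "remote"), (msgs or ["syslog over TLS with a pinned CA"])
    return "local", [f"unknown syslog-address scheme '{scheme}'"]


def harden_syslog(daemon_json_text, ca_cert="/etc/docker/certs/syslog-ca.pem"):
    """Return daemon.json text with the syslog transport upgraded to tcp+tls and CA-pinned.

    Keys unrelated to logging are preserved, which a one-line echo into
    daemon.json would discard. ca_cert is an assumed path: point it at the
    collector's CA certificate on the host.
    """
    cfg = json.loads(daemon_json_text)
    opts = dict(cfg.get("log-opts", {}))
    addr = opts.get("syslog-address", "")
    if syslog_scheme(addr) in ("tcp", "udp"):
        opts["syslog-address"] = "tcp+tls://" + addr.split("://", 1)[1]
    opts.setdefault("syslog-tls-ca-cert", ca_cert)
    opts.pop("syslog-tls-skip-verify", None)
    # Tag each line with image, container name and ID so the collector can attribute it.
    opts.setdefault("tag", "{{.ImageName}}/{{.Name}}/{{.ID}}")
    cfg["log-driver"] = "syslog"
    cfg["log-opts"] = opts
    return json.dumps(cfg, indent=2)


# Constructed sample: the plaintext configuration from the Implementation Plan,
# with a placeholder collector address and one unrelated daemon setting.
WEAK = ('{"log-driver": "syslog", "log-opts": {"syslog-address": "tcp://10.0.0.5:514"},'
        ' "live-restore": true}')

if __name__ == "__main__":
    print(audit_logging("{}"))        # ('local', [...]) - missing file or key means json-file
    print(audit_logging(WEAK))        # ('plaintext', [...])
    hardened = harden_syslog(WEAK)
    print(hardened)
    print(audit_logging(hardened))    # ('remote', [...])
```

Run it against the file fetched by the Test Plan (for example the output of the SSM cat command) to get a pass/fail decision that is independent of how the JSON is laid out, and feed the hardened output back through the Implementation Plan instead of hand-editing the file.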


Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance (EC2 Instance Connect or Session Manager).

  2. Restore the copy of /etc/docker/daemon.json taken before the change. If no backup exists and the file contained only the logging settings, set the driver back to the local default:

    {
      "log-driver": "json-file"
    }

  3. Restart Docker:

    sudo systemctl restart docker

    As with the change itself, the reverted default applies only to containers created after the restart.

Using AWS CLI:

  1. Use SSM Run Command to restore the backup taken before the change (falling back to the json-file default if there is none) and restart Docker:

    cat > revert-logging-params.json <<'EOF'
    {
      "commands": [
        "if [ -f /etc/docker/daemon.json.bak ]; then cp /etc/docker/daemon.json.bak /etc/docker/daemon.json; else printf '%s\\n' '{\"log-driver\": \"json-file\"}' > /etc/docker/daemon.json; fi",
        "systemctl restart docker"
      ]
    }
    EOF

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance-id>" --parameters file://revert-logging-params.json


References: