Importing Docker Logs with CrowdStrike Falcon LogScale Collector

Docker is the primary tool used for containerizing workloads. If your company wants to build containers with quality, then you’ll need access to your Docker container logs for debugging, validation and optimization.

While engineering teams can view container logs through straightforward CLI tools (think docker logs), these tools don’t provide a mechanism for storing or indexing logs over time. A central, remote location for gathering logs from Docker containers is necessary. Enter CrowdStrike Falcon® LogScale.

Falcon LogScale uses industry-standard protocols for Docker log ingestion. Although there are several log shipping options, we’ll focus on using the Falcon LogScale Collector.

Here’s what you’ll learn

In this how-to guide, we’ll demonstrate how to send logs from our Docker containers to Falcon LogScale. We’ll walk through the following steps:

  • Set up Docker and run an Nginx container as our demo container.
  • Set up a Falcon LogScale repository and create an ingest token.
  • Install and configure Falcon LogScale Collector.
  • Verify that our Docker logs are sent successfully to Falcon LogScale.

We’ll start simple and build in complexity as we go. Let’s dive in.

Setting Up Docker

We’ll create a simple Docker container based on the Nginx container image. With our container up and running, we’ll verify that we can see our Docker logs locally. Then, after we get Falcon LogScale Collector up and running, we’ll ship those logs to Falcon LogScale.

Installing Docker

For our example, we’re running on Ubuntu Jammy (22.04), so we’ll use Docker’s apt repository method to install Docker.

$ sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

For a quick sanity check, let’s run a sample “hello world” container to validate that we can pull images and run containers without issue:

$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:faa03e786c97f07ef34423fccceeec2398ec8a5759259f94d99078f264e9d7af
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.

Launching an Nginx container

Now, let’s verify that we can run an Nginx container locally.

Starting the container

Run the following command to start Nginx in detached mode (in the background) on port 8080:

$ sudo docker run \
  --detach=true \
  -e NGINX_ENTRYPOINT_QUIET_LOGS=1 \
  --name helloworld \
  -p 8080:80 \
  nginx

When we launch a web browser, we see the default Nginx landing page at localhost:8080.

Setting Up Falcon LogScale

To use Falcon LogScale, you will need an account. If you don’t have one, you can sign up for the Falcon LogScale Community Edition. You’ll get an email with your login information, and then you can log in with your identity provider of choice.

From there, you can view all of your Falcon LogScale repositories.

Creating a new Falcon LogScale repository

You’ll need to create a repository. Once created, you can get an ingest token for the repository. Click + Add New to create a repository.

Select Repository.

Note: Falcon LogScale Community Edition allows only one repository. If you already have an existing repository, you’ll need to remove it before you can add a new one.

Creating an ingest token

An ingest token is used to authenticate a service that wants to send log data to your repository. Navigate to the Ingest Tokens page of your repository settings. Click Add Token.

Provide a name and select how your logs should be parsed. For our example, we’ll use json, as that will match the default logging format for Docker containers.

After saving the token, view the token value and copy it down for safekeeping. We’ll use it in the Falcon LogScale Collector configuration later.
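To see what the json parser will actually receive, here is an added example (not code from the original article or from CrowdStrike) that reads a few constructed lines in the format Docker's default json-file logging driver writes under /var/lib/docker/containers/<id>/<id>-json.log. Each line is a JSON envelope with the container's raw stdout/stderr line in "log", the stream name, and an RFC 3339 timestamp. The json parser gives you those envelope fields, but an Nginx access line inside "log" is still a plain string, so the example also shows a second parsing step for the default Nginx image access-log format; the sample lines, the regex and the function names are this example's own.

```python
import json
import re

# Constructed sample of Docker json-file driver output (not a real capture):
# one JSON object per line. The third line is deliberately malformed to show
# how a non-JSON line should be counted rather than silently dropped.
SAMPLE_DOCKER_LOG = r'''{"log":"172.17.0.1 - - [10/Jan/2023:12:00:01 +0000] \"GET / HTTP/1.1\" 200 615 \"-\" \"curl/7.81.0\" \"-\"\n","stream":"stdout","time":"2023-01-10T12:00:01.123456789Z"}
{"log":"2023/01/10 12:00:02 [error] 29#29: *1 open() \"/usr/share/nginx/html/missing\" failed (2: No such file or directory)\n","stream":"stderr","time":"2023-01-10T12:00:02.000000001Z"}
not json at all
{"log":"172.17.0.1 - - [10/Jan/2023:12:00:03 +0000] \"GET /missing HTTP/1.1\" 404 153 \"-\" \"curl/7.81.0\" \"-\"\n","stream":"stdout","time":"2023-01-10T12:00:03.5Z"}
'''

# Default access log format of the official nginx image:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
NGINX_ACCESS_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)


def parse_docker_json_line(line):
    """Return the Docker json-file envelope as a dict, or None if the line is not one."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(entry, dict) or "log" not in entry:
        return None
    return entry


def parse_nginx_access(message):
    """Extract access-log fields from the raw Nginx line, or None if it is not an access line."""
    m = NGINX_ACCESS_RE.match(message.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["bytes"] = int(fields["bytes"])
    return fields


def process(text):
    """Turn json-file log text into flat events; returns (events, rejected_line_count)."""
    events, rejected = [], 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_docker_json_line(raw)
        if entry is None:
            rejected += 1
            continue
        # Envelope fields, as the json parser would expose them.
        event = {
            "time": entry.get("time"),
            "stream": entry.get("stream"),
            "log": entry["log"].rstrip("\n"),
        }
        # Second-level parse: only stdout carries access lines; stderr carries
        # Nginx error messages in a different format and stays unparsed here.
        if event["stream"] == "stdout":
            access = parse_nginx_access(event["log"])
            if access:
                event.update(access)
        events.append(event)
    return events, rejected


if __name__ == "__main__":
    parsed, bad = process(SAMPLE_DOCKER_LOG)
    for ev in parsed:
        print(ev.get("stream"), ev.get("status", "-"), ev.get("path", "-"), ev["time"])
    print(f"rejected non-JSON lines: {bad}")
```

The envelope keeps the wall-clock time Docker recorded, not the time inside the Nginx line, which is the one to trust when correlating with other hosts.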

Setting Up the Falcon LogScale Collector

With Docker and our Falcon LogScale repository all set up, it’s time to connect our pieces with Falcon LogScale Collector.

Installing the Collector

Under the Ingest tokens section of our repository where you created the ingest token, you’ll see a convenient link that will take you directly to the download page for the Falcon LogScale Collector.

Click that link to head over to the download page. From there, you can choose the installer for your OS (in our case, Ubuntu).

Download and install the Collector:

$ sudo dpkg -i humio-log-collector_1.2.1_linux_amd64.deb
(Reading database ... 64390 files and directories currently installed.)
Preparing to unpack humio-log-collector_1.2.1_linux_amd64.deb ...
Unpacking humio-log-collector (1.2.1) over (1.2.1) ...
Setting up humio-log-collector (1.2.1) ...

Configuring the Collector

On Linux, the configuration for Falcon LogScale Collector can be found in /etc/humio-log-collector/config.yaml. That’s where the Falcon LogScale Collector will look for its configuration by default. We’ll modify the configuration file, telling the Falcon LogScale Collector to watch the Docker container directories and their respective logs.

dataDirectory: /var/lib/humio-log-collector
sources:
  container_logs:
    type: file
    include: /var/lib/docker/containers/*/*.log
    exclude: 
    sink: logscale
sinks:
  logscale:
    type: humio
    token: <PASTE FALCON LOGSCALE REPOSITORY INGEST TOKEN HERE>
    url: https://cloud.community.humio.com

Granting permission to the Collector for reading Docker logs

With the configuration set, there’s one last thing you’ll need to do before starting the Falcon LogScale Collector service. Since Docker runs as root (per the standard installation method), the container logs are owned by the root user and are not world-readable. We need to make sure the Collector service has permission to read these container logs. To do this, edit the systemd service file (/usr/lib/systemd/system/humio-log-collector.service). Note the AmbientCapabilities=CAP_DAC_READ_SEARCH line added below Group=humio-log-collector: this capability lets the collector process bypass file read and directory search permission checks, so it can read the root-owned log files while still running as the unprivileged humio-log-collector user rather than as root.

[Unit]
Description=Humio Log Collector
After=network.target

[Service]
EnvironmentFile=/etc/default/humio-log-collector
ExecStart=/usr/bin/humio-log-collector -cfg ${CONFIG_FILE}
WorkingDirectory=/var/lib/humio-log-collector
User=humio-log-collector
Group=humio-log-collector
AmbientCapabilities=CAP_DAC_READ_SEARCH

[Install]
WantedBy=multi-user.target

From here, configure the service to start at system boot, and then perform an initial startup of the service. This will start shipping your Docker logs to your Falcon LogScale repository.

$ sudo systemctl daemon-reload
$ sudo systemctl enable humio-log-collector.service
$ sudo systemctl start humio-log-collector.service
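Before searching in Falcon LogScale, it is worth confirming on the host that the running collector process actually received the capability, since a service file edited in the wrong place or a missing daemon-reload leaves it without one. The following is an added example (not part of the original article or the Collector) that parses the Cap* lines of /proc/<pid>/status, which are world-readable, and checks bit 2 of CapEff, the number capabilities(7) assigns to CAP_DAC_READ_SEARCH. The two status excerpts are constructed, and the function names are this example's own.

```python
import re
import sys

# Capability number from capabilities(7): CAP_CHOWN=0, CAP_DAC_OVERRIDE=1,
# CAP_DAC_READ_SEARCH=2. Each Cap* line in /proc/<pid>/status is a hex bitmask
# indexed by capability number.
CAP_DAC_READ_SEARCH = 2


def caps_from_status(status_text):
    """Parse the Cap* lines of a /proc/<pid>/status document into {name: int mask}."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def has_capability(mask, cap_number):
    """True if the given capability number is set in the bitmask."""
    return bool((mask >> cap_number) & 1)


def collector_can_read_docker_logs(status_text):
    """True when the effective set (CapEff) carries CAP_DAC_READ_SEARCH."""
    caps = caps_from_status(status_text)
    return has_capability(caps.get("CapEff", 0), CAP_DAC_READ_SEARCH)


def check_pid(pid):
    """Read /proc/<pid>/status for a live process and run the same check."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as f:
        return collector_can_read_docker_logs(f.read())


# Constructed /proc status excerpts (not real captures). The first mirrors a
# collector started with the AmbientCapabilities line: ambient capabilities
# are carried into the permitted and effective sets across execve, so CapEff
# has bit 2 (mask 0x4) set. The second has no capabilities at all.
WITH_AMBIENT = (
    "Name:\thumio-log-collec\n"
    "Uid:\t997\t997\t997\t997\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000004\n"
    "CapEff:\t0000000000000004\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000004\n"
)
WITHOUT_AMBIENT = (
    "Name:\thumio-log-collec\n"
    "Uid:\t997\t997\t997\t997\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)


if __name__ == "__main__":
    # Usage on the host after starting the service:
    #   python3 check_caps.py "$(systemctl show -p MainPID --value humio-log-collector)"
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    ok = check_pid(pid)
    print(f"pid {pid}: CAP_DAC_READ_SEARCH in CapEff = {ok}")
    sys.exit(0 if ok else 1)
```

If the check fails on a live collector, re-run `systemctl daemon-reload` and restart the service; a capability that is present in CapAmb but absent from CapEff would point at the binary itself dropping it after start, which the stock collector does not do.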

Now, when we log into Falcon LogScale and run a search, we can see logs from our Nginx container!

Conclusion

In this how-to guide, we walked through how to configure the Falcon LogScale Collector to send our Docker container logs to Falcon LogScale.

Rather than creating complicated, additional tooling, engineering teams can use Falcon LogScale, which simplifies the process of log ingestion and aggregation. This allows logs from a wide range of systems to be easily shipped to Falcon LogScale.

Docker is no doubt a critical piece of the tech stack in many of today’s distributed applications. When instrumenting your systems to send logs to a centralized solution like Falcon LogScale, you’re now equipped to ensure that Docker logs are included in that set of essential data.
