Docker FAQ & Troubleshooting Guide


Prerequisites:

  1. Confirm the Threat Stack Docker requirements and version compatibility here.
  2. Ensure you are running the most up-to-date version of the Threat Stack agent.
    • Agent changelog including latest version is here.
    • Instructions for upgrading the agent are here.
  3. Docker is only available as a part of the Investigate package.

Why are my Docker events not labeled as “Docker” and missing the container ID?

If you can’t see Docker labeled events, then you may not have enabled container monitoring properly.  

This does not mean you are not receiving Docker events; it means they are not being labeled as Docker events within the Threat Stack application. A Docker event that is not mapped to its container displays as an ordinary host event. See “Example 2”.

Example 1: Event Mapped to Docker Container:

mapped_container.png

Example 2: Event Not mapped to Container:

Unmapped_Container.png

Check Setup on the Host

To check your setup on the host:

Run `sudo cloudsight status` to confirm the service is running.

Potential outcomes:

1. The container mapping service exists and runs:

Threat Stack Cloud Sight RUNNING (Process ID: 1872)
Threat Stack Connection CONNECTED
Threat Stack Audit Collection Service RUNNING (Process ID: 1490)
Threat Stack File Integrity Monitoring RUNNING (Process ID: 1930)
Threat Stack Containers Mapping Service   RUNNING (Process ID: 1931)

The service is running properly. Test it using the instructions below.

2. The container mapping service does not exist:

Threat Stack Cloud Sight RUNNING (Process ID: 1872)
Threat Stack Connection CONNECTED
Threat Stack Audit Collection Service RUNNING (Process ID: 1490)
Threat Stack File Integrity Monitoring RUNNING (Process ID: 1930)

If the service does not exist, contact your Customer Success Manager for assistance adding the feature to your Threat Stack feature plan.

3. The service exists but does not run:

Threat Stack Cloud Sight RUNNING (Process ID: 1872)
Threat Stack Connection CONNECTED
Threat Stack Audit Collection Service RUNNING (Process ID: 1490)
Threat Stack File Integrity Monitoring RUNNING (Process ID: 1930)
Threat Stack Containers Mapping Service   STOPPED (Process ID: 1931)

If the service exists but does not run, attempt to restart the agent: `sudo cloudsight restart`

If the service still does not run after the restart, collect logs and open a support ticket. The log files are located in /opt/threatstack/cloudsight/logs; look for cloudsight.log and threatstack-containers.log. Alternatively, you may run the diagnostic script found here: https://github.com/threatstack/support-tools
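The three outcomes above can be told apart mechanically from the `cloudsight status` output. The following script is an added example, not a Threat Stack tool: it classifies the status text into the three cases described in this article and prints the recommended next step. The `SAMPLE_*` blocks are constructed from the example outputs shown above so the script runs offline; when the `cloudsight` command is present on the host it uses the live output instead.

```shell
#!/bin/sh
# Added example (not Threat Stack's own tooling): classify the output of
# `sudo cloudsight status` into the outcomes described in this article.
# The SAMPLE_* blocks are constructed from the outputs shown above.

SAMPLE_OK='Threat Stack Cloud Sight RUNNING (Process ID: 1872)
Threat Stack Connection CONNECTED
Threat Stack Audit Collection Service RUNNING (Process ID: 1490)
Threat Stack File Integrity Monitoring RUNNING (Process ID: 1930)
Threat Stack Containers Mapping Service   RUNNING (Process ID: 1931)'

SAMPLE_MISSING='Threat Stack Cloud Sight RUNNING (Process ID: 1872)
Threat Stack Connection CONNECTED
Threat Stack Audit Collection Service RUNNING (Process ID: 1490)
Threat Stack File Integrity Monitoring RUNNING (Process ID: 1930)'

SAMPLE_STOPPED='Threat Stack Cloud Sight RUNNING (Process ID: 1872)
Threat Stack Connection CONNECTED
Threat Stack Audit Collection Service RUNNING (Process ID: 1490)
Threat Stack File Integrity Monitoring RUNNING (Process ID: 1930)
Threat Stack Containers Mapping Service   STOPPED (Process ID: 1931)'

# classify_status STATUS_TEXT -> prints one of: ok | missing | stopped | unknown
classify_status() {
  # Only the Containers Mapping Service line decides the outcome.
  # "|| true" keeps a no-match grep from aborting under "set -e".
  line=$(printf '%s\n' "$1" | grep 'Containers Mapping Service' || true)
  if [ -z "$line" ]; then
    echo missing
  elif printf '%s\n' "$line" | grep -q 'RUNNING'; then
    echo ok
  elif printf '%s\n' "$line" | grep -q 'STOPPED'; then
    echo stopped
  else
    echo unknown
  fi
}

# next_step OUTCOME -> prints the action this article recommends for it
next_step() {
  case "$1" in
    ok)      echo "Service is running: trigger a test event inside a container and search the Events page." ;;
    missing) echo "Container mapping is not in your feature plan: contact your Customer Success Manager." ;;
    stopped) echo "Run 'sudo cloudsight restart'; if it stays stopped, collect cloudsight.log and threatstack-containers.log from /opt/threatstack/cloudsight/logs and open a support ticket." ;;
    *)       echo "Unrecognised status line: collect logs and open a support ticket." ;;
  esac
}

# Use the live agent output on a monitored host; otherwise demonstrate offline.
main() {
  if command -v cloudsight >/dev/null 2>&1; then
    status_text=$(sudo cloudsight status 2>&1)
  else
    status_text="$SAMPLE_STOPPED"   # offline demonstration input
  fi
  outcome=$(classify_status "$status_text")
  echo "outcome: $outcome"
  next_step "$outcome"
}

main "$@"
```

The classification keys only on the "Containers Mapping Service" line, because the other four services are present in all three outcomes and do not distinguish them.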

Restart the Agent

To restart the agent, run `sudo cloudsight restart`.

Test on the Threat Stack Application

After you have confirmed the service runs, log into a container on the monitored host and run a command to trigger an event in the Threat Stack application.

Example: For this example we ran `curl www.threatstack.com` within the container.

1. Navigate to the Events page on your Threat Stack application

2. In the Search field, search for the specific event that you created: command = "curl"

3. To ensure you're looking at the most recent data:

  • click the Date Picker
  • select Quick Jump
  • click the 15 Minute time period

Results: The Results Found section displays any matching events.

4. Confirm the test events map to Docker Containers*

*If the test events do not map, confirm you are running the most up-to-date version of the Threat Stack agent:

  • Agent changelog including latest version is here
  • Instructions for upgrading the agent are here

Example 1: Curl Event on the Events page.

curl_event.png
