Docker FAQ & Troubleshooting Guide

Prerequisites

  1. Confirm the F5 Distributed Cloud App Infrastructure Protection (AIP) Docker requirements and version compatibility.
  2. Ensure you are running the most up-to-date version of the Distributed Cloud AIP Agent.
  3. Be aware that Docker is only available as a part of the Investigate package.

Why are my Docker events not labeled as “Docker” and missing the container ID?

If you can’t see Docker-labeled events, Container Monitoring may not be enabled properly.

This does not mean you are not receiving Docker events; it means they are not being labeled as Docker events within Distributed Cloud AIP. A Docker event that does not map to a container displays as a host event. See Example 2.

Example 1: Event mapped to Docker container:

[Screenshot: mapped_container.png]

Example 2: Event not mapped to container:

[Screenshot: Unmapped_Container.png]

Check Setup on the Host

  1. Run sudo cloudsight status to confirm that the service is running.

Potential Outcomes

  • Service is running properly:
Distributed Cloud AIP Cloud Sight RUNNING (Process ID: 1872)
Distributed Cloud AIP Connection CONNECTED
Distributed Cloud AIP Audit Collection Service RUNNING (Process ID: 1490)
Distributed Cloud AIP File Integrity Monitoring RUNNING (Process ID: 1930)
Distributed Cloud AIP Containers Mapping Service  RUNNING (Process ID: 1931)
  • The container mapping service does not exist:
Distributed Cloud AIP Cloud Sight RUNNING (Process ID: 1872)
Distributed Cloud AIP Connection CONNECTED
Distributed Cloud AIP Audit Collection Service RUNNING (Process ID: 1490)
Distributed Cloud AIP File Integrity Monitoring RUNNING (Process ID: 1930)

If the service does not exist, contact Support for assistance adding the feature to your Distributed Cloud AIP feature plan.

  • The service exists but does not run:
Distributed Cloud AIP Cloud Sight RUNNING (Process ID: 1872)
Distributed Cloud AIP Connection CONNECTED
Distributed Cloud AIP Audit Collection Service RUNNING (Process ID: 1490)
Distributed Cloud AIP File Integrity Monitoring RUNNING (Process ID: 1930)
Distributed Cloud AIP Containers Mapping Service   STOPPED (Process ID: 1931)

If the service exists but does not run, run sudo cloudsight restart to attempt an Agent restart.

  • Collect logs and open a support ticket.
    • Locate the log files at /opt/threatstack/cloudsight/logs. Look for cloudsight.log and threatstack-containers.log.
  • Alternatively, run the diagnostic script.
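
The three outcomes above can be told apart mechanically. The following script is an added example, not part of the original guide or the Agent: it classifies the Containers Mapping Service from the status text and prints the matching next step. The function names mapping_state and next_step and the --live switch are hypothetical; the sample input is the "exists but does not run" listing shown above.

```shell
#!/bin/sh
# Added example: classify the Containers Mapping Service from the text that
# `sudo cloudsight status` prints. Function names are hypothetical.

# Reads status text on stdin; prints running | stopped | missing | unknown.
mapping_state() {
    status=$(cat)
    # No agent lines at all: the command failed or printed nothing useful.
    printf '%s\n' "$status" | grep -q 'Cloud Sight' || { echo unknown; return 0; }
    line=$(printf '%s\n' "$status" | grep 'Containers Mapping Service' || true)
    if [ -z "$line" ]; then
        echo missing            # service line absent from the listing
        return 0
    fi
    case "$line" in
        *RUNNING*) echo running ;;
        *STOPPED*) echo stopped ;;
        *)         echo unknown ;;
    esac
}

# Maps a state to the next step this guide gives for it.
next_step() {
    case "$1" in
        running) echo "Run the in-container test event" ;;
        stopped) echo "Restart the Agent: sudo cloudsight restart" ;;
        missing) echo "Contact Support to add the feature to your plan" ;;
        *)       echo "Collect cloudsight.log and threatstack-containers.log for Support" ;;
    esac
}

# Sample input: the "exists but does not run" listing shown in this guide.
SAMPLE='Distributed Cloud AIP Cloud Sight RUNNING (Process ID: 1872)
Distributed Cloud AIP Connection CONNECTED
Distributed Cloud AIP Audit Collection Service RUNNING (Process ID: 1490)
Distributed Cloud AIP File Integrity Monitoring RUNNING (Process ID: 1930)
Distributed Cloud AIP Containers Mapping Service   STOPPED (Process ID: 1931)'

if [ "${1:-}" = "--live" ]; then
    state=$(sudo cloudsight status 2>&1 | mapping_state)   # query the real agent
else
    state=$(printf '%s\n' "$SAMPLE" | mapping_state)       # offline demo
fi
echo "Containers Mapping Service: $state"
next_step "$state"
```

Run without arguments, it classifies the embedded sample; with --live it reads the Agent's actual status on the host.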

Restart the Agent

Run sudo cloudsight restart to restart the Agent.

Test on the Distributed Cloud AIP Application

After you have confirmed the service runs, log into a container on the monitored host and run a command to trigger an event in the Distributed Cloud AIP application.

Example: For this example, we ran curl www.threatstack.com within the container.

  1. Log into Distributed Cloud AIP.
  2. In the left navigation pane, click Events. The All Events page displays.
  3. In the Search field, search for the specific event that you created: command = "curl".
  4. Ensure that you are viewing the most recent data:
    1. Click the Date Picker.
    2. Select Quick Jump.
    3. Click the 15 Minute time period.
  5. From the results page, confirm the test events map to Docker Containers.
    1. If the test events do not map, confirm you are running the most up-to-date version of the Distributed Cloud AIP Agent.

Example: Curl event on the Events page:

[Screenshot: curl_event.png]

Why am I seeing Docker events when containerd monitoring is on and Docker monitoring is off?

The Docker runtime is built on top of the containerd runtime. As a result, any Docker activity reports through the containerd runtime event stream when you enable F5 Distributed Cloud App Infrastructure Protection (AIP) containerd monitoring.

I am not receiving data from Docker, but the Docker Monitoring Service shows UP status. Why?

Check the tsagentd.log files for error messages relating to docker.sock or containerd.sock.
