Docker FAQ & Troubleshooting Guide

Prerequisites:

  1. Confirm the F5 Distributed Cloud App Infrastructure Protection (AIP) Docker requirements and version compatibility here.
  2. Ensure you are running the most up-to-date version of the Distributed Cloud AIP agent.
    • Agent changelog including latest version is here.
    • Instructions for upgrading the agent are here.
  3. Docker is only available as a part of the Investigate package.

Why are my Docker events not labeled as “Docker” and missing the container ID?

If you can’t see Docker-labeled events, then you may not have enabled container monitoring properly.

This does not mean you are not receiving Docker events. It means they are not being labeled as Docker events within the Distributed Cloud AIP application. A Docker event that does not map to a container displays as an ordinary host event. See “Example 2”.

Example 1: Event Mapped to Docker Container:

mapped_container.png

Example 2: Event Not mapped to Container:

Unmapped_Container.png

Check Setup on the Host

To check your setup on the host:

Run `sudo cloudsight status` to confirm that the service is running.

Potential outcomes:

1. The container mapping service is running:

Distributed Cloud AIP Cloud Sight RUNNING (Process ID: 1872)
Distributed Cloud AIP Connection CONNECTED
Distributed Cloud AIP Audit Collection Service RUNNING (Process ID: 1490)
Distributed Cloud AIP File Integrity Monitoring RUNNING (Process ID: 1930)
Distributed Cloud AIP Containers Mapping Service   RUNNING (Process ID: 1931)

The service is running properly. Test using the instructions below.

2. The container mapping service does not exist:

Distributed Cloud AIP Cloud Sight RUNNING (Process ID: 1872)
Distributed Cloud AIP Connection CONNECTED
Distributed Cloud AIP Audit Collection Service RUNNING (Process ID: 1490)
Distributed Cloud AIP File Integrity Monitoring RUNNING (Process ID: 1930)

If the service does not exist, contact your Customer Success Manager for assistance adding the feature to your Distributed Cloud AIP feature plan.

3. The service exists but does not run:

Distributed Cloud AIP Cloud Sight RUNNING (Process ID: 1872)
Distributed Cloud AIP Connection CONNECTED
Distributed Cloud AIP Audit Collection Service RUNNING (Process ID: 1490)
Distributed Cloud AIP File Integrity Monitoring RUNNING (Process ID: 1930)
Distributed Cloud AIP Containers Mapping Service   STOPPED (Process ID: 1931)

If the service exists but does not run, attempt to restart the agent: `sudo cloudsight restart`

Collect logs and open a support ticket. The log files are located in /opt/threatstack/cloudsight/logs; look for cloudsight.log and threatstack-containers.log. Alternatively, you may run the diagnostic script found here: https://github.com/threatstack/support-tools
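
The three outcomes above can be checked in a script, for example across many hosts. The following is an added example, not part of the original guide or the vendor's tooling: the function names, the "unknown" state, and the --live switch are assumptions made for illustration, and the sample input is the outcome 3 status output shown above.

```shell
#!/bin/sh
# Classify the Containers Mapping Service state from the text that
# `sudo cloudsight status` prints. Reads the status text on stdin.
# Prints: running | stopped | missing | unknown
classify_mapping_service() {
    awk '
        /Containers Mapping Service/ {
            found = 1
            if ($0 ~ /RUNNING/)      state = "running"
            else if ($0 ~ /STOPPED/) state = "stopped"
            else                     state = "unknown"  # assumption: any other state word
        }
        END { print (found ? state : "missing") }
    '
}

# Map each state to the follow-up this guide gives for it.
next_step() {
    case "$1" in
        running) echo "Service is running: test event mapping in the application." ;;
        missing) echo "Service not listed: contact your Customer Success Manager." ;;
        stopped) echo "Service stopped: restart with 'sudo cloudsight restart'; collect logs and open a support ticket." ;;
        *)       echo "Unrecognized state: collect logs and open a support ticket." ;;
    esac
}

# Sample input: the "exists but does not run" status output from this guide.
SAMPLE_STOPPED='Distributed Cloud AIP Cloud Sight RUNNING (Process ID: 1872)
Distributed Cloud AIP Connection CONNECTED
Distributed Cloud AIP Audit Collection Service RUNNING (Process ID: 1490)
Distributed Cloud AIP File Integrity Monitoring RUNNING (Process ID: 1930)
Distributed Cloud AIP Containers Mapping Service   STOPPED (Process ID: 1931)'

if [ "${1:-}" = "--live" ]; then
    # Query the real agent on this host.
    state=$(sudo cloudsight status | classify_mapping_service)
else
    # Default: run against the embedded sample so the script works offline.
    state=$(printf '%s\n' "$SAMPLE_STOPPED" | classify_mapping_service)
fi
echo "state=$state"
next_step "$state"
```

Run with --live on a monitored host to classify the real agent status instead of the embedded sample.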

Restart the Agent

To restart the agent, run `sudo cloudsight restart`.

Test on the Distributed Cloud AIP Application

After you have confirmed the service runs, log into a container on the monitored host and run a command to trigger an event in the Distributed Cloud AIP application.

Example: For this example we ran `curl www.threatstack.com` within the container.

1. Navigate to the Events page in your Distributed Cloud AIP application.

2. In the Search field, search for the specific event that you created: command = "curl"

3. To ensure you're looking at the most recent data:

  • click the Date Picker
  • select Quick Jump
  • click the 15 Minute time period

Results: The Results Found section displays any matching events.

4. Confirm the test events map to Docker Containers*

*If the test events do not map, confirm you are running the most up-to-date version of the Distributed Cloud AIP agent:

  • Agent changelog including latest version is here
  • Instructions for upgrading the agent are here

Example 1: Curl Event on the Events page.

curl_event.png
