Docker JSON-File Container Logs
Linux, Execution Evidence, Docker, Disk Image
Location
/var/lib/docker/containers/<container-id>/<container-id>-json.log
Description
Default Docker container log files written by the json-file logging driver. Each record stores one stdout or stderr line emitted by the container process, together with a timestamp and the stream it came from.
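As an added example (not part of the original reference entry), the following Python parser reads the json-file driver's one-object-per-line format described above and turns it into a timeline that can be filtered by stream or time window. The sample log content is constructed; the field names `log`, `stream` and `time` are the driver's real ones, while the helper functions and the malformed-line handling are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample content of a <container-id>-json.log file (not taken from a real host).
# Each line is one JSON object: "log" (raw line, newline included), "stream", "time" (RFC 3339, ns).
SAMPLE_LOG = (
    '{"log":"Starting app on :8080\\n","stream":"stdout","time":"2024-03-01T10:00:00.123456789Z"}\n'
    '{"log":"GET /health 200\\n","stream":"stdout","time":"2024-03-01T10:01:00.000000000Z"}\n'
    '{"log":"Traceback (most recent call last):\\n","stream":"stderr","time":"2024-03-01T10:05:42.5Z"}\n'
    'this line is not JSON (e.g. truncated during rotation)\n'
    '{"log":"uid=0(root) gid=0(root)\\n","stream":"stdout","time":"2024-03-01T10:06:01Z"}\n'
)

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")


def parse_docker_time(value):
    """Parse the driver's RFC 3339 timestamp. Docker writes nanoseconds; datetime
    only holds microseconds, so the fraction is truncated (never rounded up)."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))
    if tz == "Z":
        dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    else:
        dt = datetime.fromisoformat(base + tz)  # "+HH:MM" offsets are accepted by fromisoformat
    return dt.replace(microsecond=micros)


def parse_json_log(text):
    """Parse json-file driver content. Returns (records, malformed): records carry a
    parsed 'time', the 'stream' and the 'log' text; malformed counts lines that are
    not valid entries (a partial line from rotation mid-write, or edited content)."""
    records, malformed = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
            rec = {
                "line": lineno,
                "time": parse_docker_time(obj["time"]),
                "stream": obj["stream"],
                "log": obj["log"].rstrip("\n"),
            }
        except (ValueError, KeyError, TypeError):
            malformed += 1
            continue
        records.append(rec)
    return records, malformed


def stream_counts(records):
    """Number of records per stream (stdout / stderr)."""
    counts = {}
    for r in records:
        counts[r["stream"]] = counts.get(r["stream"], 0) + 1
    return counts


def in_window(records, start, end):
    """Records with start <= time < end (timezone-aware datetimes), for scoping to an incident window."""
    return [r for r in records if start <= r["time"] < end]


def timeline(records):
    """Render records as report lines: ISO UTC time, stream, text."""
    return [f"{r['time'].isoformat()} {r['stream']:6s} {r['log']}" for r in records]


if __name__ == "__main__":
    recs, bad = parse_json_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {bad} malformed line(s)")
    for entry in timeline(recs):
        print(entry)
```

Run it against a copied `<container-id>-json.log` by reading the file into `parse_json_log`; a non-zero malformed count is worth recording in the collection notes, since the driver itself writes only complete JSON objects.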
Forensic Value
These host-side logs often preserve exploitation traces, runtime errors, shell output, data-transfer evidence, and staging activity even after an attacker deletes application-level logs inside the container. Because the logs exist on the host, they remain available when an attacker only cleans the container filesystem.
Tools Required
find, cp, jq, docker logs
Collection Commands
find
find /var/lib/docker/containers -name "*-json.log" -exec cp --parents {} /forensics/output/ \;
tar
tar czf /forensics/output/docker_json_logs.tar.gz /var/lib/docker/containers/
docker
for cid in $(docker ps -aq); do docker logs "$cid" > "/forensics/output/docker_logs_${cid}.txt" 2>&1; done
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- JSON-file logs exist only when that log driver was enabled and the host has not already rotated or deleted the files.
- Logs capture stdout and stderr, not every filesystem or network side effect of the container workload.
MITRE ATT&CK Techniques
T1059, T1041, T1610