All IRIS components log to their Docker containers by default.
Depending on the host OS, the location of these logs may differ.
For Debian-based distributions, the logs are usually in
The logs of most interest in IRIS are the following:
- iriswebapp_app: Contains the logs of the IRIS core, including major stack traces and access-control output
- iriswebapp_worker: Contains the logs of the worker and the output of modules
- iriswebapp_nginx: Contains the logs of the reverse proxy. Every request to IRIS is logged there.
Setting up forwarding
IRIS logs can be forwarded to a SIEM for monitoring. Setting up Splunk forwarding is described below. Other logging drivers are available and detailed on the Docker website.
- Enable the HTTP Event Collector (HEC) and obtain an HEC token from Splunk. See the Splunk documentation.
- On the host where Docker is running, create the file /etc/docker/daemon.json with the following content:
- Reload the Docker daemon with systemctl reload docker. The logs should appear in the Splunk instance.
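As an added example (this is not content from this page nor from the IRIS project), the following daemon.json configures Docker's built-in splunk log driver for the procedure above. The HEC URL, token and index name are assumed placeholders to be replaced with your own values; all option keys are the driver's standard log-opts.

```json
{
  "log-driver": "splunk",
  "log-opts": {
    "splunk-url": "https://splunk.example.internal:8088",
    "splunk-token": "REPLACE_WITH_HEC_TOKEN",
    "splunk-index": "iris",
    "splunk-source": "docker",
    "splunk-sourcetype": "iris:container",
    "splunk-format": "json",
    "splunk-verify-connection": "true",
    "splunk-insecureskipverify": "false",
    "tag": "{{.Name}}/{{.ID}}",
    "labels": "com.docker.compose.service"
  }
}
```

The tag option stamps every event with the container name, so iriswebapp_app, iriswebapp_worker and iriswebapp_nginx can be told apart in Splunk; the labels option additionally forwards the compose service name as a field. Keep splunk-insecureskipverify at false and, if the HEC endpoint uses a private CA, point splunk-cafile at that CA certificate rather than disabling verification. The file holds the HEC token, so restrict it to root (chmod 600 /etc/docker/daemon.json). A default log-driver set in daemon.json applies only to containers created after the change, so recreate the IRIS containers (for example docker compose up -d --force-recreate) and confirm the active driver with docker info --format '{{.LoggingDriver}}'.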