Container->Kernel Relationship wrt logs

I’m trying to get a better understanding of containers in relation to expectations from my cyber team to treat them similar to VMs. Some environment data:

  • Host OS: Ubuntu
  • Orchestrator: Azure Kubernetes Service v1.22.11
  • CNI: Azure CNI
  • CRI: containerd
  • Container OS: RHEL 8

I’m being asked for log shipping from our containers to our local SIEM but /var/log in my containers is empty.

I understand that the container is isolated in the kernel w/ namespaces (cgroups) and evidenced by “ps” returning practically nothing inside my container. However, for security/auditing requirements, should /var/log have files that aren’t empty? Should I be running auditd inside my container? Does that data show up in the container logs or in the host logs for /var/log?


It doesn’t look like you’re using LXC or LXD here but instead Kubernetes containers using containerd, so we’re not really the right people to answer this :)

Containers do share the kernel, so shipping kernel logs from a container is pretty redundant. For userspace logging, system containers like those provided by LXC and LXD will generally come with journald and rsyslog, giving you the exact same logs as you’d normally get on any Linux system.

Application containers tend to not bother running those services and therefore will not have any centralized logging facility, so no content in /var/log other than what the specific application you’re running may be writing (if it even writes those entries there).
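
The distinction drawn in the answer above can be checked from inside a container. The following is an added example, not part of the original posts: it looks for a running logging daemon and for non-empty files under /var/log, and reports which of the two container styles the result matches. The function names, the daemon list, and the ROOT/PROC arguments are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. ROOT/PROC arguments are assumptions of this sketch so the
# checks can be pointed at a constructed tree; defaults inspect the container.

# Print logging daemons found in PROC/<pid>/comm, one per line.
# comm is truncated to 15 characters, so systemd-journald reads "systemd-journal".
logging_daemons() {
    proc=${1:-/proc}
    for comm in "$proc"/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        read -r name < "$comm" || continue
        case $name in
            systemd-journal|rsyslogd|syslog-ng|auditd) echo "$name" ;;
        esac
    done | sort -u
}

# Count regular files under ROOT/var/log that contain at least one byte.
nonempty_logs() {
    root=${1:-}
    [ -d "$root/var/log" ] || { echo 0; return 0; }
    find "$root/var/log" -type f -size +0c 2>/dev/null | wc -l | tr -d ' '
}

# Summarise which of the two container styles from the answer this looks like.
logging_profile() {
    daemons=$(logging_daemons "${2:-/proc}")
    logs=$(nonempty_logs "${1:-}")
    if [ -n "$daemons" ]; then
        echo "system-style: $(echo $daemons) running; $logs non-empty file(s) in /var/log"
    elif [ "$logs" -gt 0 ]; then
        echo "app-style: no logging daemon; $logs file(s) written directly by the application"
    else
        echo "app-style: no logging daemon; /var/log has no content"
    fi
}

logging_profile "$@"
```

Run with no arguments inside the container, it inspects the live /proc and /var/log; the output line is the evidence to hand to an audit team asking why /var/log is empty.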

Thanks @stgraber. I have this question in a few places and am just not getting much interaction (might be the season). So this was a shot in the dark and I appreciate your feedback.