Keep Log Collector running

Hi,

I have deployed a log collector for Cloud App Security in a Docker container on a Windows Server 2019 VM. Our FortiGate firewall is pushing syslog messages to this log collector, which ingests the logs in MCAS. This works fine, as long as I have a logged in user session at the Windows VM which keeps the Docker container running. As soon as I log out of this session, the container stops running and there are no new logfiles in MCAS.

How can I keep the Docker container running when I log off?

3 Replies
Don't log off :)
"A user must be signed in for Docker to collect logs. We recommend advising your Docker users to disconnect without signing out." (from https://docs.microsoft.com/en-us/cloud-app-security/discovery-docker-windows)

@Dean Gross 

Keeping a disconnected user session in memory will allow an attacker to compromise the server. Wouldn't it be wise to always log off disconnected RDP sessions on servers, to reduce attack surface? Therefore, we have a GPO set that logs off every RDP session on our servers that is disconnected for 10 minutes.

Isn't there a way to keep the container running as a service, while there is no user session active on the server?

@leoschroer not many options here:

(attached screenshot: JanBakker330_0-1608568599701.png)

I would suggest that you add this system to your Tier 1 servers, and not apply any GPO that logs off users from disconnected sessions. It's best to use a dedicated server, with least privileged access, and well-documented procedures.
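A small audit script for the situation the thread describes: it reports whether the host carries a disconnected-session time limit (the policy behind the 10-minute log-off GPO) and whether the collector container is currently running, so a collector host that was not exempted from the GPO is caught before the session is dropped. This is an added example, not code from the thread or from Microsoft's docs; the registry key and value name are the standard locations for the "Set time limit for disconnected sessions" policy, and the container name is a placeholder.

```powershell
# Added example (not from the thread). Audits a Windows Docker host running a
# Cloud App Security log collector for a disconnected-session log-off policy.
# Assumptions: the policy is the standard Terminal Services MaxDisconnectionTime
# value (milliseconds); the container name below is a placeholder to adjust.

$CollectorContainer = 'mcas-log-collector'   # placeholder, not from the thread

function Get-DisconnectedSessionLimit {
    # Returns the configured limit in minutes, or $null when no limit applies.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
        $item = Get-ItemProperty -Path $key -Name MaxDisconnectionTime -ErrorAction SilentlyContinue
        if ($item -and $item.MaxDisconnectionTime -gt 0) {
            return [pscustomobject]@{
                Hive    = $hive
                Minutes = [math]::Round($item.MaxDisconnectionTime / 60000)
            }
        }
    }
    return $null
}

function Get-CollectorState {
    # 'running', 'stopped' or 'missing' for the collector container.
    $running = docker inspect -f '{{.State.Running}}' $CollectorContainer 2>$null
    if ($LASTEXITCODE -ne 0) { return 'missing' }
    if ($running -eq 'true') { return 'running' } else { return 'stopped' }
}

function Test-CollectorHost {
    $limit        = Get-DisconnectedSessionLimit
    # Lines of 'query session' whose STATE column is Disc (disconnected).
    $disconnected = @((query session 2>$null) -match '\bDisc\b')
    $report = [pscustomobject]@{
        Container            = Get-CollectorState
        DisconnectLimitMin   = if ($limit) { $limit.Minutes } else { 'none' }
        DisconnectedSessions = $disconnected.Count
    }
    if ($limit -and $report.Container -eq 'running') {
        Write-Warning ('Disconnected sessions are logged off after {0} min ({1} policy); the collector stops when the session keeping it alive is logged off.' -f $limit.Minutes, $limit.Hive)
    }
    return $report
}

Test-CollectorHost | Format-List
```

Run it in an elevated PowerShell on the collector VM; a warning means the host still has the log-off policy applied and belongs in the exempted Tier 1 group described above.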