IBM Security QRadar SOAR

  • 1.  App Host Logs Question

    IBM Champion
    Posted Fri May 21, 2021 03:31 PM
    All,

    I'm wondering if anyone knows if it's possible to get the logs of a previous instance of an app?

    This may explain it better: I just updated the configuration file for one of our apps and restarted it. When I restarted it, I noticed it pushed a bunch of new incidents into Resilient from a couple of days ago. This leads me to believe the app had errored out before I had restarted it. I don't know of a way to get the logs of the app that errored, though.

    This was for the Microsoft security graph integration.

    Any thoughts?

    Thanks,

    Liam

    ------------------------------
    Liam Mahoney
    ------------------------------


  • 2.  RE: App Host Logs Question

    IBM Champion
    Posted Tue May 25, 2021 02:08 PM
    I can't help answer your question, since we haven't migrated to the app host architecture yet (as I imagine you have from the issue).

    Possibly a future solution to this issue, without a ton of knowledge on the architecture, is to configure rsyslog for the docker containers, so you could view the logs from your SIEM once the container is refreshed. How to do this might require a bit of research, but is something we'll keep in mind from this issue when we migrate over.
    Might be a good reference: https://www.simulmedia.com/blog/2016/02/19/centralized-docker-logging-with-rsyslog/#:~:text=Docker%20containers%20send%20their%20logs,in%2Dline%20with%20one%20another.


    It's also possible there's still a centralized log file on the server that they're sent to, in which case this wouldn't be necessary. Curious to hear from others/devs...

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------
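    As an added example (not from either poster, and not part of the App Host product itself), this is the Docker-side half of the rsyslog approach Jared describes: a shell helper that renders an `/etc/docker/daemon.json` switching the daemon's default logging driver to `syslog`, so every container's stdout/stderr is forwarded to a collector as it is written and survives the container being recreated. The collector address and the output path are placeholders supplied by the caller; the `syslog-address`, `syslog-facility` and `tag` keys are real Docker `log-opts`.

```shell
#!/bin/sh
# Render a Docker daemon.json that ships container logs to a remote rsyslog.
# Hypothetical helper for illustration; run as root on the Docker host.
#   $1 = syslog address, e.g. tcp://rsyslog.example.internal:514 (placeholder host)
#   $2 = output path (defaults to /etc/docker/daemon.json)
render_daemon_json() {
  addr="$1"
  out="${2:-/etc/docker/daemon.json}"
  case "$addr" in
    tcp://*|udp://*|tcp+tls://*) ;;                      # only schemes the syslog driver accepts
    *) echo "unsupported syslog address: $addr" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
{
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "$addr",
    "syslog-facility": "daemon",
    "tag": "{{.Name}}/{{.ID}}"
  }
}
EOF
}

# Quick sanity check on a rendered file: driver set and address present.
check_daemon_json() {
  f="$1"
  grep -q '"log-driver": "syslog"' "$f" && grep -q '"syslog-address": "' "$f"
}

# Example usage (writes to a temp file so nothing on the host is touched):
# tmp=$(mktemp); render_daemon_json tcp://rsyslog.example.internal:514 "$tmp" && check_daemon_json "$tmp"
```

Two caveats worth knowing before relying on this: the daemon-level default only applies to containers created after the Docker daemon is restarted, so existing app containers keep their old driver until App Host recreates them; and with the `syslog` driver the local `docker logs` command no longer shows output on older Docker releases (20.10 and later keep a local cache for it), so the SIEM becomes the place to look, which is the point of the exercise. The `tag` template puts the container name and ID on every line, which is what lets you separate the failed instance's entries from the restarted one's.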