From 9a75396174c183f72812d48d8fad2c6ed7f8ff26 Mon Sep 17 00:00:00 2001
From: George Tsigourakos
Date: Tue, 5 Mar 2024 14:55:49 +0200
Subject: [PATCH] Use symbolic link as a hacky way to output to stdout
---
 Dockerfile | 4 +---
 cfg/cs.falconhoseclient.cfg.template | 4 ++--
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 729e61e..3349af1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,14 +20,12 @@ RUN apt-get update && apt-get install -y gettext-base curl
 COPY deb/crowdstrike-cs-falconhoseclient_2.18.0_amd64.deb "${WORKDIR}/crowdstrike.deb"
 RUN dpkg -i "${WORKDIR}/crowdstrike.deb"
-RUN mkdir -p /var/log/containers
-
 # Prepare a simple user instead of root
 RUN groupadd -g 1000 user && useradd -r -u 1000 -g user user
+RUN ln -s /proc/self/fd/1 /var/log/crowdstrike/falconhoseclient/output
 RUN chown -R user:user /var/log/crowdstrike/falconhoseclient
 RUN chmod -R 755 /var/log/crowdstrike/falconhoseclient
 RUN chown -R user:user /opt/crowdstrike/etc
-RUN chown -R user:user /var/log/containers
 WORKDIR "${WORKDIR}"
diff --git a/cfg/cs.falconhoseclient.cfg.template b/cfg/cs.falconhoseclient.cfg.template
index 820f432..930537b 100644
--- a/cfg/cs.falconhoseclient.cfg.template
+++ b/cfg/cs.falconhoseclient.cfg.template
@@ -32,10 +32,10 @@ output_format = json
 # Will be true regardless if Syslog is not enabled
 # If path does not exist or user has no permission, log file will be used
 output_to_file = true
-output_path = /var/log/containers/falcon_output.log
+output_path = /var/log/crowdstrike/falconhoseclient/output
 # Offset file full filepath and filename
-offset_path = /var/log/containers/falcon_offsets.log
+offset_path = /var/log/crowdstrike/falconhoseclient/stream_offsets
 [Output_File_Rotation]
 # If the output is writing to a file, then the settings below will govern output file rotation
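Review bot: The added `RUN ln -s /proc/self/fd/1 /var/log/crowdstrike/falconhoseclient/output` only works if the runtime user is allowed to re-open the container's stdout, and nothing visible in the hunk checks that. Opening `/proc/self/fd/1` is a fresh open of whatever backs stdout, so when the client runs as `user` (uid 1000) and stdout is a pipe or pty owned by another uid, the open can fail with a permission error. The template comment in this same commit says the client then falls back to its log file, so events would presumably stop reaching the container log stream without any visible failure. Consider a comment above the line such as `# output -> container stdout; resolved per process at open time, runtime user must be able to open it`, and a writability check on that path in the entrypoint, which is outside this hunk.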
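Review bot: `output_path` now names a symlink to stdout, yet the `[Output_File_Rotation]` section that begins at the end of this hunk still governs that path. If rotation is enabled (its keys are outside the hunk), a rename-and-recreate rotation would presumably replace the symlink with a regular file, since the Dockerfile gives `user` ownership of the directory, and events would then pile up in the container layer instead of reaching stdout. Separately, `offset_path` moves to `/var/log/crowdstrike/falconhoseclient/stream_offsets`; unless that directory is a mounted volume, the offsets are lost when the container is recreated, which risks replayed or missed events. Suggest a comment above `output_path`, `# symlink to container stdout (created in the Dockerfile); keep file rotation disabled`, and confirming that the offset file sits on persistent storage.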