Processing Docker logs for well-known applications


Ali

Aug 31, 2023, 12:46:06 PM
to Wazuh | Mailing List
Hi

I am using the Mailcow Docker deployment which includes standard server technologies like NGINX, Postfix, Dovecot, MariaDB, ClamAV etc.

I've configured Docker to generate syslog format log files, each tagged with the Docker container creating it, as per the instructions here: https://wazuh.com/blog/monitoring-docker-container-logs-with-wazuh/

However, these logs will also contain the standard Postfix logs with the Docker prefix, for example:

Aug 31 15:50:40 antenna-pub docker/mailcowdockerized-postfix-mailcow-1[3880874]: Aug 31 16:50:40 91232cdefbc9 postfix/smtps/smtpd[10630]: warning: unknown[39.165.96.236]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

What I want to do is be able to chop off the Docker stuff at the beginning and run the normal log itself through the Postfix built-in decoder. If I do this manually with logtest, it works but I cannot understand how to chain the Docker decoder to the Postfix decoder to get the requisite alerts.

Can anyone advise?

Thanks,
Ali
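One way to do the unwrapping outside Wazuh, as an added example that is not from the thread or from Wazuh's own decoders: a small Python parser that strips the Docker syslog prefix from the line quoted above, re-parses the inner Postfix syslog line, and pulls out the source IP and SASL method of the authentication failure. The regular expressions and field names are assumptions of this example; the sample line is the one from the post.

```python
import re
from typing import Dict, Optional

# Outer line written by the Docker syslog driver: the container's own
# syslog line is carried verbatim as the message part.
DOCKER_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"docker/(?P<container>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<inner>.*)$"
)

# Inner syslog line as Postfix emitted it inside the container.
INNER_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Postfix SASL authentication failure, the event the post wants alerts for.
SASL_FAIL_RE = re.compile(
    r"^warning: (?P<rdns>\S+)\[(?P<srcip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<method>\S+) authentication failed"
)

# Sample line copied from the post above.
SAMPLE = ("Aug 31 15:50:40 antenna-pub docker/mailcowdockerized-postfix-mailcow-1"
          "[3880874]: Aug 31 16:50:40 91232cdefbc9 postfix/smtps/smtpd[10630]: "
          "warning: unknown[39.165.96.236]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")


def unwrap_docker(line: str) -> Optional[Dict[str, str]]:
    """Strip the Docker prefix and parse the inner syslog line it wraps."""
    outer = DOCKER_SYSLOG_RE.match(line)
    if not outer:
        return None
    inner = INNER_SYSLOG_RE.match(outer.group("inner"))
    if not inner:
        return None
    return {"container": outer.group("container"), "program": inner.group("program"),
            "pid": inner.group("pid"), "msg": inner.group("msg")}


def decode_postfix_sasl_failure(line: str) -> Optional[Dict[str, str]]:
    """Return the failure details if the wrapped line is a Postfix SASL auth failure."""
    ev = unwrap_docker(line)
    if ev is None or not ev["program"].startswith("postfix/"):
        return None
    m = SASL_FAIL_RE.match(ev["msg"])
    if not m:
        return None
    return {"container": ev["container"], "program": ev["program"],
            "srcip": m.group("srcip"), "method": m.group("method")}


if __name__ == "__main__":
    print(decode_postfix_sasl_failure(SAMPLE))
```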

Mario Andres Ruiz Hernandez

Sep 4, 2023, 9:06:05 PM
to Wazuh | Mailing List
Hi Ali,

Please give it a look and let me know if it helps you the way you are looking for.
