Keep Log Collector running

Occasional Contributor

Hi,

 

I have deployed a log collector for Cloud App Security in a Docker container on a Windows Server 2019 VM. Our FortiGate firewall is pushing syslog messages to this log collector, which ingests the logs in MCAS. This works fine, as long as I have a logged in user session at the Windows VM which keeps the Docker container running. As soon as I log out of this session, the container stops running and there are no new logfiles in MCAS.

 

How can I keep the Docker container running when I log off?

3 Replies
don't logoff :)
A user must be signed in for Docker to collect logs. We recommend advising your Docker users to disconnect without signing out. from https://docs.microsoft.com/en-us/cloud-app-security/discovery-docker-windows

@Dean Gross 

 

Keeping a disconnect user session in memory will allow an attacker to compromise the server. Wouldn't it be wise to always log off disconnected RDP sessions on servers, to reduce attack surface? Therefore, we have a GPO set, that logs off every RDP session on our servers that are disconnected for 10 minutes.

 

Isn't there a way to keep the container running as a service, while there is no user session active on the server?

@leoschroer not much options here:

 

JanBakker330_0-1608568599701.png

 

 

I would suggest that you add this system to your Tier 1 servers, and not applying any GPO that logs off users from disconnected sessions. It's best to use a dedicated server, with least privileged access, and well-documented procedures. 

www.000webhost.com