In the past, large-scale computing projects were limited to individuals and enterprises that owned large physical data centers with towering racks of computers. Now, distributed computing allows anyone with the resources to buy server space to run as many instances of their preferred computing environment as desired. Further efficiency improvements have been introduced in the form of application containers, which allow administrators to run applications without requiring the resources necessary to simulate an entire virtualized operating system for each virtualized application. Because containers may reduce the processing requirements of each application, greater numbers of applications may be run on the same host. Containers are often used for short-lived operations and may exist for as little as a few minutes. In this context it is difficult, if not impossible, to provide a fine-grained view of what happened at a given time in a given container.
Traditional forensic systems may analyze logs in order to provide clues as to which machine or service was the initial entry point of an attacker. Because traditional container systems may not log events or processes running in a container, if the attacker's initial entry point were a container or a process running in a container, then no detailed traces may be left behind to analyze. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for logging processes within containers.