
What does the Container Audit & Logs mean

  • The screen displays the Alert Summary and the logs generated by the VAE core.

  • After a model is trained for a container, the container is monitored and the VAE calculates the reconstruction error for that model.

  • Reconstruction error: in the testing phase, anomaly detection compares the container's current behavior with the trained model and calculates a mean squared error, called the reconstruction error.

  • Since the behavior of the container cannot be exactly the same as it was during the training period, a baseline threshold of 10 is used to filter out false positives. If the reconstruction error rises above 10, the behavior is considered anomalous and an alert log is sent out. The alert log consists of the value of the reconstruction error along with a summary of the container at that timestamp. The summary includes:

      • General information (container name, node, cluster, container_id, container status, command issued at the given timestamp)

      • Container resource information (CPU, memory, block read/write, process count)

      • Process activities (forked, executed, and killed process counts)

      • File activities (opened, deleted, created, etc. file counts)

      • Network activities (inbound/outbound connections, port counts, etc.)

  • On the left side of the Container Audit & Logs screen is an alert summary for each container, consisting of the container name, alert counts, and severities.

  • Select any container in the alert summary to open the detailed forensic view for that container.

  • The Container Audit & Logs screen visualises the reconstruction error over time in a graph, so the user can see at a glance whether the container has been in an anomalous state for a long period.

  • Along with the reconstruction error, other information about the container is also sent out, such as the container name, container ID, timestamp, and commands.
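The following is an added example, not the product's own code, showing the mechanics the bullets above describe: a container behaviour snapshot is compared with what the trained model expects, the mean squared error becomes the reconstruction error, an error above the threshold of 10 produces an alert log carrying the general information and activity summary, and a run of consecutive above-threshold errors is the "anomalous for a long period" condition the graph makes visible. The feature layout, the `reconstruct` stand-in for the trained model, the `Snapshot` structure and every sample value are constructed assumptions for illustration.

```python
"""Added example, not the product's own code: how a detector can turn a
container behaviour snapshot into a reconstruction error and, above the
threshold, an alert log. The feature layout, the stand-in for the trained
model and every sample value are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Threshold described on the page: a reconstruction error above 10 is anomalous.
RECONSTRUCTION_ERROR_THRESHOLD = 10.0

# Behavioural features, grouped the way the alert summary groups them
# (resources, process activity, file activity, network activity). Constructed.
FEATURES = [
    "cpu", "memory", "block_read", "block_write", "process_count",
    "procs_forked", "procs_executed", "procs_killed",
    "files_opened", "files_deleted", "files_created",
    "net_inbound", "net_outbound", "net_ports",
]


@dataclass
class Snapshot:
    """One observation of a container at a timestamp (constructed layout)."""
    timestamp: str
    container_name: str
    container_id: str
    node: str
    cluster: str
    status: str
    command: str
    features: Dict[str, float]


def reconstruct(baseline: Dict[str, float]) -> Dict[str, float]:
    """Stand-in for the trained model's decoder (assumption): a model trained on
    normal behaviour reproduces the learned profile, so it returns the baseline."""
    return {name: baseline[name] for name in FEATURES}


def reconstruction_error(observed: Dict[str, float],
                         reconstructed: Dict[str, float]) -> float:
    """Mean squared error between what the container did and what the model expects."""
    squared = [(observed[n] - reconstructed[n]) ** 2 for n in FEATURES]
    return sum(squared) / len(FEATURES)


def score_snapshot(snap: Snapshot, baseline: Dict[str, float]) -> Optional[dict]:
    """Return an alert log entry if the snapshot is anomalous, otherwise None."""
    err = reconstruction_error(snap.features, reconstruct(baseline))
    if err <= RECONSTRUCTION_ERROR_THRESHOLD:
        return None
    f = snap.features
    # The alert carries the error plus the general information and activity summary.
    return {
        "reconstruction_error": round(err, 3),
        "timestamp": snap.timestamp,
        "general": {"container_name": snap.container_name, "container_id": snap.container_id,
                    "node": snap.node, "cluster": snap.cluster,
                    "status": snap.status, "command": snap.command},
        "resources": {k: f[k] for k in ("cpu", "memory", "block_read", "block_write", "process_count")},
        "processes": {k: f[k] for k in ("procs_forked", "procs_executed", "procs_killed")},
        "files": {k: f[k] for k in ("files_opened", "files_deleted", "files_created")},
        "network": {k: f[k] for k in ("net_inbound", "net_outbound", "net_ports")},
    }


def longest_anomalous_run(errors: List[float]) -> int:
    """Longest stretch of consecutive above-threshold errors: the 'anomalous for
    a long period' condition an operator otherwise reads off the graph."""
    best = run = 0
    for err in errors:
        run = run + 1 if err > RECONSTRUCTION_ERROR_THRESHOLD else 0
        best = max(best, run)
    return best


# Constructed sample data: a learned baseline profile and two observations.
BASELINE = dict(zip(FEATURES, [5, 100, 10, 5, 3, 1, 1, 0, 20, 0, 2, 2, 1, 1]))


def _snap(ts: str, **overrides: float) -> Snapshot:
    feats = {**BASELINE, **overrides}
    return Snapshot(ts, "web-frontend", "c0ffee01", "node-1", "prod",
                    "running", "/usr/bin/nginx", feats)


# Small drift only: error stays well under the threshold (9/14, about 0.64).
NORMAL = _snap("2024-01-01T10:00:00Z", cpu=6, memory=102, files_opened=22)
# Burst of forked/executed processes and new outbound connections: error 29.5.
ANOMALOUS = _snap("2024-01-01T10:05:00Z", cpu=9, procs_forked=15,
                  procs_executed=12, net_outbound=9, net_ports=5)

if __name__ == "__main__":
    for snap in (NORMAL, ANOMALOUS):
        print(snap.timestamp, score_snapshot(snap, BASELINE))
    print("longest run:", longest_anomalous_run([1.2, 12.0, 29.5, 3.0, 11.0]))
```

The `reconstruct` stand-in simply returns the learned baseline; a real model's decoder produces a reconstruction from its latent representation of the input, and the error is computed against that output. Everything else, the mean squared error, the threshold comparison, the alert record layout and the run-length check, is the part an operator reading the Container Audit & Logs screen relies on.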
