Monitoring Docker

Security

This page covers what Collectord runs as, what it touches on the host, and what you can lock down. If you’re walking through a security review, this is the short version of the answers.

Collectord

Image

Starting from version 5.2, we build our image from scratch - a 0-size base. The Collectord image ships only what’s required to run: the collectord binary, a set of root certificates, and a timezone database. The binary itself is statically compiled in Go with no dynamic runtime, so it can only do what we programmed it to do - there’s no shell, no package manager, no interpreter to pivot from.

Container configuration

To collect logs and metrics from the host, Collectord needs access to the host filesystem - that’s why the container requires privileged access. Collectord treats the host as read-only. The only thing it writes back is acknowledgement state in the form of a small database, which by default lives under /var/lib/collectorfordocker. If you configure a volume database, it goes in the volume root instead.

If you skip the volume database, you can mount the host filesystem read-only - but you’ll still need write access to Collectord’s primary database directory (the data folder).

Collectord also requires read-only access to the Docker API.

Internet access

The default license requires internet access so license clients can verify against our license server. If your environment doesn’t allow outbound traffic, we can issue a license that doesn’t require verification - reach out and we’ll set you up.

Collectord also forwards anonymous telemetry to our license server. You can turn that off in the configuration.

Connection to Splunk HTTP Event Collector

We recommend SSL for the connection to Splunk HEC - see the Splunk output guide for how to configure a secure SSL connection between Collectord and HEC.

FIPS 140 compliance

Available since Collectord version 26.04

For environments under FedRAMP, FIPS 140-3, or other federal/finance/healthcare compliance regimes, Collectord ships a FIPS-validated container image. The FIPS build is the same Collectord agent - it differs only in how cryptographic operations are routed: instead of Go’s standard crypto packages, the binary calls into the FIPS-validated module from Go’s crypto/fips140 (Go 1.24+).

Pulling the FIPS image

The FIPS images carry a -fips suffix on the tag, alongside the usual architecture suffix. Both amd64 and arm64 variants are published:

```bash
docker pull outcoldsolutions/collectorfordocker:26.04.3-fips-amd64
docker pull outcoldsolutions/collectorfordocker:26.04.3-fips-arm64
```

To run the FIPS image, change the image tag in your docker run command (or your compose file) from :26.04.3-amd64 to :26.04.3-fips-amd64 (or the arm64 equivalent). No other configuration changes are required.

FIPS-enabled vs FIPS-enforced

Collectord supports two FIPS modes, controlled by the standard Go runtime environment variable GODEBUG:

  • FIPS-enabled (default for the FIPS image) - the FIPS-validated module is loaded and used for cryptography, but the Go runtime will still fall back to non-FIPS algorithms if a caller explicitly requests one. Suitable for most compliance regimes.
  • FIPS-enforced - set GODEBUG=fips140=only on the container. Any code path that would use a non-FIPS algorithm panics instead of falling back. Required for the strictest compliance interpretations.

To run the agent FIPS-enforced, pass -e GODEBUG=fips140=only to docker run.

Verifying the mode is active

At startup, Collectord logs whether FIPS mode is enabled or enforced and which validated module version is in use:

```bash
docker logs <container> | grep -i fips
```

You should see a line like FIPS 140 mode enabled (v1.0.0) or FIPS 140 mode enforced (v1.0.0).

The collectord verify and collectord diag commands also report the FIPS state in their output - useful for support bundles and audit evidence:

```bash
docker exec <container> /collectord verify | grep -i fips
```
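For audit evidence it helps to turn the grep above into a check that fails when the agent is not running in the mode your compliance regime expects (the FIPS-enabled vs FIPS-enforced distinction from the previous section). The script below is an added example, not Collectord's own tooling: it parses the startup log line format shown on this page (`FIPS 140 mode enabled (v1.0.0)` / `FIPS 140 mode enforced (v1.0.0)`), reports the mode and validated module version, and exits non-zero when the mode is weaker than required. The `SAMPLE_LOGS` text and its timestamps are constructed for the example; in real use you would feed it `docker logs <container> 2>&1`.

```shell
#!/bin/sh
# Constructed sample of a Collectord startup log. Only the "FIPS 140 mode ..."
# line follows the format documented on this page; the other lines are made up.
SAMPLE_LOGS='2026-04-01T00:00:00Z INFO collectord starting
2026-04-01T00:00:00Z INFO FIPS 140 mode enforced (v1.0.0)
2026-04-01T00:00:00Z INFO docker api connected'

# fips_mode: read log text on stdin and print one of
#   enforced  - GODEBUG=fips140=only is in effect (no non-FIPS fallback)
#   enabled   - FIPS module loaded, fallback to non-FIPS algorithms still possible
#   off       - no FIPS line at all (for example the non-FIPS image)
fips_mode() {
  input=$(cat)
  if printf '%s\n' "$input" | grep -qi 'FIPS 140 mode enforced'; then
    echo enforced
  elif printf '%s\n' "$input" | grep -qi 'FIPS 140 mode enabled'; then
    echo enabled
  else
    echo off
  fi
}

# fips_module_version: print the validated module version "(vX.Y.Z)" from the
# first FIPS line on stdin, or nothing if there is no such line.
fips_module_version() {
  sed -n 's/.*FIPS 140 mode [a-z]* (\(v[0-9][0-9.]*\)).*/\1/p' | head -n 1
}

# require_fips_mode EXPECTED: return 0 when the log on stdin reports at least
# the expected mode. "enabled" is satisfied by enabled or enforced;
# "enforced" is satisfied only by enforced. Anything else (including "off") fails.
require_fips_mode() {
  expected=$1
  actual=$(fips_mode)
  case "$expected:$actual" in
    enabled:enabled|enabled:enforced|enforced:enforced) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone demonstration against the constructed sample.
printf 'mode: %s\n' "$(printf '%s\n' "$SAMPLE_LOGS" | fips_mode)"
printf 'module: %s\n' "$(printf '%s\n' "$SAMPLE_LOGS" | fips_module_version)"
if printf '%s\n' "$SAMPLE_LOGS" | require_fips_mode enforced; then
  echo 'check: FIPS enforced as required'
else
  echo 'check: FIPS mode weaker than required'
fi
```

Against a running container the same check is `docker logs <container> 2>&1 | require_fips_mode enforced`; the `2>&1` matters because `docker logs` replays the container's stderr on stderr, and the pipe only carries stdout. The `collectord verify` output can be piped through the same functions, since it reports the FIPS state in the same wording.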

What the FIPS image does not change

The FIPS image is about cryptographic algorithms only. It doesn’t alter Collectord’s host access, Docker API behavior, or feature set. Container labels, configuration files, and dashboards work identically. Performance is within a few percent of the non-FIPS build.

If you need an air-gapped license (no outbound to our license server) for a FIPS-restricted environment, reach out - we issue them on request.