From aeb96b7f3ca8c230b87c68f58e4ce1872ade13a9 Mon Sep 17 00:00:00 2001
From: George Tsigourakos
Date: Tue, 5 Mar 2024 13:35:24 +0200
Subject: [PATCH] Use /var/log/containers/ dir for output
---
 Dockerfile | 3 +++
 cfg/cs.falconhoseclient.cfg.template | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b6c26aa..729e61e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,11 +20,14 @@ RUN apt-get update && apt-get install -y gettext-base curl
 COPY deb/crowdstrike-cs-falconhoseclient_2.18.0_amd64.deb "${WORKDIR}/crowdstrike.deb"
 RUN dpkg -i "${WORKDIR}/crowdstrike.deb"
+RUN mkdir -p /var/log/containers
+
 # Prepare a simple user instead of root
 RUN groupadd -g 1000 user && useradd -r -u 1000 -g user user
 RUN chown -R user:user /var/log/crowdstrike/falconhoseclient
 RUN chmod -R 755 /var/log/crowdstrike/falconhoseclient
 RUN chown -R user:user /opt/crowdstrike/etc
+RUN chown -R user:user /var/log/containers
 WORKDIR "${WORKDIR}"
diff --git a/cfg/cs.falconhoseclient.cfg.template b/cfg/cs.falconhoseclient.cfg.template
index c186136..01d0caa 100644
--- a/cfg/cs.falconhoseclient.cfg.template
+++ b/cfg/cs.falconhoseclient.cfg.template
@@ -32,7 +32,7 @@ output_format = json
 # Will be true regardless if Syslog is not enabled
 # If path does not exist or user has no permission, log file will be used
 output_to_file = true
-output_path = /proc/self/fd/1
+output_path = /var/log/containers/falcon_output.log
 # Offset file full filepath and filename
 offset_path = /var/log/crowdstrike/falconhoseclient/stream_offsets
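Review bot: The new `RUN chown -R user:user /var/log/containers` only sets ownership inside the image layer; if `/var/log/containers` is mounted as a volume or hostPath at runtime (plausible, since that path is the one container runtimes conventionally use for per-container log files on a node), the mount masks the build-time ownership and uid 1000 may not be able to write the file that cfg/cs.falconhoseclient.cfg.template now points at, in which case the template's own comment says the client silently falls back to its log file. A comment next to the mkdir should state that expectation, e.g. `# Output dir for falcon_output.log (see cfg template); a runtime mount here must be writable by uid 1000`. As a matter of style the two added RUN lines can be one layer placed after the useradd that also sets an explicit mode instead of inheriting the build umask: `RUN install -d -o user -g user -m 0750 /var/log/containers`, dropping the earlier `RUN mkdir -p /var/log/containers` and the trailing `chown -R` (the `-R` does nothing on an empty directory).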
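Review bot: Changing `output_path` from `/proc/self/fd/1` to `/var/log/containers/falcon_output.log` moves the event stream off container stdout, so any collector that consumed Falcon events through the container runtime's log capture stops receiving them, and the new file has no rotation in this repository, so the stream grows it without bound unless something outside the image truncates or rotates it. The comment two lines above also states that a missing or unwritable path makes the client fall back to its own log file, so a wrong mount or ownership at runtime would divert the telemetry silently rather than fail at startup. A comment on the new line would make the contract visible to the next operator, e.g. `# Events go here instead of stdout; expected to be a mounted, rotated log directory writable by the service user`.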