Overview
I always prefer using Docker Compose instead of bare docker commands, since compose files are self-documenting. That is why it drives me crazy when someone (especially a large company) only gives documentation as docker commands. Microsoft does this when you deploy an on-prem log collector for Defender for Cloud Apps. Here is how to use a docker compose file instead.
Process
During setup, Microsoft will give you a command to run like this:
(echo $TOKEN) | docker run --name $COLLECTOR_NAME$ -p 514:514/udp -p 21:21 -p 20000-20099:20000-20099 -e "PUBLICIP='192.168.x.x'" -e "PROXY=" -e "SYSLOG=true" -e "CONSOLE=XXXX.us3.portal.cloudappsecurity.com" -e "COLLECTOR=COLLECTOR_NAME" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i mcr.microsoft.com/mcas/logcollector starter
The same command, expressed as a compose file (indentation matters in YAML):
services:
  COLLECTOR_NAME:
    image: mcr.microsoft.com/mcas/logcollector
    container_name: COLLECTOR_NAME
    environment:
      - PUBLICIP=192.168.x.x
      - PROXY=
      - SYSLOG=true
      - CONSOLE=XXXX.us3.portal.cloudappsecurity.com
      - COLLECTOR=COLLECTOR_NAME
    ports:
      - "514:514/udp"
      - "21:21"
      - "20000-20099:20000-20099"
    stdin_open: true
    tty: true
    restart: unless-stopped
    security_opt:
      - apparmor:unconfined
    cap_add:
      - SYS_ADMIN
    # Replace $TOKEN$ with the token shown in the portal during setup
    command: /bin/sh -c 'echo "$TOKEN$" | starter'
The secret sauce is the command line at the bottom of the file: the collector is linked to your tenant by a token that the starter reads from stdin, and the echo pipe inside the container reproduces what the original command did by piping the token into docker run.
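As an added example (not from the original post), here is a variant of the same compose file that keeps the tenant token out of the compose file itself: the token lives in a local file that Compose exposes to the container as a secret, so it never sits in the command line of the YAML or in the container's environment. The service name mcas-collector and the file name mcas_token.txt are assumptions; the image, ports, environment variables, capabilities and starter command are the ones the post uses.

```yaml
# Added example: the same collector as above, but the token is read from
# ./mcas_token.txt (assumed name; one line, the token shown during setup)
# mounted into the container as a Compose secret.
services:
  mcas-collector:                        # assumed service name
    image: mcr.microsoft.com/mcas/logcollector
    container_name: mcas-collector
    environment:
      - PUBLICIP=192.168.x.x
      - PROXY=
      - SYSLOG=true
      - CONSOLE=XXXX.us3.portal.cloudappsecurity.com
      - COLLECTOR=mcas-collector
    ports:
      - "514:514/udp"                    # syslog input
      - "21:21"                          # FTP input
      - "20000-20099:20000-20099"        # FTP passive data ports
    restart: unless-stopped
    # Microsoft's run command requires both relaxations. CAP_SYS_ADMIN is a
    # very broad capability, so treat the host as part of the trust boundary.
    security_opt:
      - apparmor:unconfined
    cap_add:
      - SYS_ADMIN
    secrets:
      - mcas_token
    # Compose mounts the secret read-only at /run/secrets/<name>. Piping it
    # into starter replaces the echo of a token pasted into this file, and
    # stdin_open/tty are no longer needed because nothing is read from stdin.
    command: /bin/sh -c 'cat /run/secrets/mcas_token | starter'

secrets:
  mcas_token:
    file: ./mcas_token.txt               # chmod 600; keep out of version control
```

Create ./mcas_token.txt containing only the token, then run docker compose up -d; docker compose config and docker inspect show the secret's path, not its contents.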