Add Docker metadataedit

Warning

This functionality is in beta and is subject to change. The design and code is considered to be less mature than official GA features. Elastic will take a best effort approach to fix any issues, but beta features are not subject to the support SLA of official GA features.

The add_docker_metadata processor annotates each event with relevant metadata from Docker containers:

  • Container ID
  • Name
  • Image
  • Labels
processors:
- add_docker_metadata:
    host: "unix:///var/run/docker.sock"
    #match_fields: ["system.process.cgroup.id"]
    #match_pids: ["process.pid", "process.ppid"]
    #match_source: true
    #match_source_index: 4
    #match_short_id: true
    #cleanup_timeout: 60
    # To connect to Docker over TLS you must specify a client and CA certificate.
    #ssl:
    #  certificate_authority: "/etc/pki/root/ca.pem"
    #  certificate:           "/etc/pki/client/cert.pem"
    #  key:                   "/etc/pki/client/cert.key"

It has the following settings:

host
(Optional) Docker socket (UNIX or TCP socket). It uses unix:///var/run/docker.sock by default.
ssl
(Optional) SSL configuration to use when connecting to the Docker socket.
match_fields
(Optional) A list of fields to match a container ID, at least one of them should hold a container ID to get the event enriched.
match_pids
(Optional) A list of fields that contain process IDs. If the process is running in Docker then the event will be enriched. The default value is ["process.pid", "process.ppid"].
match_source
(Optional) Match container ID from a log path present in the source field. Enabled by default.
match_short_id
(Optional) Match container short ID from a log path present in the source field. Disabled by default. This allows to match directories names that have the first 12 characters of the container ID. For example, /var/log/containers/b7e3460e2b21/*.log.
match_source_index
(Optional) Index in the source path split by / to look for container ID. It defaults to 4 to match /var/lib/docker/containers/<container_id>/*.log
cleanup_timeout
(Optional) Time of inactivity to consider we can clean and forget metadata for a container, 60s by default.