Add Docker metadataedit

The add_docker_metadata processor annotates each event with relevant metadata from Docker containers:

  • Container ID
  • Name
  • Image
  • Labels
processors:
- add_docker_metadata:
    host: "unix:///var/run/docker.sock"
    match_fields: ["system.process.cgroup.id"]
    match_source: true
    match_source_index: 4

    # To connect to Docker over TLS you must specify a client and CA certificate.
    #ssl:
    #  certificate_authority: "/etc/pki/root/ca.pem"
    #  certificate:           "/etc/pki/client/cert.pem"
    #  key:                   "/etc/pki/client/cert.key"

It has the following settings:

host
(Optional) Docker socket (UNIX or TCP socket). It uses unix:///var/run/docker.sock by default.
match_fields
(Optional) A list of fields to match a container id, at least one of them should hold a container id to get the event enriched.
match_source
(Optional) Match container id from a log path present in source field. Enabled by default.
match_source_index
(Optional) Index in the source path split by / to look for container id. It defaults to 4 to match /var/lib/docker/containers/<container_id>/*.log