Add Docker metadata

This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

The add_docker_metadata processor annotates each event with relevant metadata from Docker containers:

  • Container ID
  • Name
  • Image
  • Labels

processors:
- add_docker_metadata:
    host: "unix:///var/run/docker.sock"
    #match_fields: ["system.process.cgroup.id"]
    #match_pids: ["process.pid", "process.ppid"]
    #match_source: true
    #match_source_index: 4
    #cleanup_timeout: 60
    # To connect to Docker over TLS you must specify a client and CA certificate.
    #ssl:
    #  certificate_authority: "/etc/pki/root/ca.pem"
    #  certificate:           "/etc/pki/client/cert.pem"
    #  key:                   "/etc/pki/client/cert.key"

It has the following settings:

host
(Optional) Docker socket (UNIX or TCP socket). It uses unix:///var/run/docker.sock by default.
ssl
(Optional) SSL configuration to use when connecting to the Docker socket.
match_fields
(Optional) A list of fields to match against a container ID. At least one of them should hold a container ID for the event to be enriched.
match_pids
(Optional) A list of fields that contain process IDs. If the process is running in Docker then the event will be enriched. The default value is ["process.pid", "process.ppid"].
match_source
(Optional) Match container ID from a log path present in the source field. Enabled by default.
match_source_index
(Optional) Index in the source path, split by /, at which to look for the container ID. It defaults to 4, which matches /var/lib/docker/containers/<container_id>/*.log
cleanup_timeout
(Optional) Period of inactivity after which metadata for a container is cleaned up and forgotten. The default is 60s.
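
How match_source_index picks the container ID out of a log path, as an added Go example (not code from Beats or from this page). It assumes empty path segments are not counted, which is what the documented default of 4 implies, and it adds its own check that the selected segment is a 64-character hex ID. The /data/docker path is a constructed sample of a relocated Docker data root, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Full Docker container IDs are 64 lowercase hex characters (check added by this example).
var containerIDRe = regexp.MustCompile(`^[0-9a-f]{64}$`)

// segments splits a path on "/" and drops empty parts (assumption: index 4 then
// lands on <container_id> in /var/lib/docker/containers/<container_id>/*.log).
func segments(source string) []string {
	return strings.FieldsFunc(source, func(r rune) bool { return r == '/' })
}

// containerIDAt returns the segment at index only if it looks like a container ID.
func containerIDAt(source string, index int) (string, bool) {
	parts := segments(source)
	if index < 0 || index >= len(parts) || !containerIDRe.MatchString(parts[index]) {
		return "", false
	}
	return parts[index], true
}

// suggestIndex returns the match_source_index value that fits this path, or -1.
func suggestIndex(source string) int {
	for i, p := range segments(source) {
		if containerIDRe.MatchString(p) {
			return i
		}
	}
	return -1
}

func main() {
	id := strings.Repeat("ab12", 16) // constructed 64-hex sample ID
	tail := "/containers/" + id + "/" + id + "-json.log"
	// The first path uses the default layout; the second data root is constructed.
	for _, src := range []string{"/var/lib/docker" + tail, "/data/docker" + tail} {
		_, ok := containerIDAt(src, 4)
		fmt.Printf("%s\n  index 4 matches: %v, suggested index: %d\n", src, ok, suggestIndex(src))
	}
}
```

With the relocated path, index 4 falls on the log file name rather than the container directory, so the setting has to be lowered to 3 for those events to be enriched from the source path.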