This functionality is in beta and is subject to change. The design and code is considered to be less mature than official GA features. Elastic will take a best effort approach to fix any issues, but beta features are not subject to the support SLA of official GA features.
add_docker_metadata processor annotates each event with relevant metadata
from Docker containers:
- Container ID
processors: - add_docker_metadata: host: "unix:///var/run/docker.sock" #match_fields: ["system.process.cgroup.id"] #match_pids: ["process.pid", "process.ppid"] #match_source: true #match_source_index: 4 #match_short_id: true #cleanup_timeout: 60 # To connect to Docker over TLS you must specify a client and CA certificate. #ssl: # certificate_authority: "/etc/pki/root/ca.pem" # certificate: "/etc/pki/client/cert.pem" # key: "/etc/pki/client/cert.key"
It has the following settings:
(Optional) Docker socket (UNIX or TCP socket). It uses
- (Optional) SSL configuration to use when connecting to the Docker socket.
- (Optional) A list of fields to match a container ID, at least one of them should hold a container ID to get the event enriched.
(Optional) A list of fields that contain process IDs. If the
process is running in Docker then the event will be enriched. The default value
(Optional) Match container ID from a log path present in the
sourcefield. Enabled by default.
(Optional) Match container short ID from a log path present
sourcefield. Disabled by default. This allows to match directories names that have the first 12 characters of the container ID. For example,
(Optional) Index in the source path split by
/to look for container ID. It defaults to 4 to match
- (Optional) Time of inactivity to consider we can clean and forget metadata for a container, 60s by default.