This functionality is in beta and is subject to change. The design and code are considered to be less mature than official GA features. Elastic will take a best effort approach to fix any issues, but beta features are not subject to the support SLA of official GA features.
The `add_docker_metadata` processor annotates each event with relevant metadata
from Docker containers:
- Container ID
```yaml
processors:
- add_docker_metadata:
    host: "unix:///var/run/docker.sock"
    #match_fields: ["system.process.cgroup.id"]
    #match_pids: ["process.pid", "process.ppid"]
    #match_source: true
    #match_source_index: 4
    #cleanup_timeout: 60
    # To connect to Docker over TLS you must specify a client and CA certificate.
    #ssl:
    #  certificate_authority: "/etc/pki/root/ca.pem"
    #  certificate:           "/etc/pki/client/cert.pem"
    #  key:                   "/etc/pki/client/cert.key"
```
It has the following settings:
- `host`: (Optional) Docker socket (UNIX or TCP socket). It uses
- `ssl`: (Optional) SSL configuration to use when connecting to the Docker socket.
- `match_fields`: (Optional) A list of fields to match a container ID. At least one of them should hold a container ID for the event to be enriched.
- `match_pids`: (Optional) A list of fields that contain process IDs. If the process is running in Docker then the event will be enriched. The default value
- `match_source`: (Optional) Match container ID from a log path present in the `source` field. Enabled by default.
- `match_source_index`: (Optional) Index in the source path split by `/` to look for container ID. It defaults to 4 to match
- `cleanup_timeout`: (Optional) Time of inactivity after which the metadata for a container is cleaned up and forgotten; 60s by default.
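
The following Go sketch is an added illustration, not code from the Beats source. It shows how an index into the `/`-separated source path selects the container ID, and why a Docker data directory in a non-default location needs a different `match_source_index`. Assumptions: Docker's json-file log layout `/var/lib/docker/containers/<id>/<id>-json.log`, empty path segments dropped before indexing, and a 64-hex-character ID check; `containerIDFromSource` and the sample paths are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// containerIDFromSource splits a log path on "/" and returns the segment at
// index if it looks like a full Docker container ID (64 lowercase hex chars).
// Assumption: empty segments (such as the one before the leading "/") are
// dropped before indexing, so index 4 lands on <id> in
// /var/lib/docker/containers/<id>/<id>-json.log.
func containerIDFromSource(source string, index int) (string, bool) {
	var parts []string
	for _, p := range strings.Split(source, "/") {
		if p != "" {
			parts = append(parts, p)
		}
	}
	if index < 0 || index >= len(parts) {
		return "", false // path too short: event stays unenriched
	}
	id := parts[index]
	if len(id) != 64 {
		return "", false // e.g. landed on "<id>-json.log" or a directory name
	}
	for _, c := range id {
		if !strings.ContainsRune("0123456789abcdef", c) {
			return "", false
		}
	}
	return id, true
}

// Constructed sample values, not taken from a real host.
var sampleID = strings.Repeat("3f9a", 16)
var defaultPath = "/var/lib/docker/containers/" + sampleID + "/" + sampleID + "-json.log"
var movedPath = "/data/docker/containers/" + sampleID + "/" + sampleID + "-json.log"

func main() {
	for _, tc := range []struct {
		path  string
		index int
	}{{defaultPath, 4}, {movedPath, 4}, {movedPath, 3}} {
		id, ok := containerIDFromSource(tc.path, tc.index)
		fmt.Printf("index=%d matched=%v id=%.12s path=%.30s...\n", tc.index, ok, id, tc.path)
	}
}
```

With the constructed paths, index 4 matches only the default layout; the relocated directory matches at index 3, which is the situation `match_source_index` is there to handle.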