Docker provider

Provides inventory information from Docker. Elastic Agent uses the Docker provider to automatically discover containers and build input configurations. For information on how container metadata is added to events, refer to add_docker_metadata processor.

Provider configuration

		providers.docker:
  host: "unix:///var/run/docker.sock"
  cleanup_timeout: 60s
  ssl:
    certificate_authority: "/etc/pki/root/ca.pem"
    certificate:           "/etc/pki/client/cert.pem"
    key:                   "/etc/pki/client/cert.key"
		
	

default; change for TCP or non-standard socket paths

host: (Optional) Docker socket (UNIX or TCP socket). Defaults to unix:///var/run/docker.sock.
ssl: (Optional) SSL configuration for connecting to Docker over TLS. For available settings, refer to SSL/TLS.
cleanup_timeout: (Optional) Time of inactivity before container metadata is cleaned up. Defaults to 60s.

Available variables

The available dynamic variables are:

Key	Type	Description
`docker.container.id`	`string`	ID of the container
`docker.container.name`	`string`	Name of the container
`docker.container.image.name`	`string`	Image of the container
`docker.container.labels`	`object`	Labels of the container

Working with labels

Label keys are available as variables using their original names, including dots. For example, for a container with the label com.docker.compose.service=redis, you can reference it as ${docker.container.labels.com.docker.compose.service}.

However, when the Docker provider enriches events, dots in label keys are replaced with underscores. This means that in the resulting Elasticsearch document, the same label is stored as container.labels.com_docker_compose_service.

To set the container ID dynamically in the configuration, use a variable in the Elastic Agent policy to return container ID information from the provider:

		inputs:
  - id: 'docker-container-logs-${docker.container.id}'
    type: filestream
    paths:
      - '/var/lib/docker/containers/${docker.container.id}/*-json.log'
		
	

Sample of the policy generated by this configuration will look like:

		inputs:
  - id: docker-container-logs-b9b898d9c2a1126384d38e9f857b3985480cd05c8e74ffc8b628d92245f5a103
    streams:
      paths:
      - /var/lib/docker/containers/b9b898d9c2a1126384d38e9f857b3985480cd05c8e74ffc8b628d92245f5a103/*-json.log
    processors:
    - add_fields:
        fields:
          id: b9b898d9c2a1126384d38e9f857b3985480cd05c8e74ffc8b628d92245f5a103
          image: image-name:latest
          labels:
            key: value
          name: container-name
        target: container
  - id: docker-container-596bbd114498253985e6a5c4f0f7bf2d9eb8fcd4fe3e6cb53bdfba0cdc7036c8
    type: filestream
    streams:
      paths:
      - /var/lib/docker/containers/596bbd114498253985e6a5c4f0f7bf2d9eb8fcd4fe3e6cb53bdfba0cdc7036c8/*-json.log
    processors:
    - add_fields:
        fields:
          id: 596bbd114498253985e6a5c4f0f7bf2d9eb8fcd4fe3e6cb53bdfba0cdc7036c8
          image: other-image-name:latest
          labels:
            key: value
          name: other-container-name
        target: container
		
	

Note

Docker provider ensures that each docker container event is enriched with the container’s metadata, and hence the inputs will be populated with the add_fields processor which will be responsible for adding the proper container’s metadata.