WARNING: Version 6.2 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Add Docker metadata
This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
The `add_docker_metadata` processor annotates each event with relevant metadata from Docker containers:
- Container ID
- Name
- Image
- Labels
```yaml
processors:
- add_docker_metadata:
    host: "unix:///var/run/docker.sock"
    #match_fields: ["system.process.cgroup.id"]
    #match_pids: ["process.pid", "process.ppid"]
    #match_source: true
    #match_source_index: 4
    #cleanup_timeout: 60
    # To connect to Docker over TLS you must specify a client and CA certificate.
    #ssl:
    #  certificate_authority: "/etc/pki/root/ca.pem"
    #  certificate: "/etc/pki/client/cert.pem"
    #  key: "/etc/pki/client/cert.key"
```
It has the following settings:
- `host`: (Optional) Docker socket (UNIX or TCP socket). It uses `unix:///var/run/docker.sock` by default.
- `ssl`: (Optional) SSL configuration to use when connecting to the Docker socket.
- `match_fields`: (Optional) A list of fields to match a container ID. At least one of them should hold a container ID for the event to be enriched.
- `match_pids`: (Optional) A list of fields that contain process IDs. If the process is running in Docker, the event will be enriched. The default value is `["process.pid", "process.ppid"]`.
- `match_source`: (Optional) Match the container ID from a log path present in the `source` field. Enabled by default.
- `match_source_index`: (Optional) Index in the source path, split by `/`, at which to look for the container ID. It defaults to 4 to match `/var/lib/docker/containers/<container_id>/*.log`.
- `cleanup_timeout`: (Optional) Period of inactivity after which the metadata for a container is cleaned up and forgotten. 60s by default.
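How `match_source_index` lines up with a log path, as an added example (not Packetbeat's own code). It assumes that empty path segments are not counted, which is what makes the default of 4 select `<container_id>` in `/var/lib/docker/containers/<container_id>/*.log`; the function names, the sample container ID and the relocated `/data/docker` layout are constructed for illustration.

```python
import re

# Docker container IDs are 64 lowercase hex characters.
CONTAINER_ID = re.compile(r"[0-9a-f]{64}")


def segments(source):
    """Split a log path on '/' and drop empty segments.

    Assumption: the leading '/' does not produce a counted segment, which is
    what makes index 4 line up with the default Docker layout.
    """
    return [part for part in source.split("/") if part]


def container_id_at(source, index=4):
    """Return the segment at `index` if it looks like a container ID, else None.

    The shape check is an addition of this example, useful for catching a
    wrong index for a given log layout.
    """
    parts = segments(source)
    if not 0 <= index < len(parts):
        return None
    return parts[index] if CONTAINER_ID.fullmatch(parts[index]) else None


def find_source_index(source):
    """Return the match_source_index that selects the container ID, or None."""
    for index, part in enumerate(segments(source)):
        if CONTAINER_ID.fullmatch(part):
            return index
    return None


# Constructed sample values: a made-up container ID and two log layouts.
SAMPLE_ID = "3f4e9a1c" * 8
DEFAULT_PATH = f"/var/lib/docker/containers/{SAMPLE_ID}/{SAMPLE_ID}-json.log"
CUSTOM_PATH = f"/data/docker/containers/{SAMPLE_ID}/{SAMPLE_ID}-json.log"

if __name__ == "__main__":
    for path in (DEFAULT_PATH, CUSTOM_PATH, "/var/log/syslog"):
        print(path[:40], "| default index ->", container_id_at(path),
              "| index to configure ->", find_source_index(path))
```

With the relocated layout the default index lands on the log file name rather than the container ID, so `match_source_index` would need to be 3 for that layout.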