Docker events record all interactive events of containers, images, plug-ins, networks, volumes, and other objects. This topic describes how to configure Logtail in the Log Service console to collect Docker events.
Prerequisites
Limits
- Logtail that runs on containers or hosts must be granted access to the
/var/run/docker.sock
file.For more information about how to use Logtail to collect Kubernetes logs, see Collect Kubernetes logs. For more information about how to collect standard container logs, see Collect logs from standard Docker containers.
- When Logtail is restarted or stopped, container events are not collected.
Scenarios
- Monitor the start and stop events of all containers, and trigger alerts when core containers stop running.
- Collect all container events for auditing, security analysis, and troubleshooting.
- Monitor all image pulling events, and trigger an alert if an image is pulled from an invalid path.
Procedure
What to do next
After Logtail collects Docker events and uploads the events to Log Service, you can view the events in the Log Service console. The following examples show multiple event log entries.
- Example 1: image pulling event
__source__: 10.10.10.10 __tag__:__hostname__: logtail-ds-77brr __topic__: _action_: pull _id_: registry.cn-hangzhou.aliyuncs.com/ringtail/eventer:v1.6.1.3 _time_nano_: 1547910184047414271 _type_: image name: registry.cn-hangzhou.aliyuncs.com/ringtail/eventer
- Example 2: container destruction event in Kubernetes
__source__: 10.10.10.10 __tag__:__hostname__: logtail-ds-xnvz2 __topic__: _action_: destroy _id_: af61340b0ac19e6f5f32be672d81a33fc4d3d247bf7dbd4d3b2c030b8bec4a03 _time_nano_: 1547968139380572119 _type_: container annotation.kubernetes.io/config.seen: 2019-01-20T15:03:03.114145184+08:00 annotation.kubernetes.io/config.source: api annotation.scheduler.alpha.kubernetes.io/critical-pod: controller-revision-hash: 2630731929 image: registry-vpc.cn-hangzhou.aliyuncs.com/acs/pause-amd64:3.0 io.kubernetes.container.name: POD io.kubernetes.docker.type: podsandbox io.kubernetes.pod.name: logtail-ds-44jbg io.kubernetes.pod.namespace: kube-system io.kubernetes.pod.uid: 6ddcf598-1c81-11e9-9ddf-00163e0c7cbe k8s-app: logtail-ds kubernetes.io/cluster-service: true name: k8s_POD_logtail-ds-44jbg_kube-system_6ddcf598-1c81-11e9-9ddf-00163e0c7cbe_0 pod-template-generation: 9 version: v1.0
The following table describes the common log fields of Docker events. For more information, visit Docker events.
Field | Description |
---|---|
_type_ | The type of the resource, such as container and image. |
_action_ | The type of the action, such as destroy and health status. |
_id_ | The unique ID of the event. |
_time_nano_ | The event timestamp in nanoseconds. |