Docker events record all interaction events for containers, images, plug-ins, networks, volumes, and other objects. This topic describes how to configure Logtail in the Log Service console to collect Docker events.

Prerequisites

Logtail is installed on the server that you use to collect Docker events. For more information, see Install Logtail in Linux.
Note: Only Linux servers that run Logtail 0.16.18 or later are supported.

Limits

  • Logtail that runs on containers or hosts must be granted access to the /var/run/docker.sock file.

    For more information about how to use Logtail to collect Kubernetes logs, see Collect Kubernetes logs. For more information about how to collect standard container logs, see Collect logs from standard Docker containers.

  • Container events that occur while Logtail is restarting or stopped are not collected.

Scenarios

  • Monitor the start and stop events of all containers, and trigger alerts when core containers stop running.
  • Collect all container events for auditing, security analysis, and troubleshooting.
  • Monitor all image pulling events, and trigger an alert if an image is pulled from an invalid path.

Procedure

  1. Log on to the Log Service console.
  2. In the Import Data section, select Custom Data Plug-in.
  3. In the Specify Logstore step, select the target project and Logstore, and click Next.
    You can also click Create Now to create a project and a Logstore. For more information, see Step 1: Create a project and a Logstore.
  4. In the Create Machine Group step, create a machine group.
    • If a machine group is available, click Using Existing Machine Groups.
    • If no machine group is available, perform the following steps. The following steps take ECS instances as an example to describe how to create a machine group:
      1. Install Logtail on ECS instances. For more information, see Install Logtail on ECS instances.

        If Logtail is installed on the ECS instances, click Complete Installation.

        Note: If you want to collect logs from a user-created cluster, you must manually install Logtail on the servers in the cluster. For more information, see Install Logtail in Linux.
      2. After the installation is completed, click Complete Installation.
      3. On the page that appears, set relevant parameters for the machine group. For more information, see Create an IP address-based machine group or Create a custom ID-based machine group.
  5. In the Machine Group Settings step, apply the configurations to the machine group.
    Select the created machine group and move the group from Source Server Groups to Applied Server Groups.
  6. In the Specify Data Source step, set the Config Name and Plug-in Config parameters.
    • inputs: Required. The Logtail configurations for log collection.
      Note: You can configure only one type of data source in the inputs field.
    • processors: Optional. The Logtail configurations for data processing. You can configure one or more processing methods in the processors field. For more information, see Process data.
    {
      "inputs": [
        {
          "detail": {},
          "type": "service_docker_event"
        }
      ]
    }
    | Parameter | Type | Required | Description |
    | --- | --- | --- | --- |
    | type | String | Yes | The type of the data source. Set the value to service_docker_event. |
    | EventQueueSize | Int | No | The maximum number of events in the event queue. Default value: 10. |
  7. In the Configure Query and Analysis step, configure the indexes.
    Indexes are configured by default. You can re-configure the indexes based on your business requirements. For more information, see Enable and configure the index feature for a Logstore.
    Note:
    • You must configure Full Text Index or Field Search. If you configure both of them, the settings of Field Search are applied.
    • If the data type of an index is long or double, the Case Sensitive and Delimiter settings are unavailable.

What to do next

After Logtail collects Docker events and uploads the events to Log Service, you can view the events in the Log Service console. The following examples show multiple event log entries.

  • Example 1: image pulling event
    __source__:  10.10.10.10
    __tag__:__hostname__:  logtail-ds-77brr
    __topic__:  
    _action_:  pull
    _id_:  registry.cn-hangzhou.aliyuncs.com/ringtail/eventer:v1.6.1.3
    _time_nano_:  1547910184047414271
    _type_:  image
    name:  registry.cn-hangzhou.aliyuncs.com/ringtail/eventer
  • Example 2: container destruction event in Kubernetes
    __source__:  10.10.10.10
    __tag__:__hostname__:  logtail-ds-xnvz2
    __topic__:  
    _action_:  destroy
    _id_:  af61340b0ac19e6f5f32be672d81a33fc4d3d247bf7dbd4d3b2c030b8bec4a03
    _time_nano_:  1547968139380572119
    _type_:  container
    annotation.kubernetes.io/config.seen:  2019-01-20T15:03:03.114145184+08:00
    annotation.kubernetes.io/config.source:  api
    annotation.scheduler.alpha.kubernetes.io/critical-pod:  
    controller-revision-hash:  2630731929
    image:  registry-vpc.cn-hangzhou.aliyuncs.com/acs/pause-amd64:3.0
    io.kubernetes.container.name:  POD
    io.kubernetes.docker.type:  podsandbox
    io.kubernetes.pod.name:  logtail-ds-44jbg
    io.kubernetes.pod.namespace:  kube-system
    io.kubernetes.pod.uid:  6ddcf598-1c81-11e9-9ddf-00163e0c7cbe
    k8s-app:  logtail-ds
    kubernetes.io/cluster-service:  true
    name:  k8s_POD_logtail-ds-44jbg_kube-system_6ddcf598-1c81-11e9-9ddf-00163e0c7cbe_0
    pod-template-generation:  9
    version:  v1.0

The following table describes the common log fields of Docker events. For more information, visit Docker events.

| Field | Description |
| --- | --- |
| _type_ | The type of the resource, such as container and image. |
| _action_ | The type of the action, such as destroy and health status. |
| _id_ | The unique ID of the event. |
| _time_nano_ | The event timestamp in nanoseconds. |
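
The two alerting scenarios listed earlier (image pulled from an unexpected path, core container stopped) can be checked against the fields above. The following is an added example, not part of the original documentation or of Log Service; the allow-list, the core application names, and the sample entries are assumptions constructed for illustration.

```python
# Added example: evaluate collected Docker event entries against two alert rules.
# ALLOWED_REGISTRIES and CORE_APPS are assumed, site-specific values.
ALLOWED_REGISTRIES = {"registry.cn-hangzhou.aliyuncs.com",
                      "registry-vpc.cn-hangzhou.aliyuncs.com"}
CORE_APPS = {"logtail-ds"}                 # matched against the k8s-app label
STOP_ACTIONS = {"stop", "die", "destroy"}  # Docker container lifecycle actions

# Constructed entries, abbreviated from the console format shown above.
SAMPLE_ENTRIES = [
    "_action_:  pull\n_id_:  registry.cn-hangzhou.aliyuncs.com/ringtail/eventer:v1.6.1.3\n_type_:  image",
    "_action_:  pull\n_id_:  registry.example.com/team/app:1.0\n_type_:  image",
    "__topic__:\n_action_:  destroy\n_type_:  container\n"
    "k8s-app:  logtail-ds\nname:  k8s_POD_logtail-ds-44jbg",
]

def parse_entry(text):
    """Turn one 'key:  value' entry into a dict; empty values are kept as ''."""
    entry = {}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition(":  ")
        entry[key.rstrip(":")] = value.strip()
    return entry

def registry_of(image_ref):
    """Return the registry host of an image reference (Docker Hub if none)."""
    first, slash, _ = image_ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def evaluate(entry):
    """Return alert strings for one parsed event entry."""
    alerts = []
    kind, action = entry.get("_type_"), entry.get("_action_")
    if kind == "image" and action == "pull":
        registry = registry_of(entry.get("_id_", ""))
        if registry not in ALLOWED_REGISTRIES:
            alerts.append(f"image pulled from unapproved registry {registry}: {entry.get('_id_')}")
    if kind == "container" and action in STOP_ACTIONS and entry.get("k8s-app") in CORE_APPS:
        alerts.append(f"core container {entry.get('name')} {action}")
    return alerts

def scan(entries):
    """Parse and evaluate every entry, returning all alerts in order."""
    return [alert for text in entries for alert in evaluate(parse_entry(text))]

if __name__ == "__main__":
    for alert in scan(SAMPLE_ENTRIES):
        print(alert)
```

Image references without a registry host, such as nginx:latest, resolve to Docker Hub and are flagged unless docker.io is added to the allow-list.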