Docker provider
Provides inventory information from Docker. Elastic Agent uses the Docker provider to automatically discover containers and build input configurations. It is also responsible for enriching events with container metadata through the add_docker_metadata processor, which it applies by default to all inputs it generates.
```yaml
providers.docker:
  host: "unix:///var/run/docker.sock"  # default; change for TCP or non-standard socket paths
  cleanup_timeout: 60s
  ssl:
    certificate_authority: "/etc/pki/root/ca.pem"
    certificate: "/etc/pki/client/cert.pem"
    key: "/etc/pki/client/cert.key"
```
- host: (Optional) Docker socket (UNIX or TCP socket). Defaults to unix:///var/run/docker.sock.
- ssl: (Optional) SSL configuration for connecting to Docker over TLS. For available settings, refer to SSL/TLS.
- cleanup_timeout: (Optional) Time of inactivity before container metadata is cleaned up. Defaults to 60s.
The available dynamic variables are:
| Key | Type | Description |
|---|---|---|
| docker.container.id | string | ID of the container |
| docker.container.name | string | Name of the container |
| docker.container.image.name | string | Image of the container |
| docker.container.labels | object | Labels of the container |
Label keys are available as variables using their original names, including dots. For example, for a container with the label com.docker.compose.service=redis, you can reference it as ${docker.container.labels.com.docker.compose.service}.
However, when the Docker provider enriches events using the add_docker_metadata processor, dots in label keys are replaced with underscores by default (labels.dedot: true). This means that in the resulting Elasticsearch document, the same label is stored as container.labels.com_docker_compose_service.
| Context | Label key format |
|---|---|
| Variable reference in the configuration template (${...}) | Dots preserved — docker.container.labels.com.docker.compose.service |
| Field in the event/Elasticsearch document | Dots replaced by _ — container.labels.com_docker_compose_service |
For more details on the label behavior, refer to Working with labels in the add_docker_metadata processor documentation.
To set the container ID dynamically in the configuration, use a variable in the Elastic Agent policy to return container ID information from the provider:
```yaml
inputs:
  - id: 'docker-container-logs-${docker.container.id}'
    type: filestream
    paths:
      - '/var/lib/docker/containers/${docker.container.id}/*-json.log'
```
The policy generated by this configuration will look like:
```yaml
inputs:
  # One input is generated per discovered container.
  - id: docker-container-logs-b9b898d9c2a1126384d38e9f857b3985480cd05c8e74ffc8b628d92245f5a103
    type: filestream
    streams:
      paths:
        - /var/lib/docker/containers/b9b898d9c2a1126384d38e9f857b3985480cd05c8e74ffc8b628d92245f5a103/*-json.log
    processors:
      # Container metadata added by the provider.
      - add_fields:
          fields:
            id: b9b898d9c2a1126384d38e9f857b3985480cd05c8e74ffc8b628d92245f5a103
            image: image-name:latest
            labels:
              key: value
            name: container-name
          target: container
  - id: docker-container-logs-596bbd114498253985e6a5c4f0f7bf2d9eb8fcd4fe3e6cb53bdfba0cdc7036c8
    type: filestream
    streams:
      paths:
        - /var/lib/docker/containers/596bbd114498253985e6a5c4f0f7bf2d9eb8fcd4fe3e6cb53bdfba0cdc7036c8/*-json.log
    processors:
      - add_fields:
          fields:
            id: 596bbd114498253985e6a5c4f0f7bf2d9eb8fcd4fe3e6cb53bdfba0cdc7036c8
            image: other-image-name:latest
            labels:
              key: value
            name: other-container-name
          target: container
```
The Docker provider ensures that each Docker container event is enriched with the container's metadata, so each generated input includes an add_fields processor that adds the metadata of the corresponding container.
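The per-container template expansion and the two label key formats described above, as an added Python sketch (not Elastic Agent's code and not part of the original page). The container inventory is constructed, the function names are hypothetical, and treating an unresolved reference as "no input generated" is an assumption of the sketch.

```python
import re

# Constructed sample inventory, shaped like the provider's dynamic variables.
CONTAINERS = [
    {"id": "a" * 64, "name": "redis-1", "image": {"name": "redis:7"},
     "labels": {"com.docker.compose.service": "redis",
                "com_docker_compose_service": "shadow"}},
    {"id": "b" * 64, "name": "web-1", "image": {"name": "nginx:1.27"},
     "labels": {}},
]

VAR = re.compile(r"\$\{docker\.container\.([^}]+)\}")


def lookup(container, path):
    """Resolve a path below docker.container; label keys keep their dots."""
    if path.startswith("labels."):
        return container["labels"].get(path[len("labels."):])
    node = container
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node if isinstance(node, str) else None


def render(template, container):
    """Expand every reference; None if one is unresolved (assumed: no input)."""
    values = [lookup(container, p) for p in VAR.findall(template)]
    if None in values:
        return None
    return VAR.sub(lambda m: lookup(container, m.group(1)), template)


def dedot(key):
    """Event field name for a label key with labels.dedot: true."""
    return "container.labels." + key.replace(".", "_")


def dedot_collisions(labels):
    """Groups of label keys that end up in the same event field name."""
    fields = {}
    for key in labels:
        fields.setdefault(dedot(key), []).append(key)
    return {f: sorted(ks) for f, ks in fields.items() if len(ks) > 1}


if __name__ == "__main__":
    tpl = "/var/lib/docker/containers/${docker.container.id}/*-json.log"
    for c in CONTAINERS:
        print(render(tpl, c), dedot_collisions(c["labels"]))
```

The collision check matters when labels drive filtering or alerting: two distinct label keys that differ only in dots versus underscores map to the same field name once dots are replaced.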