Enable/Disable Event Data
Sysdig Monitor supports event integrations with certain applications by default. The Sysdig agent will automatically discover these services and begin collecting event data from them.
The following applications are currently supported:
Docker
Kubernetes
Other methods of ingesting custom events into Sysdig Monitor are touched upon in Custom Events.
By default, only a limited set of events is collected for a supported application. These events are listed in the agent's default settings configuration file (/opt/draios/etc/dragent.default.yaml).
To enable collecting other supported events, add an events entry to dragent.yaml.
You can also change the log entry in dragent.yaml to filter events by severity.
Learn more about it in the following sections.
Supported Application Events
Events marked with * are enabled by default; see the dragent.default.yaml file.
Docker Events
The following Docker events are supported.
docker:
  container:
    - attach       # Container Attached (information)
    - commit       # Container Committed (information)
    - copy         # Container Copied (information)
    - create       # Container Created (information)
    - destroy      # Container Destroyed (warning)
    - die          # Container Died (warning)
    - exec_create  # Container Exec Created (information)
    - exec_start   # Container Exec Started (information)
    - export       # Container Exported (information)
    - kill         # Container Killed (warning)*
    - oom          # Container Out of Memory (warning)*
    - pause        # Container Paused (information)
    - rename       # Container Renamed (information)
    - resize       # Container Resized (information)
    - restart      # Container Restarted (warning)
    - start        # Container Started (information)
    - stop         # Container Stopped (information)
    - top          # Container Top (information)
    - unpause      # Container Unpaused (information)
    - update       # Container Updated (information)
  image:
    - delete       # Image Deleted (information)
    - import       # Image Imported (information)
    - pull         # Image Pulled (information)
    - push         # Image Pushed (information)
    - tag          # Image Tagged (information)
    - untag        # Image Untagged (information)
  volume:
    - create       # Volume Created (information)
    - mount        # Volume Mounted (information)
    - unmount      # Volume Unmounted (information)
    - destroy      # Volume Destroyed (information)
  network:
    - create       # Network Created (information)
    - connect      # Network Connected (information)
    - disconnect   # Network Disconnected (information)
    - destroy      # Network Destroyed (information)
Kubernetes Events
The following Kubernetes events are supported.
kubernetes:
  node:
    - TerminatedAllPods        # Terminated All Pods (information)
    - RegisteredNode           # Node Registered (information)*
    - RemovingNode             # Removing Node (information)*
    - DeletingNode             # Deleting Node (information)*
    - DeletingAllPods          # Deleting All Pods (information)
    - TerminatingEvictedPod    # Terminating Evicted Pod (information)*
    - NodeReady                # Node Ready (information)*
    - NodeNotReady             # Node not Ready (information)*
    - NodeSchedulable          # Node is Schedulable (information)*
    - NodeNotSchedulable       # Node is not Schedulable (information)*
    - CIDRNotAvailable         # CIDR not Available (information)*
    - CIDRAssignmentFailed     # CIDR Assignment Failed (information)*
    - Starting                 # Starting Kubelet (information)*
    - KubeletSetupFailed       # Kubelet Setup Failed (warning)*
    - FailedMount              # Volume Mount Failed (warning)*
    - NodeSelectorMismatching  # Node Selector Mismatch (warning)*
    - InsufficientFreeCPU      # Insufficient Free CPU (warning)*
    - InsufficientFreeMemory   # Insufficient Free Mem (warning)*
    - OutOfDisk                # Out of Disk (information)*
    - HostNetworkNotSupported  # Host Ntw not Supported (warning)*
    - NilShaper                # Undefined Shaper (warning)*
    - Rebooted                 # Node Rebooted (warning)*
    - NodeHasSufficientDisk    # Node Has Sufficient Disk (information)*
    - NodeOutOfDisk            # Node Out of Disk Space (information)*
    - InvalidDiskCapacity      # Invalid Disk Capacity (warning)*
    - FreeDiskSpaceFailed      # Free Disk Space Failed (warning)*
  pod:
    - Pulling                  # Pulling Container Image (information)
    - Pulled                   # Ctr Img Pulled (information)
    - Failed                   # Ctr Img Pull/Create/Start Fail (warning)*
    - InspectFailed            # Ctr Img Inspect Failed (warning)*
    - ErrImageNeverPull        # Ctr Img NeverPull Policy Violate (warning)*
    - BackOff                  # Back Off Ctr Start, Image Pull (warning)
    - Created                  # Container Created (information)
    - Started                  # Container Started (information)
    - Killing                  # Killing Container (information)*
    - Unhealthy                # Container Unhealthy (warning)
    - FailedSync               # Pod Sync Failed (warning)
    - FailedValidation         # Failed Pod Config Validation (warning)
    - OutOfDisk                # Out of Disk (information)*
    - HostPortConflict         # Host/Port Conflict (warning)*
  replicationController:
    - SuccessfulCreate         # Pod Created (information)*
    - FailedCreate             # Pod Create Failed (warning)*
    - SuccessfulDelete         # Pod Deleted (information)*
    - FailedDelete             # Pod Delete Failed (warning)*
Enable/Disable Events Collection with events Parameter
To customize the default events collected for a specific application (by either enabling or disabling events), add an events entry to dragent.yaml as described in the examples below.
An entry in a section in dragent.yaml overrides the entire section in the default configuration.
For example, the Pulling entry below will permit only Kubernetes pod Pulling events to be collected, and all other Kubernetes pod event settings in dragent.default.yaml will be ignored.
However, the other Kubernetes sections (node and replicationController) remain intact and will be used as specified in dragent.default.yaml.
Example 1: Collect Only Certain Events
Collect only ‘Pulling’ events from Kubernetes for pods:
events:
  kubernetes:
    pod:
      - Pulling
Example 2: Disable All Events in a Section
To disable all events in a section, set the event section to none:
events:
  kubernetes: none
  docker: none
Example 3: Combine Methods
These methods can be combined. For example, disable all Kubernetes node and Docker image events and limit Docker container events to [attach, commit, copy] (component events in other sections will be collected as specified by default):
events:
  kubernetes:
    node: none
  docker:
    image: none
    container:
      - attach
      - commit
      - copy
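Because an overridden section replaces the default section whole, an override can silently stop collecting events that were on by default. The following Python is an added example, not Sysdig code: it models the default-enabled events from the entries marked * on this page (kubernetes node omitted), and the names DEFAULTS, OVERRIDE, effective_events and dropped_defaults are hypothetical.

```python
# Default-enabled events, transcribed from the entries marked * on this page
# (excerpt: kubernetes node omitted). A model of dragent.default.yaml, not a copy.
DEFAULTS = {
    "docker": {"container": ["kill", "oom"], "image": [], "volume": [], "network": []},
    "kubernetes": {
        "pod": ["Failed", "InspectFailed", "ErrImageNeverPull", "Killing",
                "OutOfDisk", "HostPortConflict"],
        "replicationController": ["SuccessfulCreate", "FailedCreate",
                                  "SuccessfulDelete", "FailedDelete"],
    },
}

def effective_events(defaults, override):
    """Apply the page's rule: an overridden section replaces the default section."""
    result = {}
    for app, sections in defaults.items():
        app_override = override.get(app, {})
        if app_override == "none":                # e.g. `docker: none`
            result[app] = {name: [] for name in sections}
            continue
        merged = {**sections, **app_override}     # section-level replace, no list merge
        result[app] = {n: ([] if v == "none" else list(v)) for n, v in merged.items()}
    return result

def dropped_defaults(defaults, override):
    """Default-enabled events that the override stops collecting."""
    eff = effective_events(defaults, override)
    return sorted(
        f"{app}.{name}.{event}"
        for app, sections in defaults.items()
        for name, events in sections.items()
        for event in events
        if event not in eff[app][name]
    )

# Constructed override, as parsed from a dragent.yaml `events` entry: exec events
# are enabled for audit visibility, but the defaults kill and oom are not re-listed.
OVERRIDE = {"docker": {"container": ["exec_create", "exec_start"]}}

if __name__ == "__main__":
    print(effective_events(DEFAULTS, OVERRIDE)["docker"]["container"])
    print(dropped_defaults(DEFAULTS, OVERRIDE))
```

To keep the defaults while adding events, list both in the overriding section, for example kill and oom alongside exec_create and exec_start.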
Note: Format Sequences as List or Single Line
In addition to bulleted lists, sequences can also be specified in a bracketed single line, e.g.:
events:
  kubernetes:
    pod: [Pulling, Pulled, Failed]
So, the following two settings are equivalent, permitting only Pulling, Pulled, Failed events for pods to be emitted:
events:
  kubernetes:
    pod: [Pulling, Pulled, Failed]

events:
  kubernetes:
    pod:
      - Pulling
      - Pulled
      - Failed
Change Event Collection by Severity with log Parameter
Events are limited globally at the agent level based on severity, using the log settings in dragent.yaml.
The default setting for the events severity filter is information (only warning and higher severity events are transmitted).
Valid severity levels are: none, emergency, alert, critical, error, warning, notice, information, debug.
Example 1: Block Low-Severity Messages
Block all low-severity messages (notice, information, debug):
log:
  event_priority: warning
Example 2: Block All Event Collection
Block all event collection:
log:
  event_priority: none
For other uses of the log settings, see Optional: Change the Agent Log Level.