Enable/Disable Event Data
Sysdig Monitor supports event integrations with certain applications by default. The Sysdig agent will automatically discover these services and begin collecting event data from them.
The following applications are currently supported:
Other methods of ingesting custom events into Sysdig Monitor are touched upon in Custom Events.
By default, only a limited set of events is collected for a supported
application; these are listed in the agent’s default settings
configuration file (dragent.default.yaml).
To enable collecting other supported events, add an
events entry to dragent.yaml.
You can also change the log entry in
dragent.yaml to filter events by severity.
Learn more about it in the following sections.
Supported Application Events
Events marked with
* are enabled by default; see the
The following Docker events are supported.
docker:
  container:
    - attach       # Container Attached (information)
    - commit       # Container Committed (information)
    - copy         # Container Copied (information)
    - create       # Container Created (information)
    - destroy      # Container Destroyed (warning)
    - die          # Container Died (warning)
    - exec_create  # Container Exec Created (information)
    - exec_start   # Container Exec Started (information)
    - export       # Container Exported (information)
    - kill         # Container Killed (warning)*
    - oom          # Container Out of Memory (warning)*
    - pause        # Container Paused (information)
    - rename       # Container Renamed (information)
    - resize       # Container Resized (information)
    - restart      # Container Restarted (warning)
    - start        # Container Started (information)
    - stop         # Container Stopped (information)
    - top          # Container Top (information)
    - unpause      # Container Unpaused (information)
    - update       # Container Updated (information)
  image:
    - delete       # Image Deleted (information)
    - import       # Image Imported (information)
    - pull         # Image Pulled (information)
    - push         # Image Pushed (information)
    - tag          # Image Tagged (information)
    - untag        # Image Untagged (information)
  volume:
    - create       # Volume Created (information)
    - mount        # Volume Mounted (information)
    - unmount      # Volume Unmounted (information)
    - destroy      # Volume Destroyed (information)
  network:
    - create       # Network Created (information)
    - connect      # Network Connected (information)
    - disconnect   # Network Disconnected (information)
    - destroy      # Network Destroyed (information)
The following Kubernetes events are supported.
kubernetes:
  node:
    - TerminatedAllPods        # Terminated All Pods (information)
    - RegisteredNode           # Node Registered (information)*
    - RemovingNode             # Removing Node (information)*
    - DeletingNode             # Deleting Node (information)*
    - DeletingAllPods          # Deleting All Pods (information)
    - TerminatingEvictedPod    # Terminating Evicted Pod (information)*
    - NodeReady                # Node Ready (information)*
    - NodeNotReady             # Node not Ready (information)*
    - NodeSchedulable          # Node is Schedulable (information)*
    - NodeNotSchedulable       # Node is not Schedulable (information)*
    - CIDRNotAvailable         # CIDR not Available (information)*
    - CIDRAssignmentFailed     # CIDR Assignment Failed (information)*
    - Starting                 # Starting Kubelet (information)*
    - KubeletSetupFailed       # Kubelet Setup Failed (warning)*
    - FailedMount              # Volume Mount Failed (warning)*
    - NodeSelectorMismatching  # Node Selector Mismatch (warning)*
    - InsufficientFreeCPU      # Insufficient Free CPU (warning)*
    - InsufficientFreeMemory   # Insufficient Free Mem (warning)*
    - OutOfDisk                # Out of Disk (information)*
    - HostNetworkNotSupported  # Host Ntw not Supported (warning)*
    - NilShaper                # Undefined Shaper (warning)*
    - Rebooted                 # Node Rebooted (warning)*
    - NodeHasSufficientDisk    # Node Has Sufficient Disk (information)*
    - NodeOutOfDisk            # Node Out of Disk Space (information)*
    - InvalidDiskCapacity      # Invalid Disk Capacity (warning)*
    - FreeDiskSpaceFailed      # Free Disk Space Failed (warning)*
  pod:
    - Pulling                  # Pulling Container Image (information)
    - Pulled                   # Ctr Img Pulled (information)
    - Failed                   # Ctr Img Pull/Create/Start Fail (warning)*
    - InspectFailed            # Ctr Img Inspect Failed (warning)*
    - ErrImageNeverPull        # Ctr Img NeverPull Policy Violate (warning)*
    - BackOff                  # Back Off Ctr Start, Image Pull (warning)
    - Created                  # Container Created (information)
    - Started                  # Container Started (information)
    - Killing                  # Killing Container (information)*
    - Unhealthy                # Container Unhealthy (warning)
    - FailedSync               # Pod Sync Failed (warning)
    - FailedValidation         # Failed Pod Config Validation (warning)
    - OutOfDisk                # Out of Disk (information)*
    - HostPortConflict         # Host/Port Conflict (warning)*
  replicationController:
    - SuccessfulCreate         # Pod Created (information)*
    - FailedCreate             # Pod Create Failed (warning)*
    - SuccessfulDelete         # Pod Deleted (information)*
    - FailedDelete             # Pod Delete Failed (warning)*
Enable/Disable Events Collection with events Parameter
To customize the default events collected for a specific application (by
either enabling or disabling events), add an
events entry to
dragent.yaml as described in the examples below.
An entry in a section in
dragent.yaml overrides the entire section
in the default configuration.
For example, the
Pulling entry below will permit only Kubernetes pod
Pulling events to be collected, and all other Kubernetes pod events in
dragent.default.yaml will be ignored.
However, the other Kubernetes sections (node and replicationController)
remain intact and will be used as specified in dragent.default.yaml.
Example 1: Collect Only Certain Events
Collect only ‘Pulling’ events from Kubernetes for pods:
events:
  kubernetes:
    pod:
      - Pulling
Example 2: Disable All Events in a Section
To disable all events in a section, set the event section to none:
events:
  kubernetes: none
  docker: none
Example 3: Combine Methods
These methods can be combined. For example, disable all Kubernetes node
and Docker image events and limit Docker container events to
[attach, commit, copy] (component events in other sections will be
collected as specified by default):
events:
  kubernetes:
    node: none
  docker:
    image: none
    container:
      - attach
      - commit
      - copy
Note: Format Sequences as List or Single Line
In addition to bulleted lists, sequences can also be specified in a bracketed single line, e.g.:
events:
  kubernetes:
    pod: [Pulling, Pulled, Failed]
So, the following two settings are equivalent, permitting only
Pulling, Pulled, Failed events for pods to be emitted:
events:
  kubernetes:
    pod: [Pulling, Pulled, Failed]

events:
  kubernetes:
    pod:
      - Pulling
      - Pulled
      - Failed
Change Event Collection by Severity with log Parameter
Events are limited globally at the agent level based on severity, using
the log settings in dragent.yaml.
The default setting for the events severity filter is
(only warning and higher severity events are transmitted).
Valid severity levels are:
none, emergency, alert, critical, error, warning, notice, information, debug.
Example 1: Block Low-Severity Messages
Block all low-severity messages (notice, information, debug):
log:
  event_priority: warning
Example 2: Block All Event Collection
Block all event collection:
log:
  event_priority: none
For other uses of the
log settings see Optional: Change the Agent Log
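
The section-override rule and the severity filter described above interact, and the result is easy to misjudge when reviewing a dragent.yaml change. The following is an added example, not Sysdig agent code: it models the two rules as this page states them, using hypothetical names (effective_events, DEFAULTS, EVENT_SEVERITY), plain dicts in place of parsed YAML, and a constructed subset of the default (*) events.

```python
# Added example: models the rules on this page; not Sysdig agent code.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]

# Severities copied from the comments in the event listings on this page.
EVENT_SEVERITY = {
    "Pulling": "information", "Failed": "warning", "InspectFailed": "warning",
    "Killing": "information", "HostPortConflict": "warning",
    "SuccessfulCreate": "information", "FailedCreate": "warning",
    "kill": "warning", "oom": "warning", "attach": "information",
}

# Constructed subset of the events marked * (enabled by default).
DEFAULTS = {
    "kubernetes": {
        "pod": ["Failed", "InspectFailed", "Killing", "HostPortConflict"],
        "replicationController": ["SuccessfulCreate", "FailedCreate"],
    },
    "docker": {"container": ["kill", "oom"]},
}

def effective_events(defaults, events_override, event_priority):
    """Return {app: {section: [event, ...]}} that passes both filters."""
    # event_priority "none" blocks everything; otherwise keep events at or
    # above the named severity.
    cutoff = -1 if event_priority == "none" else SEVERITIES.index(event_priority)
    result = {}
    for app in {**defaults, **events_override}:
        override = events_override.get(app, {})
        if override == "none":            # whole application disabled
            result[app] = {}
            continue
        # A section present in the override replaces the default section whole.
        merged = {**defaults.get(app, {}), **override}
        result[app] = {
            section: [] if names == "none" else
            [n for n in names if SEVERITIES.index(EVENT_SEVERITY[n]) <= cutoff]
            for section, names in merged.items()
        }
    return result

if __name__ == "__main__":
    example_1 = {"kubernetes": {"pod": ["Pulling"]}}   # Example 1 above
    for priority in ("warning", "information"):
        print(priority, effective_events(DEFAULTS, example_1, priority))
```

With event_priority set to warning, the Example 1 override yields no pod events at all: Pulling is an information event, and the warning-level defaults such as Failed were dropped when the pod section was replaced.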