Collect Event Data
Sysdig Monitor supports event integrations with certain applications by default. The Sysdig Agent will automatically discover these services and begin collecting event data from them.
The following applications are currently supported:
You can configure Sysdig Monitor to collect additional events through Custom Events. See Custom Events for more information on ingesting custom events into Sysdig Monitor.
By default, only a limited set of events is collected for a supported application; these events are listed in the agent configuration file. To enable collecting other supported events, add an events entry to the /opt/draios/etc/dragent.yaml file. Events marked with * are enabled by default and are listed in the default configuration file.
You can also change the log entry in dragent.yaml to filter events by severity.
See the following sections for more detail.
Customize Events Collection
To customize the default events collected for a specific application (by either enabling or disabling events), add an events entry to dragent.yaml as described in the examples below.
An entry in a section in dragent.yaml overrides the entire section in the default configuration.
For example, the Pulling entry below permits only the kubernetes pod Pulling events to be collected; all other kubernetes pod event settings in the default configuration file are ignored. However, other kubernetes sections - replicationController - remain intact and will be used as specified in the default configuration file.
Example 1: Collect Only Certain Events
Collect only ‘Pulling’ events from Kubernetes for pods:
    events:
      kubernetes:
        pod:
          - Pulling
Example 2: Disable All Events in a Section
To disable all events in a section, set the event section to none:

    events:
      kubernetes: none
      docker: none
Example 3: Combine Methods
These methods can be combined. For example, disable all kubernetes node and docker image events and limit docker container events to [attach, commit, copy]. The component events in other sections will be collected as specified by default:

    events:
      kubernetes:
        node: none
      docker:
        image: none
        container:
          - attach
          - commit
          - copy
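The section-override rule can be checked before a changed dragent.yaml is deployed. The following is an added example, not Sysdig code: it computes the effective event set and lists the events an override would stop collecting. The DEFAULTS table, its event names other than those on this page, and the function names are assumptions constructed for illustration; the real defaults are in the agent's default configuration file.

```python
# Constructed sample defaults for illustration only; the real list is in the
# agent's default configuration file.
DEFAULTS = {
    "kubernetes": {
        "pod": ["Pulling", "Pulled", "Failed"],
        "replicationController": ["SuccessfulCreate", "FailedCreate"],
        "node": ["NodeNotReady"],
    },
    "docker": {
        "container": ["attach", "commit", "copy", "die"],
        "image": ["pull", "delete"],
    },
}

# The page's Example 1 and Example 3, written as the parsed YAML would look.
EXAMPLE_1 = {"kubernetes": {"pod": ["Pulling"]}}
EXAMPLE_3 = {"kubernetes": {"node": "none"},
             "docker": {"image": "none", "container": ["attach", "commit", "copy"]}}

def effective_events(defaults, override):
    """A section named in the override replaces the whole default section;
    sections that are not named keep their defaults."""
    result = {}
    for app in {**defaults, **override}:
        default_sections = defaults.get(app, {})
        app_override = override.get(app, {})
        if app_override == "none":  # e.g. `kubernetes: none`
            result[app] = {section: [] for section in default_sections}
            continue
        result[app] = {}
        for section in {**default_sections, **app_override}:
            if section in app_override:
                value = app_override[section]
                result[app][section] = [] if value == "none" else list(value)
            else:
                result[app][section] = list(default_sections[section])
    return result

def dropped_events(defaults, override):
    """List (app, section, event) collected by default but not after the
    override, so a change that silences events is visible in review."""
    effective = effective_events(defaults, override)
    return [(app, section, event)
            for app, sections in defaults.items()
            for section, events in sections.items()
            for event in events
            if event not in effective[app][section]]
```

Running dropped_events against a proposed override in configuration review shows which default events, such as the remaining pod events in Example 1, would no longer reach Sysdig Monitor.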
Format Sequences as List or Single Line
In addition to bulleted lists, sequences can also be specified in a bracketed single line. For example:
    events:
      kubernetes:
        pod: [Pulling, Pulled, Failed]
Therefore, the following two settings are equivalent, permitting only Pulling, Pulled, Failed events for pods to be emitted:

    events:
      kubernetes:
        pod: [Pulling, Pulled, Failed]

    events:
      kubernetes:
        pod:
          - Pulling
          - Pulled
          - Failed
Change Event Collection by Severity
Events are limited globally at the agent level based on severity, using the log settings in dragent.yaml.
The default setting for the events severity filter is information. Only warning and higher severity events are transmitted.
Valid severity levels are:
Example 1: Block Low-Severity Messages
Block all the low-severity messages (notice, information, debug):

    log:
      event_priority: warning
Example 2: Block All Event Collection
Block all event collection:

    log:
      event_priority: none
For other uses of the log settings see Optional: Change the Agent Log Level.