Event Sources

Event sources indicate the origin of Sysdig Monitor Events.

The source of an Event is usually found as the second item in the Event Detail panel. The Event Detail panel is accessed by clicking on an event listing in the feed.

Additionally, the source of an event is represented with an icon in the feed.

Different source values are applicable to different Event Types.

Sources can be used to narrow down the set of events to be considered in Event Alerts and in setting up an Event Overlay.

Alert Event and Sysdig Event Sources

Alert Events that are triggered by Sysdig are added to the event feed. Since Alert Events are determined through alert configuration, they are not populated with a source value. The same applies to Sysdig Events: since they come from the system itself, the source field is empty.

Infrastructure Event Sources

For Infrastructure Events, the source field has a different value depending on the service the event is drawn from. For example, the source will be:

Custom Event Sources

Custom events ingested through the Events API will have the source field set to api. You can view these tags on the Event overlay.

You can customise this value by specifying it in the ingestion payload, in two different ways:

  • As a source field in the JSON event object

    For example, the following call will ingest an event with a customised source equal to jenkins:

    #!/bin/bash
    # Placeholder token: replace with your own API token.
    SDC_ACCESS_TOKEN='626abc7-YOUR-TOKEN-HERE-3a3ghj432'
    # Replace with the endpoint that matches your subscription.
    ENDPOINT='app.sysdigcloud.com'

    # The "source" field of the event object sets the source to jenkins.
    curl -X POST -s "https://${ENDPOINT}/api/v2/events" \
    -H 'Content-Type: application/json; charset=UTF-8' \
    -H 'Accept: application/json, text/javascript, */*; q=0.01' \
    -H "Authorization: Bearer ${SDC_ACCESS_TOKEN}" \
    --data-binary '
    {"event": {"name": "Jenkins - start wordpress deploy", "description": "deploy", "severity": "MEDIUM", "source": "jenkins", "scope": "host.hostName = \"ip-10-1-1-1\" and build = \"89\""}}
    '
    sleep 5
    

Note: You will need to replace the hostname in the line ENDPOINT='app.sysdigcloud.com' with an endpoint that matches your subscription. See SaaS Regions and IP Ranges for further details.

  • As a tag with key source in the tags section of the event object

    For example, the following call will ingest an event with a customised source equal to jenkins:

    #!/bin/bash
    # Placeholder token: replace with your own API token.
    SDC_ACCESS_TOKEN='626abc7-YOUR-TOKEN-HERE-3a3ghj432'
    # Replace with the endpoint that matches your subscription.
    ENDPOINT='app.sysdigcloud.com'

    # The "source" key in the tags section sets the source to jenkins.
    curl -X POST -s "https://${ENDPOINT}/api/v2/events" \
    -H 'Content-Type: application/json; charset=UTF-8' \
    -H 'Accept: application/json, text/javascript, */*; q=0.01' \
    -H "Authorization: Bearer ${SDC_ACCESS_TOKEN}" \
    --data-binary '
    {"event": {"name": "Jenkins - start wordpress deploy", "description": "deploy", "severity": "MEDIUM", "tags": {"source" : "jenkins"}, "scope": "host.hostName = \"ip-10-1-1-1\" and build = \"89\""}}'
    sleep 5
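
An added example, not part of the Sysdig documentation: when the event name, source, host or build number come from CI variables rather than literals, the payload for either method above can be built with JSON escaping and input validation, and the token kept out of the script. The function names, the allowlist for scope values, and reading SDC_ACCESS_TOKEN and ENDPOINT from the environment are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Sysdig code. Helper names are hypothetical.

# json_string VALUE: print VALUE as a JSON string literal.
# Control characters are rejected instead of escaped.
json_string() {
    case $1 in
        *[[:cntrl:]]*) printf 'control character in value\n' >&2; return 1 ;;
    esac
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# scope_atom VALUE: allow only characters that cannot end the quoted literal
# inside the scope expression (assumption: a conservative allowlist).
scope_atom() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) printf 'unsafe scope value\n' >&2; return 1 ;;
    esac
    printf '%s' "$1"
}

# build_event_payload MODE NAME DESCRIPTION SEVERITY SOURCE HOST BUILD
# MODE "field" uses the source field, "tag" uses tags.source.
build_event_payload() {
    host=$(scope_atom "$6") || return 1
    build=$(scope_atom "$7") || return 1
    name=$(json_string "$2") || return 1
    desc=$(json_string "$3") || return 1
    sev=$(json_string "$4") || return 1
    src=$(json_string "$5") || return 1
    scope=$(json_string "host.hostName = \"$host\" and build = \"$build\"") || return 1
    case $1 in
        field) src_part="\"source\": $src" ;;
        tag)   src_part="\"tags\": {\"source\": $src}" ;;
        *) printf 'mode must be field or tag\n' >&2; return 1 ;;
    esac
    printf '{"event": {"name": %s, "description": %s, "severity": %s, %s, "scope": %s}}\n' \
        "$name" "$desc" "$sev" "$src_part" "$scope"
}

# send_event PAYLOAD: POST to the Events API; the token is read from the
# environment and the payload is passed on stdin.
send_event() {
    : "${SDC_ACCESS_TOKEN:?set SDC_ACCESS_TOKEN}" "${ENDPOINT:?set ENDPOINT}"
    printf '%s' "$1" | curl -sS --fail -X POST "https://${ENDPOINT}/api/v2/events" \
        -H 'Content-Type: application/json; charset=UTF-8' \
        -H "Authorization: Bearer ${SDC_ACCESS_TOKEN}" --data-binary @-
}
```

Nothing is sent until send_event is called with the output of build_event_payload, so the payload can be inspected or logged first.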