Collect Event Data

Sysdig Monitor supports event integrations with certain applications by default. The Sysdig Agent will automatically discover these services and begin collecting event data from them.

The following applications are currently supported:

You can configure Sysdig Monitor to collect additional events through Custom Events. See Custom Events for more information on ingesting custom events into Sysdig Monitor.

Enable Events

By default, only a limited set of events is collected for a supported application; these events are listed in the agent configuration file. To enable collecting other supported events, add an events entry to the dragent.yaml file. Events marked with * are enabled by default and are listed in the default configuration file. See Understand the Agent Configuration.

You can also change the log entry in dragent.yaml to filter events by severity.

See the following sections for more detail.

Customize Events Collection

To customize the default events collected for a specific application (by either enabling or disabling events), add an events entry to dragent.yaml as described in the examples below.

An entry in a section in dragent.yaml overrides the entire section in the default configuration.

For example, the Pulling entry below permits only the kubernetes pod Pulling events to be collected; all other kubernetes pod event settings in the default configuration file are ignored.

However, other kubernetes sections - node and replicationController - remain intact and will be used as specified in the default configuration file.

Example 1: Collect Only Certain Events

Collect only ‘Pulling’ events from Kubernetes for pods:

events:
  kubernetes:
    pod:
      - Pulling

Example 2: Disable All Events in a Section

To disable all events in a section, set the event section to none:

events:
  kubernetes: none
  docker: none

Example 3: Combine Methods

These methods can be combined. For example, disable all kubernetes node and docker image events and limit docker container events to [attach, commit, copy]. The component events in other sections will be collected as specified by default:

events:
  kubernetes:
    node: none
  docker:
    image: none
    container:
      - attach
      - commit
      - copy
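
The override rule behind Examples 1 to 3, as an added model that is not Sysdig's own code: it computes the effective event set for an events entry and lists the default events the entry silently stops collecting, which is worth checking before rollout if alerts depend on them. DEFAULTS is a constructed stand-in for the default configuration file, the "...EventA/B" names are placeholders, and the function names are hypothetical.

```python
# Model of the section-override rule described above; not the Sysdig agent's code.
# DEFAULTS is constructed sample data, not the real default configuration file.
DEFAULTS = {
    "kubernetes": {
        "pod": ["Pulling", "Pulled", "Failed"],
        "node": ["NodeEventA", "NodeEventB"],        # placeholder names
        "replicationController": ["RcEventA"],       # placeholder name
    },
    "docker": {
        "image": ["ImageEventA"],                    # placeholder name
        "container": ["attach", "commit", "copy", "ContainerEventA"],
    },
}


def effective_events(defaults, override):
    """Return {app: {section: [events]}} after applying a dragent.yaml events entry."""
    result = {}
    for app, sections in defaults.items():
        user_app = override.get(app)
        if user_app == "none":               # YAML loads a bare none as the string "none"
            result[app] = {name: [] for name in sections}
            continue
        user_app = user_app or {}
        result[app] = {}
        for name, default_list in sections.items():
            if name not in user_app:         # untouched section keeps its defaults
                result[app][name] = list(default_list)
            elif user_app[name] == "none":   # section disabled
                result[app][name] = []
            else:                            # entry replaces the entire section
                result[app][name] = list(user_app[name])
    return result


def dropped_events(defaults, override):
    """List (app, section, event) triples that were on by default and are now off."""
    eff = effective_events(defaults, override)
    return sorted((app, name, ev)
                  for app, sections in defaults.items()
                  for name, events in sections.items()
                  for ev in events if ev not in eff[app][name])


if __name__ == "__main__":
    for triple in dropped_events(DEFAULTS, {"kubernetes": {"pod": ["Pulling"]}}):
        print("no longer collected:", ".".join(triple))
```
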

Format Sequences as List or Single Line

In addition to bulleted lists, sequences can also be specified in a bracketed single line. For example:

events:
  kubernetes:
    pod: [Pulling, Pulled, Failed]

Therefore, the following two settings are equivalent; both permit only Pulling, Pulled, and Failed events for pods to be emitted:

events:
  kubernetes:
    pod: [Pulling, Pulled, Failed]

events:
  kubernetes:
    pod:
      - Pulling
      - Pulled
      - Failed

Change Event Collection by Severity

Events are limited globally at the agent level based on severity, using the log settings in dragent.yaml.

The default setting for the events severity filter is information. Only warning and higher severity events are transmitted.

Valid severity levels are: fatal, emergency, critical, error, warning, alert, notice, information, debug, trace, none

Example 1: Block Low-Severity Messages

Block all the low-severity messages (notice, information, debug):

log:
  event_priority: warning

Example 2: Block All Event Collection

Block all event collection:

log:
  event_priority: none

For other uses of the log settings see Optional: Change the Agent Log Level.