Add docker event metricset (elastic#9856)

* Add docker `event` metricset This metricset will retrieve events coming from the Docker events API [0]. Example output: ``` "docker": { "event": { "id": "8c229155b039c2adcb4fab1f987f35a0d1f913dfaa95f3113ed6e4f91eb5398c", "from": "busybox", "type": "container", "action": "die", "actor": { "id": "8c229155b039c2adcb4fab1f987f35a0d1f913dfaa95f3113ed6e4f91eb5398c", "attributes": { "image": "busybox", "name": "distracted_lichterman", "exitCode": "0" } }, "time": "2019-01-02T22:41:02.000Z", "status": "die" } } ``` Actor attributes will container labels in the case of container events, the module will perform dedotting (if enabled) on them. [0] https://docs.docker.com/engine/api/v1.37/#operation/SystemEvents * Add tests * Update changelog * Add missing header * Add missing file * Adapt to ECS * Use a cheaper event for tests * Close docker client on module shutdown * Update data * clean created container * fix image pull
leweafan · Jan 4, 2019 · 1443646 · 1443646
1 parent 19f053b
commit 1443646
Show file tree

Hide file tree

Showing 18 changed files with 492 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -100,6 +100,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 - Add `key` metricset to the Redis module. {issue}9582[9582] {pull}9657[9657] {pull}9746[9746]
 - Add `socket_summary` metricset to system defaults, removing experimental tag and supporting Windows {pull}9709[9709]
+- Add docker `event` metricset. {pull}9856[9856]
 
 *Packetbeat*
 

diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc
@@ -2760,6 +2760,108 @@ type: scaled_float
 Number of reads and writes per second
 
 
+--
+
+[float]
+== event fields
+
+Docker event
+
+
+
+*`docker.event.status`*::
++
+--
+type: keyword
+
+Event status
+
+
+--
+
+*`docker.event.id`*::
++
+--
+type: alias
+
+alias to: event.id
+
+Event id when available
+
+
+--
+
+*`docker.event.from`*::
++
+--
+type: keyword
+
+Event source
+
+
+--
+
+*`docker.event.type`*::
++
+--
+type: alias
+
+alias to: event.kind
+
+The type of object emitting the event
+
+
+--
+
+*`docker.event.action`*::
++
+--
+type: alias
+
+alias to: event.action
+
+The type of event
+
+
+--
+
+*`docker.event.time`*::
++
+--
+type: alias
+
+alias to: event.created
+
+Timestamp of event
+
+
+--
+
+[float]
+== actor fields
+
+Actor
+
+
+
+*`docker.event.actor.id`*::
++
+--
+type: keyword
+
+The ID of the object emitting the event
+
+
+--
+
+*`docker.event.actor.attributes`*::
++
+--
+type: object
+
+Various key/value attributes of the object, depending on its type
+
+
 --
 
 [float]

diff --git a/metricbeat/docs/modules/docker.asciidoc b/metricbeat/docs/modules/docker.asciidoc
@@ -38,6 +38,7 @@ metricbeat.modules:
     - "container"
     - "cpu"
     - "diskio"
+    - "event"
     - "healthcheck"
     - "info"
     #- "image"
@@ -71,6 +72,8 @@ The following metricsets are available:
 
 * <<metricbeat-metricset-docker-diskio,diskio>>
 
+* <<metricbeat-metricset-docker-event,event>>
+
 * <<metricbeat-metricset-docker-healthcheck,healthcheck>>
 
 * <<metricbeat-metricset-docker-image,image>>
@@ -87,6 +90,8 @@ include::docker/cpu.asciidoc[]
 
 include::docker/diskio.asciidoc[]
 
+include::docker/event.asciidoc[]
+
 include::docker/healthcheck.asciidoc[]
 
 include::docker/image.asciidoc[]

diff --git a/metricbeat/docs/modules/docker/event.asciidoc b/metricbeat/docs/modules/docker/event.asciidoc
@@ -0,0 +1,21 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[metricbeat-metricset-docker-event]]
+=== Docker event metricset
+
+include::../../../module/docker/event/_meta/docs.asciidoc[]
+
+
+==== Fields
+
+For a description of each field in the metricset, see the
+<<exported-fields-docker,exported fields>> section.
+
+Here is an example document generated by this metricset:
+
+[source,json]
+----
+include::../../../module/docker/event/_meta/data.json[]
+----
diff --git a/metricbeat/docs/modules_list.asciidoc b/metricbeat/docs/modules_list.asciidoc
@@ -22,9 +22,10 @@ This file is generated! See scripts/docs_collector.py
 |<<metricbeat-metricset-couchbase-cluster,cluster>> beta[]  
 |<<metricbeat-metricset-couchbase-node,node>> beta[]  
 |<<metricbeat-module-docker,Docker>>     |image:./images/icon-yes.png[Prebuilt dashboards are available]    |  
-.8+| .8+|  |<<metricbeat-metricset-docker-container,container>>   
+.9+| .9+|  |<<metricbeat-metricset-docker-container,container>>   
 |<<metricbeat-metricset-docker-cpu,cpu>>   
 |<<metricbeat-metricset-docker-diskio,diskio>>   
+|<<metricbeat-metricset-docker-event,event>>   
 |<<metricbeat-metricset-docker-healthcheck,healthcheck>>   
 |<<metricbeat-metricset-docker-image,image>>   
 |<<metricbeat-metricset-docker-info,info>>   

diff --git a/metricbeat/include/list.go b/metricbeat/include/list.go
diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml
@@ -167,6 +167,7 @@ metricbeat.modules:
     - "container"
     - "cpu"
     - "diskio"
+    - "event"
     - "healthcheck"
     - "info"
     #- "image"

diff --git a/metricbeat/module/docker/_meta/config.reference.yml b/metricbeat/module/docker/_meta/config.reference.yml
@@ -3,6 +3,7 @@
     - "container"
     - "cpu"
     - "diskio"
+    - "event"
     - "healthcheck"
     - "info"
     #- "image"

diff --git a/metricbeat/module/docker/_meta/config.yml b/metricbeat/module/docker/_meta/config.yml
@@ -3,6 +3,7 @@
   #  - container
   #  - cpu
   #  - diskio
+  #  - event
   #  - healthcheck
   #  - info
   #  - memory

diff --git a/metricbeat/module/docker/event/_meta/data.json b/metricbeat/module/docker/event/_meta/data.json
@@ -0,0 +1,31 @@
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "docker": {
+        "event": {
+            "actor": {
+                "attributes": {
+                    "image": "busybox",
+                    "name": "wizardly_knuth"
+                },
+                "id": "9d4c3af1d4a0268940205aad04a3c6bf434b32f45e0784dec5c283201ef299fc"
+            },
+            "from": "busybox",
+            "status": "create"
+        }
+    },
+    "event": {
+        "action": "create",
+        "created": "2019-01-03T12:44:52+01:00",
+        "dataset": "event",
+        "id": "9d4c3af1d4a0268940205aad04a3c6bf434b32f45e0784dec5c283201ef299fc",
+        "kind": "container",
+        "module": "docker"
+    },
+    "service": {
+        "type": "docker"
+    }
+}
diff --git a/metricbeat/module/docker/event/_meta/docs.asciidoc b/metricbeat/module/docker/event/_meta/docs.asciidoc
@@ -0,0 +1 @@
+This is the event metricset of the module docker.
diff --git a/metricbeat/module/docker/event/_meta/fields.yml b/metricbeat/module/docker/event/_meta/fields.yml
@@ -0,0 +1,52 @@
+- name: event
+  type: group
+  description: >
+    Docker event
+  release: ga
+  fields:
+    - name: status
+      type: keyword
+      description: >
+        Event status
+    - name: id
+      type: alias
+      path: event.id
+      migration: true
+      description: >
+        Event id when available
+    - name: from
+      type: keyword
+      description: >
+        Event source
+    - name: type
+      type: alias
+      path: event.kind
+      migration: true
+      description: >
+        The type of object emitting the event
+    - name: action
+      type: alias
+      path: event.action
+      migration: true
+      description: >
+        The type of event
+    - name: time
+      type: alias
+      path: event.created
+      migration: true
+      description: >
+        Timestamp of event
+    - name: actor
+      type: group
+      description: >
+        Actor
+      fields:
+        - name: id
+          type: keyword
+          description: >
+            The ID of the object emitting the event
+        - name: attributes
+          type: object
+          object_type: keyword
+          description: >
+            Various key/value attributes of the object, depending on its type