Event integrations: Application Events

Sysdig Monitor supports event integrations with certain applications by default. The Sysdig agent will automatically discover these services and begin collecting event data from them.

The following applications are currently supported:

Other methods of ingesting custom events into Sysdig Monitor are covered in the full Custom Events documentation.

 

Configuration

Default Event Collection

Only a limited set of events will be collected by default for any given application that is supported. Lists of supported events (including default events) for each application can be found below in this document, or by clicking the application links listed above.

The actual default settings for event collection can be found in your agent's default settings configuration file:

/opt/draios/etc/dragent.default.yaml

Global Severity Filter

Events are limited globally at the agent level based on severity, using the log settings. The default setting for the events severity filter is information (only warning and higher severity events are transmitted). Valid severity levels are: none, emergency, alert, critical, error, warning, notice, information, debug.

If you want to customize the events severity filter, you will need to add an entry to the user settings configuration file below (See our FAQ on how to edit the dragent.yaml file):

/opt/draios/etc/dragent.yaml

Block all low-severity messages (notice, information, debug):

log:
  event_priority: warning

Block all event collection:

log:
  event_priority: none

For other uses of the log settings see the log settings documentation page.

Customized Event Collection

If you want to customize the events collected for a specific application (by either adding or removing events) you will need to add an entry to the user settings configuration file here:

/opt/draios/etc/dragent.yaml

NOTE: An entry in a section in dragent.yaml overrides the entire section in the default configuration. For example, the Pulling entry below will permit only kubernetes pod Pulling events to be collected and all other kubernetes pod events settings in dragent.default.yaml will be ignored. However, other kubernetes sections - node and replicationController - remain intact and will be used as specified in dragent.default.yaml.

 

The following examples demonstrate the methods available for modifying the default behavior:

Collect only 'Pulling' events from Kubernetes for pods:

events:
  kubernetes:
    pod:
      - Pulling

To disable all events in a section, set the event section to none:

events:
  kubernetes: none
  docker: none

These methods can be combined. For example, disable all kubernetes node and docker image events and limit docker container events to [attach, commit, copy] (component events in other sections will be collected as specified by default):

events:
  kubernetes:
    node: none
  docker:
    image: none
    container:
      - attach
      - commit
      - copy

In addition to bulleted lists, sequences can also be specified in a bracketed single line, e.g.:

events:
  kubernetes:
    pod: [Pulling, Pulled, Failed]

So, the following two settings are equivalent, permitting only Pulling, Pulled, Failed events for pods to be emitted:

events:
  kubernetes:
    pod: [Pulling, Pulled, Failed]

events:
  kubernetes:
    pod:
      - Pulling
      - Pulled
      - Failed
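
The section-override rule and the global severity filter interact, which matters when an override is meant to add visibility (for example container exec events) rather than remove it. The Python below models both rules as this page describes them; it is an added example, not Sysdig agent code, and DEFAULTS, the user override and the function names are constructed for illustration.

```python
# Added illustration of the documented merge rules; not Sysdig agent code.
# Valid levels from the page, most severe first ("none" is handled separately).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]

# Constructed subset of dragent.default.yaml: events this page marks with *.
DEFAULTS = {
    "docker": {"container": ["kill", "oom"]},
    "kubernetes": {"pod": ["Failed", "Killing"],
                   "replicationController": ["FailedCreate", "FailedDelete"]},
}
# Severities as listed in the event tables on this page.
SEVERITY_OF = {"kill": "warning", "oom": "warning", "exec_create": "information",
               "exec_start": "information", "Failed": "warning",
               "Killing": "information", "FailedCreate": "warning",
               "FailedDelete": "warning"}


def effective_events(defaults, user):
    """Apply a user 'events' mapping: each entry replaces its whole section."""
    merged = {}
    for app in sorted(set(defaults) | set(user)):
        base, override = defaults.get(app, {}), user.get(app, {})
        if override == "none":                      # e.g. "kubernetes: none"
            merged[app] = {section: [] for section in base}
            continue
        merged[app] = {}
        for section in sorted(set(base) | set(override)):
            value = override.get(section, base.get(section, []))
            merged[app][section] = [] if value == "none" else list(value)
    return merged


def transmitted(events, event_priority):
    """Events that pass log.event_priority (threshold level and more severe)."""
    if event_priority == "none":
        return []
    limit = SEVERITIES.index(event_priority)
    return [e for e in events if SEVERITIES.index(SEVERITY_OF[e]) <= limit]


if __name__ == "__main__":
    # Constructed user override: add exec events for audit, forgetting defaults.
    user = {"docker": {"container": ["exec_create", "exec_start"]}}
    container = effective_events(DEFAULTS, user)["docker"]["container"]
    print("collected:", container)                  # kill and oom are gone
    print("sent at warning:", transmitted(container, "warning"))
    print("sent at information:", transmitted(container, "information"))
```

To keep the default kill and oom events while adding the exec events, list all four under docker container in dragent.yaml, and set event_priority low enough that information-level events are transmitted.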

 

Application Integration Details

Docker

The following Docker events are supported (events marked with * are enabled by default, see dragent.default.yaml file):

  docker:
    container:
      - attach       # Container Attached      (information)
      - commit       # Container Committed     (information)
      - copy         # Container Copied        (information)
      - create       # Container Created       (information)
      - destroy      # Container Destroyed     (warning)
      - die          # Container Died          (warning)
      - exec_create  # Container Exec Created  (information)
      - exec_start   # Container Exec Started  (information)
      - export       # Container Exported      (information)
      - kill         # Container Killed        (warning)*
      - oom          # Container Out of Memory (warning)*
      - pause        # Container Paused        (information)
      - rename       # Container Renamed       (information)
      - resize       # Container Resized       (information)
      - restart      # Container Restarted     (warning)
      - start        # Container Started       (information)
      - stop         # Container Stopped       (information)
      - top          # Container Top           (information)
      - unpause      # Container Unpaused      (information)
      - update       # Container Updated       (information)
    image:
      - delete # Image Deleted  (information)
      - import # Image Imported (information)
      - pull   # Image Pulled   (information)
      - push   # Image Pushed   (information)
      - tag    # Image Tagged   (information)
      - untag  # Image Untagged (information)
    volume:
      - create  # Volume Created    (information)
      - mount   # Volume Mounted    (information)
      - unmount # Volume Unmounted  (information)
      - destroy # Volume Destroyed  (information)
    network:
      - create     # Network Created       (information)
      - connect    # Network Connected     (information)
      - disconnect # Network Disconnected  (information)
      - destroy    # Network Destroyed     (information)

Kubernetes

The following Kubernetes events are supported (events marked with * are enabled by default, see dragent.default.yaml file):


  kubernetes:
    node:
      - TerminatedAllPods       # Terminated All Pods (information)
      - RegisteredNode          # Node Registered (information)*
      - RemovingNode            # Removing Node (information)*
      - DeletingNode            # Deleting Node (information)*
      - DeletingAllPods         # Deleting All Pods (information)
      - TerminatingEvictedPod   # Terminating Evicted Pod (information)*
      - NodeReady               # Node Ready (information)*
      - NodeNotReady            # Node not Ready (information)*
      - NodeSchedulable         # Node is Schedulable (information)*
      - NodeNotSchedulable      # Node is not Schedulable (information)*
      - CIDRNotAvailable        # CIDR not Available (information)*
      - CIDRAssignmentFailed    # CIDR Assignment Failed (information)*
      - Starting                # Starting Kubelet (information)*
      - KubeletSetupFailed      # Kubelet Setup Failed (warning)*
      - FailedMount             # Volume Mount Failed (warning)*
      - NodeSelectorMismatching # Node Selector Mismatch (warning)*
      - InsufficientFreeCPU     # Insufficient Free CPU (warning)*
      - InsufficientFreeMemory  # Insufficient Free Mem (warning)*
      - OutOfDisk               # Out of Disk (information)*
      - HostNetworkNotSupported # Host Ntw not Supported (warning)*
      - NilShaper               # Undefined Shaper (warning)*
      - Rebooted                # Node Rebooted (warning)*
      - NodeHasSufficientDisk   # Node Has Sufficient Disk (information)*
      - NodeOutOfDisk           # Node Out of Disk Space (information)*
      - InvalidDiskCapacity     # Invalid Disk Capacity (warning)*
      - FreeDiskSpaceFailed     # Free Disk Space Failed (warning)*
    pod:
      - Pulling           # Pulling Container Image (information)
      - Pulled            # Ctr Img Pulled (information)
      - Failed            # Ctr Img Pull/Create/Start Fail (warning)*
      - InspectFailed     # Ctr Img Inspect Failed (warning)*
      - ErrImageNeverPull # Ctr Img NeverPull Policy Violate (warning)*
      - BackOff           # Back Off Ctr Start, Image Pull (warning)
      - Created           # Container Created (information)
      - Started           # Container Started (information)
      - Killing           # Killing Container (information)*
      - Unhealthy         # Container Unhealthy (warning)
      - FailedSync        # Pod Sync Failed (warning)
      - FailedValidation  # Failed Pod Config Validation (warning)
      - OutOfDisk         # Out of Disk (information)*
      - HostPortConflict  # Host/Port Conflict (warning)*
    replicationController:
      - SuccessfulCreate # Pod Created (information)*
      - FailedCreate     # Pod Create Failed (warning)*
      - SuccessfulDelete # Pod Deleted (information)*
      - FailedDelete     # Pod Delete Failed (warning)*

 
