Alert when Docker containers are destroyed

Hello,

I have a Docker Swarm cluster with some containers, and I send metrics and logs with Metricbeat and Filebeat to an Elasticsearch cloud cluster.

I have some alerts about CPU, RAM and network traffic, but I need alerts when a container is destroyed or rebooted.

I can see I have a field in the document, docker.event.status, that has values like top (container is ok), destroy, down, etc.

Maybe I can create an alert that gets triggered when this field gets values like destroy or down.
I was checking how to create it, but in the managed rules I can't find any type where I can use this field (docker.event.status) to notify me.

Can anyone help me?

Thanks

To set up an alert for when Docker containers are destroyed or rebooted, you can use Elasticsearch's Watcher feature. Create a watch that periodically searches your logs for documents where docker.event.status is either destroy or down. If such documents are found, you can configure Watcher to send notifications or take other actions. Adapt the example provided to your specific needs, including the indices, query details, and notification settings.
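
A watch of the kind described in the reply above, as an added example that is not part of the original thread: this is the request body for `PUT _watcher/watch/docker-container-events`. The watch id, the `metricbeat-*` index pattern, the intervals and the logging action are assumptions; only the `docker.event.status` field and its `destroy` and `down` values come from the thread.

```json
{
  "metadata": {
    "note": "Added example, not from the thread. Index pattern, intervals and action are assumptions."
  },
  "trigger": {
    "schedule": { "interval": "1m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["metricbeat-*"],
        "body": {
          "size": 10,
          "sort": [{ "@timestamp": "desc" }],
          "query": {
            "bool": {
              "filter": [
                { "terms": { "docker.event.status": ["destroy", "down"] } },
                { "range": { "@timestamp": { "gte": "now-2m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "throttle_period": "5m",
  "actions": {
    "log_container_event": {
      "logging": {
        "level": "warn",
        "text": "{{ctx.payload.hits.total}} Docker event(s) with status destroy or down in the last 2 minutes"
      }
    }
  }
}
```

The two-minute lookback overlaps the one-minute schedule so that events indexed late are not missed, and `throttle_period` keeps the overlap from producing repeated notifications. Replace the `logging` action with an `email`, `webhook` or other Watcher action once the matching account or connector is configured.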