Alert when docker container are destoy

Enol · February 22, 2024, 7:40am

Hello,

I have a docker swarm cluster with some containers and I send metrics and logs with metricbeat and filebeat to a elasticsearch cloud cluster.

I have some alerts about CPU, RAM, network traffic but I need alerts when a container are destroyed or are reboot.

I can see I have a field in the document docker.event.status, that has values like top (container is ok), destroy, down etc...

Maybe I can create an alert that get triggered when this field get values like destroy or down.
I was cheking for create it but in the managed rules I don't find any type where I can use this field (docker.event.status) to notify me.

Anyone can helps me?

Thanks

rtwolfe94022 · March 19, 2024, 3:34am

To set up an alert for when Docker containers are destroyed or rebooted, you can use Elasticsearch's Watcher feature. Create a watch that periodically searches your logs for documents where docker.event.status is either destroy or down . If such documents are found, you can configure Watcher to send notifications or take other actions. Adapt the example provided to your specific needs, including the indices, query details, and notification settings.

Topic		Replies	Views
Creating alert for service docker Elastic Observability elastic-stack-monitoring , elastic-stack-alerting , docker	2	50	August 6, 2024
Watch docker container up or down Elasticsearch elastic-stack-alerting	4	593	December 3, 2019
How to write alert rule in Elastalert Elasticsearch	2	744	October 13, 2018
Elastic Watcher custom alert help Elastic Observability docker , painless	1	272	November 4, 2022
Docker swarm container log monitoring - require help Beats filebeat	5	1693	October 29, 2018

Alert when docker container are destoy

Related topics