Description of problem:
For further analysis, the saved docker event log (documents) should include identification code, for example the container ID, container IP, container name, container image, etc., but fluentd couldn't scratch such data from audit logs.

Version-Release number of selected component (if applicable):
openshift3/logging-fluentd/images/v3.7.14-1

How reproducible:
always

Steps to Reproduce:
1. Deploy logging to collect docker event logs

    openshift_logging_install_logging=true
    openshift_logging_fluentd_audit_container_engine=true
    openshift_logging_fluentd_audit_file=/var/log/audit/audit.log
    openshift_logging_fluentd_audit_pos_file=/var/log/audit/audit.log.pos

2. Run a docker container

    docker run --rm centos:7 sleep 200

3. docker inspect $dockerID in another tty

    docker inspect 8423f82e1ec9

4. Gather all records from the ES stack

    oc rsh -c elasticsearch logging-es-ops-data-master-9mdj6t21-1-2ktkm
    curl -XGET --cacert /etc/elasticsearch/secret/admin-ca --cert /etc/elasticsearch/secret/admin-cert --key /etc/elasticsearch/secret/admin-key 'https://localhost:9200/_search?pretty&size=5000&q=docker.user:*' --insecure |tee dockerEvent.json

5. Search for the container identification code in the saved dockerEvent documents.
   For example, search for the container ID, container IP, container name and container image in dockerEvent.json

Actual results:
No container identification code in the saved docker event documents

Expected results:
For further analysis, it is better to gather the container identification code in the docker event log (documents).

Additional info:
Bug https://bugzilla.redhat.com/show_bug.cgi?id=1496176 has been closed. I open this to address it in OpenShift.
Created attachment 1364830
Docker Event Documents in ES
@Joseph please evaluate and comment
Still waiting for a fix in docker
@Josef, bug 1496176 has been fixed. The docker id and docker image id can be gathered. Can you verify bug 1496176 and move this bug to ON_QA?

{
  "_index": ".operations.2018.03.23",
  "_type": "com.redhat.viaq.common",
  "_id": "ZmRhMTJjMzQtMTUxMC00NmRjLWExZTgtYTBiY2E1MzEwMjA5",
  "_score": null,
  "_source": {
    "hostname": "172.16.120.9",
    "systemd": {
      "t": {
        "PID": "20135",
        "UID": "0",
        "AUDIT_LOGINUID": "4294967295",
        "AUDIT_SESSION": "4294967295",
        "SELINUX_CONTEXT": "system_u:system_r:container_runtime_t:s0",
        "EXE": "\"/usr/bin/dockerd-current\""
      }
    },
    "docker": {
      "sauid": "0",
      "container_id_short": "95849ae758f0",
      "container_image": "e66c511efd84",
      "pid": "1874",
      "user": "root",
      "reason": "api",
      "operation": "resize",
      "result": "success",
      "command": "/home/appliance/starter.sh"
    },
    "pipeline_metadata": {
      "collector": {
        "ipaddr4": "10.130.0.27",
        "ipaddr6": "fe80::28a6:17ff:febe:940e",
        "inputname": "fluent-plugin-systemd",
        "name": "fluentd",
        "received_at": "2018-03-23T08:22:56.404335+00:00",
        "version": "0.12.42 1.6.0"
      }
    },
    "@timestamp": "2018-03-23T08:22:56.402000+00:00",
    "viaq_msg_id": "ZmRhMTJjMzQtMTUxMC00NmRjLWExZTgtYTBiY2E1MzEwMjA5"
  },
  "fields": {
    "@timestamp": [ 1521793376402 ],
    "pipeline_metadata.collector.received_at": [ 1521793376404 ]
  },
  "highlight": {
    "docker.container_id_short": [
      "@kibana-highlighted-field@95849ae758f0@/kibana-highlighted-field@"
    ]
  },
  "sort": [ 1521793376402 ]
}
It works fine. It can recognize the container_id and container_image.

"docker": {
  "sauid": "0",
  "container_id_short": "f94f3240202a",
  "container_image": "centos",
  "pid": "0",
  "user": "root",
  "reason": "api",
  "operation": "start",
  "result": "success",
  "command": "bash"
}
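The check from step 5 of the report, as an added example that is not part of the original thread or of the OpenShift logging code: it walks an Elasticsearch search response such as dockerEvent.json and lists the docker audit documents that lack the identification fields shown in the comments above. The function name and the sample documents are constructed for illustration; the standard `hits.hits` response layout is assumed.

```python
import json
import sys

# Identification fields the collector stores under "docker" (names as seen in
# the documents quoted in this thread).
ID_FIELDS = ("container_id_short", "container_image")

def missing_container_ids(es_response):
    """Map each docker audit document _id to the ID_FIELDS it lacks."""
    gaps = {}
    for hit in es_response.get("hits", {}).get("hits", []):
        docker = hit.get("_source", {}).get("docker")
        if not isinstance(docker, dict):
            continue  # not a docker audit event
        missing = [f for f in ID_FIELDS if not docker.get(f)]
        if missing:
            gaps[hit.get("_id", "<no _id>")] = missing
    return gaps

# Constructed sample in the shape of an Elasticsearch _search response:
# one document with the identification fields, one without them.
SAMPLE = json.loads("""
{"hits": {"hits": [
  {"_id": "constructed-1", "_source": {"docker": {
     "container_id_short": "f94f3240202a", "container_image": "centos",
     "user": "root", "operation": "start", "result": "success"}}},
  {"_id": "constructed-2", "_source": {"docker": {
     "user": "root", "operation": "start", "result": "success"}}}
]}}
""")

if __name__ == "__main__":
    # Pass the file saved in step 4 as the first argument, or run without
    # arguments to use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            response = json.load(fh)
    else:
        response = SAMPLE
    for doc_id, missing in missing_container_ids(response).items():
        print(f"{doc_id}: missing {', '.join(missing)}")
```

An empty result means every docker audit document in the response can be tied back to a container and image.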
Yes, it was fixed in atomic/moby 1.13.
Verified with docker-1.13.1-53.git774336d.el7.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0636