Docker

Log Management (InsightOps) provides a Docker container that forwards container logs and sends metrics about your Docker infrastructure.

Setup

Create a log to send your Docker logs to

  • Log in to Log Management (InsightOps)
  • Browse to the “Add data” page
  • Create a new log by clicking the Quick Add button.
  • Give your log a name of your choice, select Token TCP and finally click the Create new log button. A token will be displayed in green.
  • Make a note of the token

Get the Log Management (InsightOps) Docker container

Download and start the Log Management (InsightOps) logging container with the following command:

docker run -v /var/run/docker.sock:/var/run/docker.sock \
  --read-only \
  --security-opt=no-new-privileges \
  rapid7/r7insight_docker \
  -t <TOKEN> \
  -r <REGION> \
  -j \
  -a host=`uname -n`

Replace <TOKEN> with the token you created. Replace <REGION> with eu or us, depending on the data center where your Log Management (InsightOps) account is located.

You will now see your Docker container logs and metrics start streaming into your Log Management (InsightOps) account.

Want to separate out your logs?

You can send the metrics, events and container logs to separate logs in your Log Management (InsightOps) account. Simply create 3 different logs in your account, make a note of their tokens and run the following command instead:

docker run -v /var/run/docker.sock:/var/run/docker.sock \
  --read-only \
  --security-opt=no-new-privileges \
  rapid7/r7insight_docker \
  -l <LOGSTOKEN> \
  -k <STATSTOKEN> \
  -e <EVENTSTOKEN> \
  -r <REGION> \
  -j \
  -a host=`uname -n`

Additional info

You can pass the --no-stats flag if you do not want stats to be published to Log Management (InsightOps) every second. This flag is required for Docker versions earlier than 1.5.

You can pass the --no-logs flag if you do not want logs to be published to Log Management (InsightOps).

You can pass the --no-dockerEvents flag if you do not want events to be published to Log Management (InsightOps).

The --read-only docker flag makes the container file system read-only. This is not a requirement, but since the container currently has no need to write to its file system, it makes the container more secure.

The --security-opt=no-new-privileges docker flag sets a kernel bit that stops the process and its children from gaining additional privileges via setuid or setgid binaries. Once again this is not required, but it increases security.

The -i/--statsinterval STATSINTERVAL option downsamples the stats sent to Rapid7 Log Management (InsightOps): it collects samples over the interval and averages them before sending them to Log Management (InsightOps).

If you don't use -a, a default host=`uname -n` value will be added.

You can also filter the containers for which the logs/stats are forwarded with:

  • --matchByName REGEXP: forward logs/stats only for the containers whose name matches the given REGEXP.
  • --matchByImage REGEXP: forward logs/stats only for the containers whose image matches the given REGEXP.
  • --skipByName REGEXP: do not forward logs/stats for the containers whose name matches the given REGEXP.
  • --skipByImage REGEXP: do not forward logs/stats for the containers whose image matches the given REGEXP.

Running the container in a restricted environment. Some environments (such as Google Compute Engine) do not allow access to the docker socket without special privileges. You will get an EACCES error (Error: read EACCES) if you try to run the container there. To run the container in such environments, add --privileged to the docker run command. Note that --privileged removes most of the isolation between the container and the host, so use it only where the socket cannot be made readable to the container any other way.

docker run --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --read-only \
  --security-opt=no-new-privileges \
  rapid7/r7insight_docker \
  -t <TOKEN> \
  -r <REGION> \
  -j \
  -a host=`uname -n`
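As an added example (not part of the Rapid7 documentation), a small POSIX sh wrapper that assembles the docker run command from the options described on this page, validates the region and token combination, keeps the --read-only and no-new-privileges flags on in every mode, and adds --privileged only when explicitly requested for the EACCES case. The function name r7insight_cmd, the PRIVILEGED variable and the single:/split: token-spec format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Rapid7 documentation: assemble (but do
# not execute) the docker run command for rapid7/r7insight_docker from
# the options this page documents, validating them first.
# Usage: r7insight_cmd REGION TOKEN_SPEC [AGENT_ARGS...]
#   TOKEN_SPEC (format assumed by this example; tokens must not contain
#   ':') is "single:<TOKEN>" or "split:<LOGSTOKEN>:<STATSTOKEN>:<EVENTSTOKEN>"
#   AGENT_ARGS are appended unchanged, e.g. --no-stats --matchByName 'web.*'
# PRIVILEGED=1 adds --privileged for the EACCES case described above;
# it is off by default because it removes most container isolation.
r7insight_cmd() {
  region=$1; spec=$2; shift 2
  case "$region" in
    eu|us) ;;
    *) echo "region must be eu or us, got '$region'" >&2; return 1 ;;
  esac
  case "$spec" in
    single:?*)
      tokens="-t ${spec#single:}" ;;
    split:?*:?*:?*)
      rest=${spec#split:}
      l=${rest%%:*}; rest=${rest#*:}
      k=${rest%%:*}; e=${rest#*:}
      tokens="-l $l -k $k -e $e" ;;
    *)
      echo "token spec must be single:<TOKEN> or split:<LOGS>:<STATS>:<EVENTS>" >&2
      return 1 ;;
  esac
  priv=""
  if [ "${PRIVILEGED:-0}" = "1" ]; then priv="--privileged "; fi
  # The hardening flags from the page stay on in every mode; the socket
  # mount is what the agent needs to read logs, stats and events.
  cmd="docker run ${priv}-v /var/run/docker.sock:/var/run/docker.sock"
  cmd="$cmd --read-only --security-opt=no-new-privileges rapid7/r7insight_docker"
  cmd="$cmd $tokens -r $region -j -a host=$(uname -n)"
  for a in "$@"; do cmd="$cmd $a"; done
  printf '%s\n' "$cmd"
}
```

The printed command can be reviewed and then passed to `sh -c` or copied into a deployment script; running it is deliberately left to the operator.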