Docker

InsightOps provides a Docker container that will forward logs and send metrics regarding your Docker infrastructure.

Setup

Create a log to send your Docker logs to

  • Log in to InsightOps
  • Browse to the "Add data" page
  • Create a new log by clicking the Quick Add button.
  • Give your log a name of your choice, select Token TCP and finally click the Create new log button.
      • A token will be displayed in green
  • Make a note of the token

Get the InsightOps Docker container

Download and start the InsightOps logging container with the following command:

docker run -v /var/run/docker.sock:/var/run/docker.sock \
--read-only \
--security-opt=no-new-privileges \
rapid7/r7insight_docker \
-t <TOKEN> \
-r <REGION> \
-j \
-a host=`uname -n`

Replace <TOKEN> with the token you created. Replace <REGION> with eu or us, depending on the data center where your InsightOps account is located.

You will now see your Docker container logs and metrics start streaming into your InsightOps account.

Want to separate out your logs?

You can send the metrics, events and container logs to separate logs in your InsightOps account. Create 3 different logs in your account, make a note of the tokens, and run the following command instead:

docker run -v /var/run/docker.sock:/var/run/docker.sock \
--read-only \
--security-opt=no-new-privileges \
rapid7/r7insight_docker \
-l <LOGSTOKEN> \
-k <STATSTOKEN> \
-e <EVENTSTOKEN> \
-r <REGION> \
-j \
-a host=`uname -n`

Additional info

You can pass the --no-stats flag if you do not want stats to be published to InsightOps every second. You need this flag for Docker version < 1.5.

You can pass the --no-logs flag if you do not want logs to be published to InsightOps.

You can pass the --no-dockerEvents flag if you do not want events to be published to InsightOps.

The --read-only docker flag specifies that the container file system will be read-only. This is not a requirement but since currently there's no need for writing, it makes the container more secure.

The --security-opt=no-new-privileges docker flag sets a kernel bit which stops the process or its children from gaining additional privileges via setuid or sgid. Once again, this is not required, but it increases security.

The -i/--statsinterval STATSINTERVAL option downsamples the logs sent to Rapid7 InsightOps. It collects samples and averages them before sending to InsightOps.

If you don't use -a, a default host=`uname -n` value will be added.

You can also filter the containers for which the logs/stats are forwarded with:

  • --matchByName REGEXP: forward logs/stats only for the containers whose name matches the given REGEXP.
  • --matchByImage REGEXP: forward logs/stats only for the containers whose image matches the given REGEXP.
  • --skipByName REGEXP: do not forward logs/stats for the containers whose name matches the given REGEXP.
  • --skipByImage REGEXP: do not forward logs/stats for the containers whose image matches the given REGEXP.

Running the container in a restricted environment

Some environments (such as Google Compute Engine) do not allow access to the Docker socket without special privileges. You will get an EACCES error (Error: read EACCES) if you try to run the container. To run the container in such environments, add --privileged to the docker run command. Note that --privileged gives the container extended privileges on the host, so add it only where it is required.

docker run --privileged \
-v /var/run/docker.sock:/var/run/docker.sock \
--read-only \
--security-opt=no-new-privileges \
rapid7/r7insight_docker \
-t <TOKEN> \
-r <REGION> \
-j \
-a host=`uname -n`
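
The hardening flags described under "Additional info" (--read-only, --security-opt=no-new-privileges) and the --privileged fallback above can be verified on a running container from its `docker inspect` output. The Python script below is an added example, not part of the original InsightOps documentation; the container names and the sample JSON are constructed, and the script reads only the HostConfig and Mounts fields of the inspect output.

```python
import json
import sys

SOCKET = "/var/run/docker.sock"

# Constructed sample of `docker inspect` output, trimmed to the fields checked.
SAMPLE = json.dumps([
    {"Name": "/r7-hardened",
     "HostConfig": {"ReadonlyRootfs": True, "Privileged": False,
                    "SecurityOpt": ["no-new-privileges"]},
     "Mounts": [{"Type": "bind", "Source": SOCKET, "Destination": SOCKET}]},
    {"Name": "/r7-weak",
     "HostConfig": {"ReadonlyRootfs": False, "Privileged": True,
                    "SecurityOpt": None},
     "Mounts": [{"Type": "bind", "Source": SOCKET, "Destination": SOCKET}]},
])


def audit(inspect_json):
    """Return {container name: [findings]} for `docker inspect` JSON text."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        findings = []
        if not hc.get("ReadonlyRootfs"):
            findings.append("root filesystem is writable (--read-only not set)")
        # Docker records the option as "no-new-privileges", optionally with
        # ":true" or "=true" appended; a ":false" value disables it.
        opts = [o.replace("=", ":") for o in (hc.get("SecurityOpt") or [])]
        if not any(o in ("no-new-privileges", "no-new-privileges:true")
                   for o in opts):
            findings.append("no-new-privileges not set")
        if hc.get("Privileged"):
            findings.append("container is privileged")
        # The forwarder reads logs and stats through the Docker socket.
        mounts = c.get("Mounts") or []
        if not any(m.get("Destination") == SOCKET for m in mounts):
            findings.append("Docker socket is not mounted")
        report[c.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    # Usage: docker inspect <container> | python3 audit.py
    # With no piped input, the constructed sample is audited instead.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit(text).items():
        print(name, "->", findings or "ok")
```

An empty findings list means the container matches the hardened command at the top of the page; the check can run from a scheduled job to catch a forwarder that was restarted without its flags.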