Where is the docker events source stored? CentOS 7 Community

Hello.

I’m trying to send the output of docker events into ELK, running on CentOS 7, to watch for container restarts.

I’ve set up the filebeat docker watcher, which is great, but seems to be focused on the container internals. Not seeing an actual start.

The closest I’ve been able to find is

Dec 18 08:23:17 dockerhost containerd: time="2019-12-18T08:23:17.990766549+08:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/3a35d698a22b2c842258550b79140267aedf7c540c43cd88be159a643d9842fb/shim.sock" debug=false pid=8392

in /var/log/messages which shows an event, but isn’t particularly easy to link to a container once it’s left the machine.

The individual container logs are just showing the application stdout.

Any suggestions on what I’m missing?