One challenge when using containers, especially in highly dynamic environments, is matching log messages with the containers that generate them. When you use the Alert Logic Agent Container to collect information about running containers on a host, Alert Logic stores container metadata, such as the names of the containers running on that host, alongside the log messages collected from that host.
The following search query matches log messages by the names of the containers present on the collecting host and returns the messages together with all the asset metadata Alert Logic collected from that host. Note that the match is made against every container on the host, not only the container that emitted a given message, so messages from other processes on a matching host are returned as well. Run the query in Alert Logic Search: in the Alert Logic console, open the navigation menu and go to Investigate > Search > Search, then change the Simple Mode drop-down to Expert Mode.
-- Match log messages based on the container name present on the host
-- Look at the last column (Asset) for the full set of properties that
-- can be displayed or matched.
SELECT
time_recv AS "Time Received",
message AS "Message",
asset.dict.asset.containers[*].name AS "Container Names",
asset.dict.asset AS "Assets"
FROM logmsgs
WHERE
-- Any container name on the host where the log was collected
-- contains the string ip-masq-agent-
ARRAY_ANY("Container Names", @ CONTAINS 'ip-masq-agent-')
ORDER BY time_recv DESC
LIMIT 100
To use this query right away, open this query in the Alert Logic console.
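For readers who export search results (or collect the same fields another way) and want to reproduce the filter offline, the following Python example re-implements the query's logic: project the selected columns, keep rows where any container name on the host contains the search string, order by time received descending, and apply the limit. This is example code added to this article, not Alert Logic's own code; it assumes exported rows are JSON objects carrying time_recv, message and an asset dict shaped like asset.dict.asset.containers[*].name, as the query's field names suggest, and the sample rows are constructed.

```python
"""Offline re-implementation of the container-name match performed by the
Alert Logic Search query above, for use on exported search results.

Example code added to this article, not Alert Logic's own code. It assumes
exported rows are JSON objects carrying `time_recv`, `message` and an
`asset` dict shaped like asset.dict.asset.containers[*].name; the sample
rows below are constructed for illustration.
"""
from typing import Iterable

# Constructed sample rows mirroring the fields the query selects.
# node-a runs an ip-masq-agent container, so ALL of its messages match,
# including the sshd line that no container produced.
SAMPLE_ROWS = [
    {
        "time_recv": 1700000300,
        "message": "ip-masq-agent: syncing iptables rules",
        "asset": {"dict": {"asset": {"hostname": "node-a", "containers": [
            {"name": "ip-masq-agent-7f9", "image": "k8s.gcr.io/ip-masq-agent"},
            {"name": "kube-proxy-2x1", "image": "k8s.gcr.io/kube-proxy"}]}}},
    },
    {
        "time_recv": 1700000200,
        "message": "kube-proxy: updated endpoints",
        "asset": {"dict": {"asset": {"hostname": "node-b", "containers": [
            {"name": "kube-proxy-9qz", "image": "k8s.gcr.io/kube-proxy"}]}}},
    },
    {
        "time_recv": 1700000400,
        "message": "sshd: accepted publickey",
        "asset": {"dict": {"asset": {"hostname": "node-a", "containers": [
            {"name": "ip-masq-agent-7f9"}, {"name": "kube-proxy-2x1"}]}}},
    },
    {
        "time_recv": 1700000100,
        "message": "no container metadata on this host",
        "asset": {"dict": {"asset": {"hostname": "bare-metal-1"}}},
    },
]


def container_names(row: dict) -> list[str]:
    """Equivalent of asset.dict.asset.containers[*].name; a missing path yields []."""
    containers = row.get("asset", {}).get("dict", {}).get("asset", {}).get("containers") or []
    return [c["name"] for c in containers if isinstance(c, dict) and "name" in c]


def array_any_contains(names: Iterable[str], needle: str) -> bool:
    """Equivalent of ARRAY_ANY(names, @ CONTAINS needle): true if any element contains the substring."""
    return any(needle in name for name in names)


def match_container_logs(rows: Iterable[dict], needle: str, limit: int = 100) -> list[dict]:
    """Reproduce the query: SELECT the four columns, WHERE any container name
    contains `needle`, ORDER BY time_recv DESC, LIMIT `limit`."""
    matched = [
        {
            "Time Received": row["time_recv"],
            "Message": row["message"],
            "Container Names": container_names(row),
            "Assets": row.get("asset", {}).get("dict", {}).get("asset"),
        }
        for row in rows
        if array_any_contains(container_names(row), needle)
    ]
    matched.sort(key=lambda hit: hit["Time Received"], reverse=True)
    return matched[:limit]


if __name__ == "__main__":
    for hit in match_container_logs(SAMPLE_ROWS, "ip-masq-agent-"):
        print(hit["Time Received"], hit["Message"], hit["Container Names"])
```

Running the script returns both node-a rows, newest first: the sshd message appears alongside the ip-masq-agent message because the host, not the emitting container, is what the filter matches. If you need only messages from the container itself, filter additionally on the message content or on a container identifier present in the log line.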
Did you find this useful? Share your queries and questions with Alert Logic in the comments.