crowdsecurity
diff --git a/‎crowdsec-docs/docs/log_processor/data_sources/docker.md
Lines changed: 114 additions & 27 deletions b/‎crowdsec-docs/docs/log_processor/data_sources/docker.md
Lines changed: 114 additions & 27 deletions
@@ -7,6 +7,8 @@ This module allows the `Security Engine` to acquire logs from running containers
 
 ## Configuration example
 
+### Container
+
 To monitor a given container name or ID:
 
 ```yaml
@@ -31,71 +33,115 @@ labels:
   type: log_type
 ```
 
+### Swarm
+
+To monitor a given Swarm service name or ID:
+
+```yaml
+source: docker
+service_name:
+ - my_service_name
+service_id:
+ - abcdef123456
+labels:
+  type: log_type
+```
+
+To monitor Swarm services name or ID matching a regex:
+
+```yaml
+source: docker
+service_name_regexp:
+ - web_*
+service_id_regexp:
+ - svc-*
+labels:
+  type: log_type
+```
+
 Look at the `configuration parameters` to view all supported options.
 
+
 ## Parameters
 
+:::warning
+you should not mix `container` options and `swarm` options as it may lead to duplicate logs being read. if you plan to use `swarm` options solely use these options.
+:::
+
+### Container
 
-### `container_name`
+#### `container_name`
 
 List of containers names to monitor.
 
-### `container_id`
+#### `container_id`
 
 List of containers IDs to monitor.
 
-### `container_name_regexp`
+#### `container_name_regexp`
 
 List of regexp matching containers names to monitor.
 
-### `container_id_regexp`
+#### `container_id_regexp`
 
 List of regexp matching containers ID to monitor.
 
-### `docker_host`
+#### `use_container_labels`
 
-Docker host.
+Forces the use of container labels to get the log type. Meaning you can define a single docker datasource and let the labels of the container define the log type.
 
-Default: `unix:///var/run/docker.sock`
+```yaml
+source: docker
+use_container_labels: true
+```
 
-### `until`
+Currently here is the list of reserved labels for the container:
 
-Read logs until timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes).
+`crowdsec.enable` : Enable crowdsec acquisition for this container the value must be set to `crowdsec.enable=true` for the container to be adopted.
 
-### `since`
+`crowdsec.labels` : Top level key that will parse into the labels struct for the acquisition, for example `crowdsec.labels.type=nginx` will be parsed to the following:
 
-Read logs since timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes).
+```yaml
+labels:
+  type: nginx
+```
 
-### `check_interval`
+Here is an example of running a nginx container with the labels:
 
-Relative interval (e.g. 5s for 5 seconds) to check for new containers matching the configuration.
+```bash
+docker run -d --label crowdsec.enable=true --label crowdsec.labels.type=nginx nginx:alpine
+```
 
-Default: `1s`
+### Swarm
 
-### `follow_stdout`
+#### `service_name`
 
-Follow `stdout` containers logs.
+List of service names to monitor.
 
-Default: `true`
+#### `service_id`
 
-### `follow_stderr`
+List of service IDs to monitor.
 
-Follow `stderr` container logs.
+#### `service_name_regexp`
 
-Default: `true`
+List of regexp matching service names to monitor.
 
-### `use_container_labels`
+#### `service_id_regexp`
 
-Forces the use of container labels to get the log type. Meaning you can define a single docker datasource and let the labels of the container define the log type.
+List of regexp matching service ID to monitor
+
+#### `use_service_labels`
+
+Forces the use of service labels to get the log type. Meaning you can define a single docker datasource and let the labels of the service define the log type.
 
 ```yaml
 source: docker
-use_container_labels: true
+use_service_labels: true
 ```
 
-Currently here is the list of reserved labels for the container:
+Currently here is the list of reserved labels for the service:
 
-`crowdsec.enable` : Enable crowdsec acquisition for this container the value must be set to `crowdsec.enable=true` for the container to be adopted.
+`crowdsec.enable` : Enable crowdsec acquisition for this service the value must be set to `crowdsec.enable=true` for the service to be adopted.
 
 `crowdsec.labels` : Top level key that will parse into the labels struct for the acquisition, for example `crowdsec.labels.type=nginx` will be parsed to the following:
 
@@ -104,15 +150,56 @@ labels:
   type: nginx
 ```
 
-Here is an example of running a nginx container with the labels:
+Here is an example of running a service using nginx with the labels:
 
 ```bash
-docker run -d --label crowdsec.enable=true --label crowdsec.labels.type=nginx nginx:alpine
+docker service create \
+  --name test-nginx \
+  --label crowdsec.enable=true \
+  --label crowdsec.labels.type=nginx \
+  --replicas 2 \
+  nginx:latest
 ```
 
+### `docker_host`
+
+Docker host.
+
+Default: `unix:///var/run/docker.sock`
+
+### `until`
+
+Read logs until timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes).
+
+### `since`
+
+Read logs since timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes).
+
+### `check_interval`
+
+Relative interval (e.g. 5s for 5 seconds) to check for new containers matching the configuration.
+
+Default: `1s`
+
+### `follow_stdout`
+
+Follow `stdout` containers logs.
+
+Default: `true`
+
+### `follow_stderr`
+
+Follow `stderr` container logs.
+
+Default: `true`
+
 
 ## DSN and command-line
 
+:::info
+DSN does not support reading from Swarm services
+:::
+
 docker datasource implements a very approximative DSN, as follows : `docker://<docker_name_or_id>?[args]`
 
 Supported args are :