diff --git a/libbeat/docs/processors-using.asciidoc b/libbeat/docs/processors-using.asciidoc
index 3d029658d697..a615da08ff15 100644
--- a/libbeat/docs/processors-using.asciidoc
+++ b/libbeat/docs/processors-using.asciidoc
@@ -822,6 +822,20 @@ from Docker containers:
 * Image
 * Labels
 
+[NOTE]
+=====
+When running {beatname_uc} in a container, you need to provide access to
+Docker’s unix socket in order for the `add_docker_metadata` processor to work.
+You can do this by mounting the socket inside the container. For example:
+
+`docker run -v /var/run/docker.sock:/var/run/docker.sock ...`
+
+To avoid privilege issues, you may also need to add `--user=root` to the
+`docker run` flags. Because the user must be part of the docker group in order
+to access `/var/run/docker.sock`, root access is required if {beatname_uc} is
+running as non-root inside the container. 
+=====
+
 [source,yaml]
 -------------------------------------------------------------------------------
 processors:
@@ -870,7 +884,6 @@ for container ID. It defaults to 4 to match
 `cleanup_timeout`:: (Optional) Time of inactivity to consider we can clean and
 forget metadata for a container, 60s by default.
 
-
 [[add-host-metadata]]
 === Add Host metadata