Docker Syslog logging driver

This article discuss the steps to enable syslog logging driver in docker.

Docker comes with a syslog logging driver, which routes logs to a syslog server. Syslog has the advantage of being already available on most of docker hosts, like the case of an Ubuntu host.

We will first setup rsyslog, and then tell docker to use it.

rsyslog set-up

We will collect logs for the docker daemon and for the containers.

We will create a rsyslog conf file /etc/rsyslog.d/10-docker.conf with the following content

$FileCreateMode 0644
$template DockerDaemonLogFileName,"/var/log/docker/docker.log"
$template DockerContainerLogFileName,"/var/log/docker/%SYSLOGTAG:R,ERE,1,FIELD:docker/(.*)\[--end:secpath-replace%.log"
if $programname == 'dockerd' then {
?DockerDaemonLogFileName
stop
}
if $programname == 'containerd' then {
?DockerDaemonLogFileName
stop
}
if $programname == 'docker' then {
if $syslogtag contains 'docker/' then {
?DockerContainerLogFileName
stop
}
}
$FileCreateMode 0600

Once rsyslog configuration is defined we will create the directory to store logs

sudo mkdir /var/log/docker
sudo chown syslog:adm /var/log/docker/

verify that configuration is correct

rsyslogd -f /etc/rsyslog.conf -N1
rsyslogd -f /etc/rsyslog.d/10-docker.conf -N1

In my test system I get this

rsyslogd: version 8.2112.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

restart rsyslog

sudo systemctl restart rsyslog

logrotate set-up

We will set-up logrotate to take care of our docker logs, you will need to do sudo nano /etc/logrotate.d/docker then enter this

/var/log/docker/*.log {
  copytruncate
  compress
  delaycompress
  dateext
  size 20M
  weekly
  dateformat -%Y%m%d
  missingok
  rotate 4
}

now we will restart the logrotate daemon

sudo systemctl restart logrotate

Docker set-up

Once we have rsyslog setup, we can now tell Docker to use it.

In order to enable syslog logging driver you need to edit /etc/docker/daemon.json file

{
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "unixgram:///dev/log",
    "tag": "docker/{{.Name}}",
    "syslog-facility": "daemon"
    }
}

Once you save the configuration file you need to reload the docker daemon

sudo systemctl reload docker

Check logs

You should now be able to see docker log files in /var/log/docker/

have fun!

References

Some useful references

• https://docs.docker.com/config/containers/logging/syslog/

• https://www.loggly.com/use-cases/docker-syslog-logging-and-troubleshooting/

• https://www.commandprompt.com/blog/docker-logging-with-rsyslog/