Docker Logging Driver

The Docker logging driver allows you send stdout and stderr output from your container to the host’s syslog daemon. The syslog daemon on the host will then forward the logs to Loggly. For alternatives, please see the Advanced Options section below.

  1. Configure Syslog Daemon
  2. If you haven’t already, run our automatic Configure-Syslog script below to configure rsyslog on the host. Alternatively, you can Manually Configure Rsyslog or Syslog-ng.

    curl -O https://www.loggly.com/install/configure-linux.sh
    sudo bash configure-linux.sh -a SUBDOMAIN -u USERNAME
    

    Replace:

    • SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
    • USERNAME: your Loggly username

  3. Configure Rsyslog
  4. To show Docker Container ID in the appName, edit the template in 22-loggly.conf present in /etc/rsyslog.d/ directory

    If you are using rsyslog version 6.x or lower, then use the following configuration

    $template LogglyFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% %msgid% [TOKEN@41058] %msg%\n"
    

    If you are using rsyslog version 7.x or higher, then use the following configuration. This will trim the process id from the appName which will make it easier to read and analyze in the field explorer.

    $template LogglyFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %$!syslogtag% %procid% %msgid% [TOKEN@41058] %msg%\n"
    
    #Script below will send  'docker/Container ID' in appName.
    if re_match($syslogtag,'(docker)')
    then
    {
        set $!extract = re_extract($syslogtag,'(docker/[a-zA-Z0-9]*)',0,1,"");
        set $!syslogtag= $!extract;
    }
    else
        set $!syslogtag = $syslogtag;

    Replace:

  5. Configure Docker
  6. Set –log-driver=syslog to route stdout and stderr to the host’s syslog daemon. The syslog daemon will forward them to Loggly. Here is an example using the Ubuntu container.

    sudo docker run -d --log-driver=syslog ubuntu echo "Test Log"

    You should be able to see the logs in the host machine’s syslog log file. The log messages will include the container ID (the first 12 characters), plus the actual output of the container.

    $ tail /var/log/syslog
    Jan 28 10:15:57 PSQ110 docker/12084ad52ea1[1698]: Test Log
    

  7. Verify Events
  8. Search Loggly for events with the appName of ‘docker/Docker-Container-ID’ over the past 20 minutes. It may take a few minutes to index the events. If it doesn’t work, see the troubleshooting section below.

     syslog.appName:"docker/Docker-Container-ID"
    

    Replace:

    • Docker-Container-ID: your Your Docker Container ID.

    docker syslogtag

    Note: The output for versions 6.x or lower will be “syslog.appName:docker/12084ad52ea1[1698]” in loggly.

Advanced Docker Logging Driver Options

Docker Logging Driver Troubleshooting

  • Wait a few minutes in case indexing needs to catch up.
  • Verify that the docker logging driver and syslog daemon are working by checking the host machine’s syslog file
    tail -F /var/log/syslog
  • If they are in the syslog file but not showing up in Loggly, check our guide for troubleshooting rsyslog
  • Search or post your own Docker Logging Driver questions in the community forum
Thanks for the feedback! We'll use it to improve our support documentation.


Top