
Master Docker Logging and Graylog Integration: A Step‑by‑Step Guide

This guide explains how Docker captures container output, stores it as JSON logs, configures various log drivers, and integrates with Graylog for centralized log management, including deployment, input setup, and sending logs from containers via Docker run or docker‑compose.

Efficient Ops

Docker Logs

When a container starts, it runs as a child process of the Docker daemon, which captures the container's standard output and forwards it to a LogDriver. The default driver writes JSON lines to a local file, but other drivers such as syslog can be used.

Docker stores each log line as a JSON object, for example:

{"log":"root@74205cdc7b53dd:/#ls\n","stream":"stdout","time":"xxx.155834526Z"}

The log driver can be changed at container start‑up with the --log-driver option (the image listing the supported drivers is not reproduced here).

Graylog Log Management

Graylog is an open‑source log management platform similar to the ELK stack. Docker natively supports the Graylog (GELF) protocol, and Graylog provides Docker images and a docker‑compose file for quick deployment.

Deploying Graylog

mkdir graylog
cd graylog

Initialize configuration files:

mkdir -p ./graylog/config
cd ./graylog/config
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/3.1/config/graylog.conf
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/3.1/config/log4j2.xml
# Return to the project directory so the relative path below, and the
# ./graylog/config volume path in docker-compose.yml, resolve correctly
cd ../..
# Fix permission issue caused by Graylog using UID 1100
chown -R 1100:1100 ./graylog/config

Edit graylog.conf to set the desired timezone, e.g.:

root_timezone = Asia/Shanghai

Create a docker-compose.yml file (excerpt):

version: '3'
services:
  mongo:
    image: mongo:3
    networks:
      - graylog
    volumes:
      - mongo_data:/data/db
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.5.0
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - ES_JAVA_OPTS=-Xms512m -Xmx512m
    ulimits:
      memlock:
        soft: -1
        hard: -1
    networks:
      - graylog
  graylog:
    image: graylog/graylog:3.1
    volumes:
      - graylog_journal:/usr/share/graylog/data/journal
      - ./graylog/config:/usr/share/graylog/data/config
    environment:
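      # Sample credentials: the hash below is the SHA-256 of "admin";
      # replace both values before deploying
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918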
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.0.103:9000/
    networks:
      - graylog
    depends_on:
      - mongo
      - elasticsearch
    ports:
      - 9000:9000
      - 1514:1514
      - 1514:1514/udp
      - 12201:12201
      - 12201:12201/udp
networks:
  graylog:
    driver: bridge
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local

Start the stack with docker-compose up and access the Graylog web UI at http://<host>:9000 (default credentials admin/admin).
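
The GRAYLOG_ROOT_PASSWORD_SHA2 value in the compose file above is the SHA-256 of the string admin, which is where the admin/admin login comes from, and GRAYLOG_PASSWORD_SECRET is likewise a sample value. The shell functions below are an added example, not part of the original article: they generate replacement values and check a compose file for the sample ones. The function names are illustrative, and sha256sum, od, tr and grep are assumed to be available.

```shell
#!/bin/sh
# Added example: replace the sample Graylog credentials from the
# docker-compose.yml on this page. Function names are illustrative.

# Sample values copied from the compose file on this page.
SAMPLE_SECRET='somepasswordpepper'
SAMPLE_SHA2='8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918'

# Hex SHA-256 of a password, the format GRAYLOG_ROOT_PASSWORD_SHA2 expects.
# printf '%s' keeps a trailing newline out of the hash.
root_password_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Random value for GRAYLOG_PASSWORD_SECRET: N random bytes (default 48)
# printed as 2*N hex characters.
password_secret() {
    od -An -tx1 -N"${1:-48}" /dev/urandom | tr -d ' \n'
}

# Print the two environment entries for a chosen root password.
graylog_credential_env() {
    printf 'GRAYLOG_PASSWORD_SECRET=%s\n' "$(password_secret 48)"
    printf 'GRAYLOG_ROOT_PASSWORD_SHA2=%s\n' "$(root_password_sha2 "$1")"
}

# Return 0 (and name each finding) if a compose file still carries the
# sample secret or the sample admin hash; return 1 if neither is present.
compose_has_sample_credentials() {
    found=1
    if grep -qF "GRAYLOG_PASSWORD_SECRET=$SAMPLE_SECRET" "$1"; then
        echo "sample GRAYLOG_PASSWORD_SECRET in $1"
        found=0
    fi
    if grep -qiF "GRAYLOG_ROOT_PASSWORD_SHA2=$SAMPLE_SHA2" "$1"; then
        echo "sample GRAYLOG_ROOT_PASSWORD_SHA2 (password: admin) in $1"
        found=0
    fi
    return "$found"
}

# Usage:
#   graylog_credential_env 'a long passphrase of your own'
#   compose_has_sample_credentials docker-compose.yml
```

Paste the two generated lines in place of the sample entries under environment: before starting the stack.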

Configuring Graylog Input

In Graylog’s web UI, go to the System tab → Inputs and create a new input, e.g., GELF UDP. After saving, the input status changes to RUNNING and can receive log messages.

Sending Docker Logs to Graylog

Run a container with the GELF driver:

docker run --log-driver=gelf \
  --log-opt gelf-address=udp://<graylog_server>:12201 \
  --log-opt tag="<container_tag>" \
  <IMAGE> <COMMAND>

Example:

docker run -d \
  --log-driver=gelf \
  --log-opt gelf-address=udp://localhost:12201 \
  --log-opt tag="{{.ImageName}}/{{.Name}}/{{.ID}}" \
  busybox sh -c 'while true; do echo "Graylog test message"; sleep 10; done'

When using docker‑compose, add a logging section to the service definition:

logging:
  driver: "gelf"
  options:
    gelf-address: "udp://<graylog_server>:12201"
    tag: "<container_tag>"

After logs are sent, they can be searched in Graylog’s Search tab.
