Master Docker Logging: Choose the Right Log Driver and Manage Container Logs Efficiently

Docker Log Types

Docker logs are divided into two categories:

Docker engine logs (the daemon runtime logs)

Container logs (logs generated by services inside the container)

1. Docker Engine Logs

Engine logs are typically handled by the host’s init system. On Ubuntu 14.04 they are stored in /var/log/upstart/docker.log; on Ubuntu 16.04 and most systemd‑based systems they can be viewed with journalctl -u docker or journalctl -u docker.service. Other platforms such as CentOS, CoreOS, OpenSuSE, macOS, and Debian have their own log locations, e.g., /var/log/docker.log or /var/log/daemon.log.

2. Container Logs

2.1 Common Log Command – docker logs

The docker logs CONTAINER command shows STDOUT and STDERR output from a running container. It does not capture logs written directly to files inside the container unless the container uses a supported log driver (local, json‑file, or journald).

Note: Containers that write logs to files (e.g., Tomcat) require additional handling because docker logs only captures standard streams.

2.2 Docker Log Drivers

Docker provides several log drivers to route container output to different back‑ends. The main drivers are:

none – disables logging.

local – stores logs on the host in

/var/lib/docker/containers/<container‑id>/local-logs/container.log

, with optional rotation options such as max-size, max-file, and compress.

json-file (default) – writes logs in JSON format to

/var/lib/docker/containers/<container‑id>/<container‑id>-json.log

. Supports options like max-size, max-file, labels, env, and compress.

syslog – forwards logs to a syslog server. Configuration is done via /etc/docker/daemon.json with options such as syslog-address, syslog-facility, and tag.

journald – sends logs to the systemd journal. It can be enabled globally in /etc/docker/daemon.json or per‑container with --log-driver=journald. Additional options include labels, env, and tag.

Other drivers (gelf, fluentd, awslogs, splunk, etwlogs, gcplogs, logentries) are also available for specific integrations.

Configuring Log Drivers

To set a global driver, edit /etc/docker/daemon.json and restart Docker. Example for syslog:

{
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "udp://1.2.3.4:1111"
  }
}

For a per‑container driver, use the --log-driver flag when running the container, e.g.:

docker run -d -it --log-driver local --log-opt max-size=10m --log-opt max-file=3 myimage

Local Driver Options

max-size

– maximum size of a log file before rotation (default 20m). max-file – maximum number of rotated files to keep (default 5). compress – enable compression of rotated files (default true).

JSON‑File Driver Options

max-size

– maximum size before rotation (default unlimited). max-file – maximum number of files (default 1). labels, env, env-regex – include container labels or environment variables in log metadata. compress – enable compression of rotated logs.

Syslog Driver Options

syslog-address

– address of the syslog server (e.g., udp://1.2.3.4:514). syslog-facility – syslog facility (e.g., daemon). tag – tag to prepend to each log message.

Journald Driver Options

tag

– sets CONTAINER_TAG and SYSLOG_IDENTIFIER. labels, env, env-regex – include additional metadata.

Handling File‑Based Container Logs

Some applications write logs directly to files inside the container (e.g., Tomcat). To collect these logs you can:

Bind mount a host directory to the container’s log directory using --mount type=bind,src=/opt/logs/,dst=/usr/local/tomcat/logs/.

Use a Docker volume and mount it to the log path with

--mount type=volume,src=tomcat_logs,dst=/usr/local/tomcat/logs/

.

Compute the container’s rootfs mount point based on the storage driver (overlay, overlay2, aufs, devicemapper) and read logs directly from the host filesystem.

Write logs to an external system (e.g., Redis → Logstash → Elasticsearch) from within the application code.

Choosing the appropriate method depends on the application’s logging design and operational requirements.

Conclusion

Docker offers flexible logging mechanisms through various drivers and configuration options. Understanding the differences between standard‑output logs and file‑based logs, and selecting the right driver or mounting strategy, enables reliable log collection and management in production environments.