Mastering Docker Container Logs: Drivers, Commands, and Best Practices

Preface

Docker containers are widely used, and managing container logs is a common challenge. This guide consolidates essential Docker log concepts and practical commands.

Reference link: https://www.cnblogs.com/operationhome/p/10907591.html

Docker Log Overview

Docker logs are divided into two categories:

Docker engine logs (dockerd runtime logs)

Container logs generated by services inside the container

Engine logs are typically handled by Upstart (Ubuntu 14.04) or systemd (CentOS 7, Ubuntu 16.04). Use journalctl -u docker for systemd-managed systems.

Ubuntu 14.04: /var/log/upstart/docker.log

Ubuntu 16.04: journalctl -u docker.service

CentOS 7 / RHEL 7 / Fedora: journalctl -u docker.service

CoreOS: journalctl -u docker.service

OpenSuSE: journalctl -u docker.service

OSX: ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/log/docker.log

Debian 7: /var/log/daemon.log

Debian 8: journalctl -u docker.service

Boot2Docker: /var/log/docker.log

Container Log Commands

Use docker logs [container_name] to view STDOUT and STDERR output. For containers that redirect logs to files (e.g., nginx), create symbolic links to /dev/stdout or /dev/stderr to capture logs.

root@elk(192.168.1.103)/root> docker exec -it ngx sh
/ # ls -l /var/log/nginx/access.log
lrwxrwxrwx 1 root root 11 Jun 23 03:20 /var/log/nginx/access.log -> /dev/stdout
/ # ls -l /var/log/nginx/error.log
lrwxrwxrwx 1 root root 11 Jun 23 03:20 /var/log/nginx/error.log -> /dev/stderr

Only containers using the local, json-file, or journald drivers support docker logs.

Docker Log Drivers

none : No logs are generated.

local : Stores logs in a custom format with minimal overhead.

json-file : Default driver; logs are stored as JSON with timestamps.

syslog : Sends logs to the host syslog daemon.

journald : Sends logs to systemd‑journald.

gelf : Sends logs to Graylog‑compatible endpoints.

fluentd : Sends logs to a Fluentd collector.

awslogs : Sends logs to Amazon CloudWatch Logs.

splunk : Sends logs via HTTP Event Collector to Splunk.

etwlogs : Writes logs as Windows ETW events.

gcplogs : Sends logs to Google Cloud Logging.

logentries : Sends logs to Rapid7 Logentries.

Docker CE supports only local, json-file, and journald for docker logs.

Inspecting and Configuring Log Drivers

View current driver: docker info | egrep -i "logging driver" or docker info -f '{{.LoggingDriver}}' Inspect a container's driver:

docker inspect -f '{{.HostConfig.LogConfig.Type}}' [container_id]

Set global driver in /etc/daemon.json (JSON format), e.g., {"log-driver": "syslog"} Run a container with a specific driver:

docker run -itd --log-driver none alpine sh

Local Driver Details

The local driver records STDOUT/STDERR to host disk, keeping 100 MB per container by default with automatic compression.

Log file location:

/var/lib/docker/containers/<container_id>/local-logs/container.log

Supported options:

max-size : Maximum size before rotation (e.g., --log-opt max-size=10m).

max-file : Maximum number of log files (effective only with max-size).

compress : Enable or disable compression of rotated files.

docker run -itd --log-driver local alpine ping 127.0.0.1

tail -f /var/lib/docker/containers/ce58493e28e3089bb55c04ad1e2aad4dd6bd752ca37852bf8c690f97430d9a2a/local-logs/container.log

JSON‑File Driver Details

The default driver stores logs as JSON, including the log line, stream, and timestamp. Example entry:

{"log":"64 bytes from 127.0.0.1: seq=8 ttl=64 time=0.152 ms
","stream":"stdout","time":"2022-06-29T06:42:41.932442509Z"}

Log file path:

/var/lib/docker/containers/<container_id>/<container_id>-json.log

Syslog Driver

Requires the host rsyslog service. Configure /etc/rsyslog.conf to listen on UDP/TCP port 514, then restart the service.

# Provides UDP syslog reception
# $ModLoad imudp
# $UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

docker run --name alpine -itd --log-driver syslog --log-opt syslog-address=tcp://127.0.0.1:514 alpine ping 127.0.0.1

tail -f /var/log/messages

Journald Driver

Start a container with journald driver and optional labels or environment variables:

docker run --name alpine -itd --log-driver journald --log-opt labels=location --log-opt env=TEST --env "TEST=false" --label location=china alpine ping 127.0.0.1

View logs with journalctl filters, e.g., journalctl CONTAINER_NAME=alpine -f.

Production Log Handling

Two main log types:

Standard output (STDOUT/STDERR) – collectable via Docker log drivers (recommended).

File logs inside the container – not captured by drivers; need volume mounts or rootfs access.

For file‑based logs (e.g., Tomcat), you can bind‑mount a host directory or use a Docker volume:

--mount type=bind,src=/opt/logs/,dst=/usr/local/tomcat/logs/

docker volume create tomcat
docker run --name tomcat -P --mount type=volume,src=tomcat,dst=/usr/local/tomcat/logs/ -d tomcat:alpine

Rootfs Mount Point Collection

Determine the container's storage driver (aufs, overlay, overlay2, devicemapper) and compute the rootfs mount point to access internal logs without modifying the container.

aufs: /var/lib/docker/aufs/mnt/

overlay: /var/lib/docker/overlay//merged

overlay2: /var/lib/docker/overlay2//merged

devicemapper: /var/lib/docker/devicemapper/mnt//rootfs

docker inspect -f '{{.GraphDriver.Data.MergedDir}}' <container_id>

Log Rotation Example

By default, Docker creates a single growing log file. To limit size and number of files, edit /etc/docker/daemon.json:

{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "5m",
    "max-file": "3"
  }
}

Restart Docker and create new containers to apply the limits. After a load test, logs rotate as expected, creating .1, .2 files.

Setting log size and file count in daemon.json is essential for preventing uncontrolled disk usage.