How To Run Rsyslog in a Docker Container for Logging

I’ve been playing around with Docker this morning (read as I have followed their 15 min tutorial and have installed it on an Ubuntu instance – so I’m not quite the expert yet). I was initially interested in figuring out what log management looks like for any Docker users out there.

From first look, Docker has a “logs” command that will fetch the logs from a container. You can run this via the docker daemon and it will capture all the stdout/stderr from the process you’re running:

$ docker logs $CONTAINER_ID

I ran the ‘hello world daemon’ example, routed the output to a log file and even managed to send the events to Logentries using the Logentries agent on my Ubuntu host that was running the Docker container.


However, using the Docker “logs” command is a little primitive, as every time you run docker logs container_id you get all the logs of that process from the beginning.

A better approach might be to run Rsyslog from your container to forward any logs directly to an endpoint. One of our clever engineers put together a quick Dockerfile for me to test this out. (Thanks Chris!)

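Here’s what it looks like:

# Base image
FROM ubuntu:saucy
# Add an extra package source, then install rsyslog
RUN echo "deb http://us.archive.ubuntu.com/ubuntu/ precise main universe" >> /etc/apt/sources.list
RUN apt-get update
RUN apt-get -y install rsyslog
# Copy the forwarding rule into rsyslog's config directory
ADD ./logentries.conf /etc/rsyslog.d/logentries.conf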

And what it does:

  • grabs the ubuntu:saucy image
  • installs Rsyslog
  • adds a config file for forwarding your log events to Logentries (note you can modify this with any endpoint so that you can forward your logs to wherever you want)

To test this out I cloned Chris’ git repo,

$ git clone https://github.com/m0wfo/le-docker.git

Then ran the following commands, which build the Docker image, launch the container and attach to the container instance:

$ cd le-docker
$ sudo docker build -t le/example .
$ sudo docker run -i -t le/example /bin/bash

I next opened the logentries.conf file and added my Logentries log token of a new “token based” log that I created in my Logentries UI:

$ vi /etc/rsyslog.d/logentries.conf

It looks like this:

[Screenshot: contents of logentries.conf]

Simply replace TOKEN with your log token found here:

[Screenshot: log token in the Logentries UI]

Finally I started Rsyslog, and created some test events using the “logger” command.

$ rsyslogd
$ logger this is a test


Now I see logs streaming into Logentries from my Docker container via Rsyslog!!!

(Thanks again Chris!)
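
The manual steps above (edit the file, replace TOKEN, start rsyslogd) can be scripted so the token is supplied when the container starts instead of being saved into the image. This is an added example, not code from the le-docker repo; the LE_TOKEN variable name, the UUID-shaped token check, the template contents and the placeholder endpoint are assumptions.

```shell
#!/bin/sh
# Added example (not from the le-docker repo): fill the TOKEN placeholder in an
# rsyslog forwarding config when the container starts.
# Assumptions: the LE_TOKEN variable name and a UUID-shaped token.

# is_valid_token TOKEN: succeed only for a UUID-shaped value (assumed format).
is_valid_token() {
    case $1 in
        ''|*[!0-9a-fA-F-]*) return 1 ;;   # empty, or any char outside hex and '-'
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# render_conf TEMPLATE TOKEN: print TEMPLATE with each literal TOKEN replaced.
render_conf() {
    [ -r "$1" ] || { echo "cannot read template: $1" >&2; return 2; }
    is_valid_token "$2" || { echo "log token missing or malformed" >&2; return 1; }
    # The validation above leaves nothing in $2 that sed would treat specially.
    sed "s/TOKEN/$2/g" "$1"
}

# install_conf TEMPLATE TOKEN DEST: write the rendered file, owner-readable only.
install_conf() {
    if ( umask 077; render_conf "$1" "$2" > "$3.tmp" ); then
        mv "$3.tmp" "$3"
    else
        rm -f "$3.tmp"
        return 1
    fi
}

# Demo on a constructed template; the endpoint is a placeholder, not a real host.
demo_dir=$(mktemp -d)
cat > "$demo_dir/logentries.conf.tmpl" <<'EOF'
$template Logentries,"TOKEN %HOSTNAME% %syslogtag%%msg%\n"
*.* @@logs.example.invalid:514;Logentries
EOF
# Constructed token; in a container this would be "$LE_TOKEN" from `docker run -e`.
install_conf "$demo_dir/logentries.conf.tmpl" \
    "00000000-1111-2222-3333-444444444444" "$demo_dir/logentries.conf" &&
    cat "$demo_dir/logentries.conf"
```

A malformed or empty token leaves no config file behind, so rsyslogd never starts with a half-filled forwarding rule.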




    Posted in DevOps, How To, Syslog, Tips & Tricks
    5 comments on “How To Run Rsyslog in a Docker Container for Logging”
    1. Ben says:

      I started with this approach but it felt somehow wrong to run a daemon in the container. Now I bind mount /dev/log (using -v /dev/log:/dev/log) to the container and use the host’s syslog daemon instead.

      • Trevor Parsons says:

        Thanks for the comment Ben! Yep, I’ve seen that approach also and it has an advantage where multiple docker containers could potentially take advantage of this. I’ve had a number of people suggest this type of approach since posting the above.

        Interested in why it feels wrong to run syslog in the container – I have seen the baseimage guys: http://phusion.github.io/baseimage-docker/ also promoting this.

    2. Colin says:

      Just wanted to say thanks. I was struggling with running a program in a Docker container that depended on the /dev/log socket, and trying to find the Docker alternative to starting the rsyslog service. rsyslogd is that alternative, and the methods for capturing logs here are really useful!

    3. Bind mounting /dev/log isn’t necessary, b/c a docker container knows from the routing table how to find the host. If you’re gonna use the host’s rsyslog server, why not have it listen on all ports, or at the very least its IP on the Docker bridge and use that? Or, with a little scripting, have a container startup script that can cover all the bases:

      https://github.com/randywallace/dockerfiles/blob/master/startup-scripts/log.sh.lib

      1) If you set HOST_SYSLOG_DAEMON, it will maintain that setting
      2) if you have a syslog container linked to the container creating logs, this sets HOST_SYSLOG_DAEMON to the IP of that container
      3) otherwise, it sets it to the IP of the gateway

      See the tests in https://github.com/randywallace/dockerfiles/blob/master/startup-scripts/test/log.sh and play with the environment variables to see it in action.
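
The three-step fallback described in the comment above, as an added example that is not the linked log.sh.lib and not the commenter's code. The link alias "syslog" (which gives the SYSLOG_PORT_514_UDP_ADDR variable under legacy Docker links), the use of `ip route` output, and the sample route table are assumptions.

```shell
#!/bin/sh
# Added example (not the linked log.sh.lib): pick a syslog destination in the
# order the comment describes. Assumptions: a legacy Docker link with alias
# "syslog" exposing 514/udp, and `ip route` output as the source of the gateway.

# default_gateway: read `ip route` text on stdin, print the default gateway.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# resolve_syslog_host ROUTES: print the chosen host, or fail if none is usable.
resolve_syslog_host() {
    if [ -n "${HOST_SYSLOG_DAEMON:-}" ]; then
        host=$HOST_SYSLOG_DAEMON                       # 1) explicit setting wins
    elif [ -n "${SYSLOG_PORT_514_UDP_ADDR:-}" ]; then
        host=$SYSLOG_PORT_514_UDP_ADDR                 # 2) linked syslog container
    else
        host=$(printf '%s\n' "$1" | default_gateway)   # 3) the gateway (the host)
    fi
    # Refuse anything that is not a plain host name or IPv4 address before it
    # is written into an rsyslog rule.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "no usable syslog host" >&2; return 1 ;;
    esac
    printf '%s\n' "$host"
}

# forward_rule ROUTES: print an rsyslog rule forwarding everything over UDP.
forward_rule() {
    h=$(resolve_syslog_host "$1") || return 1
    printf '*.* @%s:514\n' "$h"
}

# Constructed `ip route` output for the demo.
SAMPLE_ROUTES='default via 172.17.42.1 dev eth0
172.17.0.0/16 dev eth0  proto kernel  scope link  src 172.17.0.2'
forward_rule "$SAMPLE_ROUTES"
```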
