
September 10, 2015By Christian Beedgen

Update On Logging With Docker

A Simpler & Better Way

In New Docker Logging Drivers, I previously described how to use the new Syslog logging driver introduced in Docker 1.6 to transport container logs to Sumo Logic.

Since then, the Syslog logging driver has been improved: it now lets you specify the address of the Syslog server the logs should be sent to. In its initial release the driver simply logged to the local Syslog daemon, but this is now configurable. We can take advantage of this, in conjunction with the Sumo Logic Collector container for Syslog, to make logging with Docker and Sumo Logic even easier.

Simply run the Syslog Collector container as previously described:

$ docker run -d -p 514:514 -p 514:514/udp \
 --name="sumo-logic-collector" \
 sumologic/collector:latest-syslog \
 [Access ID] [Access key]

Now you have a collector running, listening for Syslog on both ports 514/tcp and 514/udp.

For every container you run on the same host, you can now add the following to the Docker run command to make that container log to your Syslog collector:

--log-driver syslog --log-opt syslog-address=udp://localhost:514

Or, in a complete example:

$ docker run --rm --name test \
 --log-driver syslog --log-opt syslog-address=udp://localhost:514 \
 ubuntu \
 bash -c 'for i in `seq 1 10`; do echo Hello $i; sleep 1; done'

You should now see something along these lines in Sumo Logic:

[Screenshot: Docker syslog collection in Sumo Logic]

This, of course, works remotely as well. You can run the Sumo Logic Collector on one host and have containers on all other hosts log to it by setting the syslog address accordingly when running the container. Keep in mind that plain Syslog over UDP is neither encrypted nor acknowledged, so between hosts it should only travel over a network you trust.

And Here Is An Errata

In New Docker Logging Drivers, I described the newly added logging drivers in Docker 1.6. At the time, Docker was only able to log to local syslog, and hence our recommendation for integration was as follows:

$ docker run -v /var/log/syslog:/syslog -d \
 --name="sumo-logic-collector" \
 sumologic/collector:latest-logging-driver-syslog \
 [Access ID] [Access Key]

This has the Sumo Logic Collector tail the OS /var/log/syslog file. We have since discovered that this causes issues if /var/log/syslog is rotated by logrotate: the container holds on to the original file into which Syslog initially wrote the messages and does not pick up the new file after the old one has been moved out of the way.

There’s a simple solution to the issue: mount the directory into the container, not the file. In other words, please do this:

$ docker pull sumologic/collector:latest-logging-driver-syslog
$ docker run -v /var/log:/syslog -d \
 --name="sumo-logic-collector" \
 sumologic/collector:latest-logging-driver-syslog \
 [Access ID] [Access Key]

Or, of course, switch to the above described new and improved approach!
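To make the logrotate failure mode concrete, here is an added Python simulation (not part of the original post or of the Sumo Logic collector): it rotates a temporary log file the way logrotate does and compares a tailer that keeps its original file handle, as a file bind-mount forces it to, with one that can re-open the path after rotation, as a directory mount allows.

```python
import os
import tempfile


def rotate_and_tail(hold_open):
    """Simulate logrotate on a syslog file and return the lines a tailer sees.

    hold_open=True  mimics mounting the *file* into the container: the tailer
                    keeps reading from the descriptor it opened first.
    hold_open=False mimics mounting the *directory*: the tailer re-opens the
                    log by path after rotation and so follows the new file.
    """
    with tempfile.TemporaryDirectory() as logdir:
        path = os.path.join(logdir, "syslog")  # stands in for /var/log/syslog

        # Constructed sample: syslog writes one message before rotation.
        with open(path, "w") as writer:
            writer.write("before rotation\n")

        tailer = open(path)  # the collector starts tailing the live file
        seen = tailer.read().splitlines()

        # logrotate moves the old file aside and starts a fresh one.
        os.rename(path, path + ".1")
        with open(path, "w") as writer:
            writer.write("after rotation\n")

        if hold_open:
            # File mount: the descriptor still points at the renamed inode,
            # so nothing written to the new file is ever seen.
            seen += tailer.read().splitlines()
        else:
            # Directory mount: the new path is visible, so re-open it.
            tailer.close()
            tailer = open(path)
            seen += tailer.read().splitlines()
        tailer.close()
        return seen


if __name__ == "__main__":
    print("file mount     :", rotate_and_tail(hold_open=True))
    print("directory mount:", rotate_and_tail(hold_open=False))
```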


Christian Beedgen

As co-founder and CTO of Sumo Logic, Christian Beedgen brings 18 years experience creating industry-leading enterprise software products. Since 2010 he has been focused on building Sumo Logic’s multi-tenant, cloud-native machine data analytics platform which is widely used today by more than 1,600 customers and 50,000 users. Prior to Sumo Logic, Christian was an early engineer, engineering director and chief architect at ArcSight, contributing to ArcSight’s SIEM and log management solutions.
