Docker syslog driver to local facility


Scenario

You have Docker installed and want to send container logs to a local syslog facility (e.g. local6) instead of the default json-file driver.

You can use the --log-driver=VALUE option with the docker run command to configure a single container’s logging driver, or you can set the parameter globally in the Docker daemon configuration file. Setting it globally is useful when using container orchestration such as Kubernetes or Apache Mesos.

Step #1

Edit the Docker configuration file (/etc/sysconfig/docker on RHEL/CentOS based systems).

# vi /etc/sysconfig/docker

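Add the logging options (--log-driver=syslog --log-opt syslog-facility=local6 --log-level=warn) to the OPTIONS line. The first two select the syslog driver and its facility; --log-level=warn sets the verbosity of the Docker daemon's own log output.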

# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=syslog --log-opt syslog-facility=local6 --log-level=warn'

DOCKER_CERT_PATH=/etc/docker

# If you want to add your own registry to be used for docker search and docker
# pull use the ADD_REGISTRY option to list a set of registries, each prepended
# with --add-registry flag. The first registry added will be the first registry
# searched.
ADD_REGISTRY=''

# If you want to block registries from being used, uncomment the BLOCK_REGISTRY
# option and give it a set of registries, each prepended with --block-registry
# flag. For example adding docker.io will stop users from downloading images
# from docker.io
# BLOCK_REGISTRY='--block-registry'

# If you have a registry secured with https but do not have proper certs
# distributed, you can tell docker to not look for full authorization by
# adding the registry to the INSECURE_REGISTRY line and uncommenting it.
INSECURE_REGISTRY=''

# On an SELinux system, if you remove the --selinux-enabled option, you
# also need to turn on the docker_transition_unconfined boolean.
# setsebool -P docker_transition_unconfined 1

# Location used for temporary files, such as those created by
# docker load and build operations. Default is /var/lib/docker/tmp
# Can be overridden by setting the following environment variable.
# DOCKER_TMPDIR=/var/tmp

# Controls the /etc/cron.daily/docker-logrotate cron job status.
# To disable, uncomment the line below.
# LOGROTATE=false

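Restart the Docker daemon. The new default applies to containers created after the restart; existing containers keep the logging driver they were created with.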

# systemctl restart docker

Step #2

Configure the syslog daemon (rsyslog) to write messages logged to the local6 facility to a specified location.

Create a new file in /etc/rsyslog.d called docker.conf.

# vi /etc/rsyslog.d/docker.conf

Add the following line to the /etc/rsyslog.d/docker.conf file.

local6.*    -/var/log/docker/docker.log

Make sure that /var/log/docker exists.

# mkdir /var/log/docker

Restart the rsyslog daemon.

# systemctl restart rsyslog

Start a Docker container or two. You will now be able to view all Docker logs in /var/log/docker/docker.log.
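
A consistency check for the two files edited in Step #1 and Step #2, added here as an example and not part of the original guide: it reads the facility from the OPTIONS line and confirms that an rsyslog rule for that facility writes to a file in an existing directory. The function names are hypothetical, and it assumes the --option=value form and a facility.* selector as used above.

```shell
#!/usr/bin/env bash
# Added example: confirm the facility in Docker's OPTIONS line has a matching
# rsyslog rule. Function names are hypothetical; only the "--opt=value" form
# and "facility.*" selectors are recognised.

# Print the syslog facility from the active OPTIONS= line of a sysconfig file.
docker_syslog_facility() {
    local opts
    # Skip commented lines; the last assignment wins, as when the file is sourced.
    opts=$(grep -E '^[[:space:]]*OPTIONS=' "$1" | tail -n 1)
    case "$opts" in
        *--log-driver=syslog*) ;;
        *) return 1 ;;   # still json-file or another driver
    esac
    printf '%s\n' "$opts" |
        sed -n 's/.*syslog-facility=\([A-Za-z0-9]*\).*/\1/p' | grep .
}

# Print the file that the first "FACILITY.*" rule in an rsyslog file writes to.
rsyslog_target() {
    # Selector, whitespace, optional "-" prefix, then an absolute path.
    sed -n -E "s#^[[:space:]]*$1\.\*[[:space:]]+-?(/[^[:space:]]+).*#\1#p" "$2" |
        head -n 1 | grep .
}

# Return 0 if the two files agree, 1-3 for the first problem found.
check_docker_syslog() {
    local facility target
    facility=$(docker_syslog_facility "$1") || {
        echo "FAIL: OPTIONS does not select syslog with a facility"; return 1; }
    target=$(rsyslog_target "$facility" "$2") || {
        echo "FAIL: no rsyslog rule for ${facility}.*"; return 2; }
    [ -d "$(dirname "$target")" ] || {
        echo "FAIL: directory for $target is missing"; return 3; }
    echo "OK: $facility -> $target"
}

# Usage: bash check.sh /etc/sysconfig/docker /etc/rsyslog.d/docker.conf
if [ "$#" -eq 2 ]; then
    check_docker_syslog "$1" "$2"
fi
```

A facility mismatch between the two files (exit status 2) is the case worth catching: container logs then fall through to whatever default rules rsyslog has rather than the dedicated file.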

For additional information on configuring Docker's logging drivers, please visit https://docs.docker.com/engine/admin/logging/overview.