Docker: syslog-ng setup


In this article I will show you how to create and set up a syslog-ng container in Docker and redirect the logs of another container to it.
You should already have a working Docker installation. If you do not know how to set one up, search this site, as I have written several articles about it; the web is also full of guides.

1. Edit the syslog-ng configuration file

What I did was to take the default syslog-ng.conf from inside the container and edit it to my needs.
The configuration below writes syslog-ng's own messages to messages_local and creates one file, messages_HOST_PROGRAM, per Docker container, automatically and without any additional filter.
It works on the fly: you do not need to add a custom filter for each container you configure to send its messages there, because the HOST and PROGRAM macros are filled from the header of every incoming message.

@version: 3.29
@include "scl.conf"

source s_local {
    internal();
};

source s_network {
    default-network-drivers(
    );
};

destination d_local {
    file("/var/log/messages_local");
};

destination d_network {
    file("/var/log/messages_${HOST}_${PROGRAM}" template("$(format-welf --scope all-nv-pairs)\n") frac-digits(3));
};

log {
    source(s_local);
    destination(d_local);
};

log {
    source(s_network);
    destination(d_network);
};

2. Start the syslog-ng Docker container - this is how I run mine:

Two things to keep in mind: syslog over UDP 514 is plaintext and unauthenticated, so bind it to the LAN address as done here (or firewall it) rather than to 0.0.0.0, and the TLS listener on 6514 of default-network-drivers() is only opened once you give it the TLS key and certificate options (see the default-network-drivers() options in the syslog-ng documentation), so with the configuration above the published port 6514 has nothing behind it yet.

DOCKER_IP=192.168.11.30
DOCKER_NAME=syslog
DOCKER_IMAGE=balabit/syslog-ng:latest
DATA_DIR=/docker/DATA/services/syslog/logs
CONFIG_FILE=/docker/DATA/services/syslog/syslog-ng.conf

docker run -d \
  --name ${DOCKER_NAME} \
  --restart=always \
  --publish ${DOCKER_IP}:514:514/udp \
  --publish ${DOCKER_IP}:601:601 \
  --publish ${DOCKER_IP}:6514:6514 \
  --volume ${DATA_DIR}:/var/log \
  --volume ${CONFIG_FILE}:/etc/syslog-ng/syslog-ng.conf \
  ${DOCKER_IMAGE}

The running container should look like this:

23:22:55 root@sonic:logs# docker container ls | grep syslog
dd5bcd591fb4   balabit/syslog-ng:latest   "/usr/sbin/syslog-ng…"   4 hours ago   Up 4 hours (healthy)   192.168.11.30:601->601/tcp, 192.168.11.30:514->514/udp, 192.168.11.30:6514->6514/tcp   syslog

3. Start the container whose logs you want to send to the newly created syslog container, as follows:

This container runs bind9 from a custom Docker image. The tag option becomes the PROGRAM part of the file name on the syslog-ng side, and the hostname of the Docker host (sonic here) becomes the HOST part.

DOCKER_IP=192.168.11.25
DOCKER_NAME=bind9
DOCKER_IMAGE=bind9
DATA_DIR=/docker/DATA/services/bind9
docker run -d \
  --restart=always \
  --name ${DOCKER_NAME} \
  --log-driver=syslog \
  --log-opt syslog-address=udp://192.168.11.30:514 \
  --log-opt tag=${DOCKER_NAME} \
  --log-opt syslog-format=rfc5424micro \
  --publish ${DOCKER_IP}:53:53/udp \
  --publish ${DOCKER_IP}:53:53/tcp \
  --volume ${DATA_DIR}:/etc/bind \
  ${DOCKER_IMAGE}

4. Now go to your syslog logs folder (the DATA_DIR of the syslog container) and check that the files were created.

In this setup, you should have the following files there:

23:40:50 root@sonic:logs# ls
messages_local  messages_sonic_bind9
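To show why messages_sonic_bind9 appears without any filter, here is an added example that is not part of the original article and not syslog-ng's code: it builds the kind of RFC 5424 line Docker's syslog driver emits for the bind9 container, sends it over UDP to a loopback stand-in for syslog-ng's default-network-drivers() listener, and on the receiving side derives the file name from the HOST and APP-NAME (PROGRAM) header fields exactly as the d_network destination does. The sample lines are constructed, the parser is a simplified approximation of RFC 5424, and the hostname/program checks are assumptions standing in for syslog-ng's own handling (syslog-ng has a check-hostname() option for the HOST part). They are there because both fields are sender-controlled: anything that can reach UDP 514 decides what ends up in the path under /var/log.

```python
"""
Added example: the path a container log line takes in this setup.

  bind9 container --(Docker syslog driver, RFC 5424 over UDP)--> syslog-ng
  syslog-ng reads HOST and APP-NAME from the header and writes to
  /var/log/messages_<HOST>_<PROGRAM>

The receiver is a loopback stand-in for syslog-ng, so this runs offline
without root or port 514. Parser and checks are simplified approximations,
not syslog-ng's code.
"""
import re
import socket

# Constructed sample: a bind9 log line after Docker's syslog driver
# (tag=bind9, syslog-format=rfc5424micro) has wrapped it. Header layout per
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SAMPLE_CONTAINER_LINE = (
    "<30>1 2021-03-05T23:40:50.123456+01:00 sonic bind9 1417 bind9 - "
    "named[1]: zone example.test/IN: loaded serial 2021030501"
)

# Constructed hostile sample: HOST and APP-NAME are whatever the sender puts
# in the datagram, so a host that can reach UDP 514 can try to steer the
# file name with path characters.
SPOOFED_LINE = (
    "<30>1 2021-03-05T23:41:00.000000+01:00 ../../etc/cron.d bind9 1 - - "
    "* * * * * root id > /tmp/pwned"
)

RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$",
    re.S,
)
# RFC 1123 style hostname: dot-separated labels of letters, digits, hyphens.
HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}(?:\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*$")
# Program name: no slashes, no leading dot, bounded length (assumption).
PROGRAM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")


def parse_rfc5424(line: str) -> dict:
    """Split an RFC 5424 line into its header fields; raise on anything else."""
    m = RFC5424_HEADER.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    return m.groupdict()


def destination_file(line: str, logdir: str = "/var/log") -> str:
    """Return the file the article's d_network destination would write to.

    HOST -> ${HOST}, APP-NAME -> ${PROGRAM}. Both come from the sender, so
    refuse values that are not a plain hostname / program name before they
    become part of a path.
    """
    f = parse_rfc5424(line)
    if not HOSTNAME.match(f["host"]):
        raise ValueError(f"rejecting HOST {f['host']!r}")
    if not PROGRAM.match(f["app"]):
        raise ValueError(f"rejecting PROGRAM {f['app']!r}")
    return f"{logdir}/messages_{f['host']}_{f['app']}"


def send_udp_syslog(line: str, addr: tuple) -> None:
    """One datagram per line, which is what syslog-address=udp://host:514 does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), addr)


def round_trip(line: str) -> str:
    """Send a line through loopback UDP and return the file the collector would open."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))  # ephemeral port: no root, no clash with a real 514
        rx.settimeout(2)
        send_udp_syslog(line, rx.getsockname())
        data, _peer = rx.recvfrom(65535)
    return destination_file(data.decode())


if __name__ == "__main__":
    print("container line ->", round_trip(SAMPLE_CONTAINER_LINE))
    try:
        round_trip(SPOOFED_LINE)
    except ValueError as e:
        print("spoofed line   ->", e)
```

The first line resolves to /var/log/messages_sonic_bind9, matching the ls output above; the second is refused because its HOST field is not a hostname. In the real deployment the equivalent control is network reachability: publish 514/udp on the LAN address only, as the article does, and firewall it to the hosts that are supposed to log there.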

That's it. Enjoy!

Useful links:
https://docs.docker.com/config/containers/logging/syslog/

Thou shalt not steal!

If you want to use this information on your own website, please remember: copying and pasting it entirely is always stealing, and you should be ashamed of yourself! Have at least the decency to write your own text and comments, run the commands on your own servers and provide your own output, not mine!

Or at least link back to this website.