How to View Docker Container Logs - A Step-by-Step Guide

Docker containers have revolutionized application deployment and management. However, to maintain and troubleshoot these containers effectively, you need to know how to access and interpret their logs. This guide will walk you through the process of viewing Docker container logs, from basic commands to advanced techniques.

Understanding Docker Container Logs

Docker container logs are records of events and output generated by containers during their runtime. These logs capture stdout and stderr streams, providing valuable insights into container behavior, application performance, and potential issues.

Docker stores logs in JSON format by default. The log files are typically located in the /var/lib/docker/containers/<container-id>/<container-id>-json.log directory on the host system. However, the exact location may vary depending on your Docker configuration and operating system.

Why View Docker Logs?

Accessing Docker logs is crucial for several reasons:

1. Troubleshooting: Logs help identify and resolve issues within containers.
2. Performance monitoring: They provide insights into application behavior and resource usage.
3. Security and compliance: Logs assist in detecting suspicious activities and ensuring regulatory compliance.
4. Behavior analysis: By examining logs, you can understand how containers interact with each other and the host system.

Basic Commands for Viewing Docker Logs

The primary command for viewing Docker logs is the docker logs command. This command allows you to fetch the logs of a container. In this section, you will see several ways the command can be utilized. A sample microservice application has been provided. To start the application, a Docker Compose file is included in the project root. This file defines and manages the multiple services. If you already have running Docker containers, you can skip this setup step.

Run the below commands in your terminal to clone and start the container application:

git clone https://github.com/yuvraajsj18/opentelemetry-signoz-sample.git
cd opentelemetry-signoz-sample
docker-compose up

You should see the below output in your terminal:

If you want to run the containers in the background, use:

docker-compose up -d

Here are different ways to access the Docker container logs using the docker-logs command:

1. To view logs for a specific container:

If you want to view logs of a particular container, for example, the opentelemetry-signoz-sample-product-1 container, you can use the below command:

docker logs <container_name_or_id>

This command retrieves all available logs from the container with the ID specified. To get the container ID of the opentelemetry-signoz-sample-product-1 container, run the below command:

docker ps

Copy the container ID for the opentelemetry-signoz-sample-product container.

Replace <container-id> with the container ID you copied and run the command.

docker logs 9539e20d8d4b

This command outputs the logs of the opentelemetry-signoz-sample-product container directly to your terminal, helping you monitor its operations and troubleshoot if necessary.

1. To follow the log output in real-time:

During a live update, a developer might want to monitor logs in real-time to ensure that all components are operating correctly. This can be done using the below command:

docker logs --follow <container_name_or_id>

The --follow option lets you stream logs to the console as they are being generated, which is vital for live debugging and monitoring the changes in real time.

Replace <container-id> with the ID of the particular container logs you want to monitor:

1. To view only the last N lines of the log:

When troubleshooting a container experiencing intermittent issues, focusing on the most recent log entries can significantly speed up the process. Instead of sifting through the entire log file, you can use the --tail option with the docker logs command to view a specific number of lines from the end.

docker logs --tail <number> <container_name_or_id>

Replace <number> with the desired number of lines and <container-id> with the actual container ID. For example, to view the last 5 lines of a container's log:

docker logs --tail 5 <container_name_or_id>

For real-time monitoring of the latest log entries, you can combine the --tail option with the --follow option:

docker logs --tail 5 --follow <container_name_or_id>

This displays the last 5 lines of the log and then continuously updates the output with new lines as they are written.

Advanced Docker Logs Options

For more detailed log analysis, Docker offers several advanced options to refine log retrieval and analysis. They include:

1. Time-Based Filtering

In a situation where a service encounters unexpected behavior, such as a sudden performance drop or critical error, to troubleshoot the cause within a specific timeframe, you can use the —-since and —-until options together with your docker logs command:

docker logs --since <YYYY-MM-DDTHH:MM:SS> --until <YYYY-MM-DDTHH:MM:SS> <container_name_or_id>

The --since option specifies the start time for log retrieval and the --until option specifies the end time for log retrieval, creating a precise time window for log analysis.

Docker accepts timestamps in this format: YYYY-MM-DDTHH:MM:SS, where;

• YYYY: Year (e.g., 2024)
• MM: Month (01-12)
• DD: Day (01-31)
• T: Separator between date and time
• HH: Hour (00-23)
• MM: Minute (00-59)
• SS: Second (00-59)

For example, if the opentelemetry-signoz-sample-product container experienced a failure that started on July 25, 2024, at 18:30:00, and persisted for 24 hours, the command will be as follows:

docker logs --since 2024-07-25T18:30:00 --until 2024-07-26T18:30:00 opentelemetry-signoz-sample-product

You should see a similar output:

This approach allows you to isolate the logs within a specific time window, making it easier to perform a detailed analysis without the distraction of irrelevant data. It's particularly useful for debugging transient issues that occurred at known times or reviewing system behavior during scheduled events (e.g., a new release deployment).

1. Pattern Searching

Suppose your application logs are showing recurring errors, and you suspect these are linked to specific error codes like "ERROR", “Database connectivity” or messages indicating some connection failure, you can use pattern search to identify the root cause of these issues.

Pattern searching allows you to filter log entries based on specific text patterns or regular expressions. The simplest form of pattern searching is using the grep command in conjunction with the docker logs command:

docker logs <container_name_or_id> | grep <pattern>

The grep command is a powerful Unix/Linux utility used here to search through the output of docker logs for specific patterns, reducing the volume of log data to needed information only.

For example, to search for all log entries containing the word "telemetry":

docker logs 9539e20d8d4b | grep "telemetry"

You should see a similar output:

This method is highly effective for searching for specific errors or patterns in your logs. It can drastically reduce the time spent scrolling through thousands of log entries by directly highlighting the relevant lines.

You can also combine pattern searching with time-based filtering:

docker logs --since 2024-07-25T00:00:00 opentelemetry-signoz-sample-product | grep "error"

This command searches for "error" in logs since July 25, 2024.

1. Multi-Container Logging

Suppose you're handling a big problem that affects several parts of your application, which is built with many different services working together. You need to see what's happening in each part to figure out how the problem is spreading and affecting your entire application.

If your services are defined in a Docker Compose file, you can view logs from all services at once using the docker-compose logs command:

docker-compose logs

It should return a similar output:

Best Practices for Docker Logging

To maximize the benefits of Docker logging:

• Implement log rotation: You can use Docker’s built-in drivers like json-file or syslog for seamless log rotation. This integration allows for automatic management of log files without manual intervention. You can learn more about log rotation using this blog.

• Structure log messages: Using JSON for structured logging enhances clarity and machine-readability, making it easier to automate parsing and analysis across systems. For instance, when an issue spans multiple services, JSON logs can be queried efficiently to extract specific data like timestamps and error messages, facilitating faster troubleshooting.

• Secure sensitive information: Avoid logging sensitive data such as user credentials or payment details. We can use masking or encryption to secure the information.

• Manage Log File Sizes with max-size and max-file: Use the max-size and max-file options with Docker's json-file logging driver to manage log rotation and prevent disk space overrun. In a production environment, logging without constraints can lead to massive log files that consume all available disk space, potentially crashing the service.

  Example:

{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3",
    "labels": "production_status",
    "env": "os,customer"
  }
}

Viewing Docker Logs in Different Environments

1. Docker Desktop

Docker Desktop provides a user-friendly interface to manage Docker containers, including viewing logs. You can access logs through the GUI. The Docker Desktop application features a graphical user interface (GUI) where you can select a running container and view its logs.

This can be done by navigating to the "Containers" tab, selecting the container of interest, and accessing the "Logs" section. The GUI provides a convenient way to filter and search through log entries.

1. Docker Compose

Docker Compose is a tool for defining and running multi-container Docker applications. When dealing with multiple services, it’s essential to aggregate and access logs for troubleshooting and monitoring. You can view logs from all containers defined in a docker-compose.yml file using docker-compose logs for multi-container applications as seen in the previous example.

1. Third-Party Solutions

For advanced log management, especially in production environments, third-party solutions provide enhanced capabilities such as log aggregation, filtering, visualization, and alerting.

An example of a third-party solution is SigNoz. It is an open-source observability platform that provides comprehensive log management features. It can be integrated with Docker to collect, aggregate, and visualize logs from all your containers. SigNoz offers a user-friendly dashboard where you can monitor logs in real-time, set up alerts, and analyze logs for troubleshooting.

To integrate SigNoz or any other logging tool, you typically need to:

• Configure Log Drivers: Set the appropriate log driver (e.g., syslog, json-file, fluentd) and configure it to send logs to your logging service.
• Use Agents or Sidecars: Deploy an agent or sidecar container that collects logs from the Docker environment and sends them to the logging service.
• Set Up Dashboards and Alerts: Use the provided tools to create custom dashboards and alerts tailored to your application's needs.

By leveraging these tools and techniques, you can efficiently manage and analyze Docker logs, ensuring smooth operation and quick resolution of issues in your containerized applications.

Troubleshooting Common Docker Logging Issues

1. Missing Logs

Missing logs are often due to misconfigurations in logging drivers or insufficient permissions. When configuring your Docker container, specify a logging driver in the Docker run command or within a Docker compose file, and ensure that the container has the necessary permissions to write logs.

Example: If using the json-file logging driver, your Docker run command might look like this:

{
  "log_driver": "json-file",
  "log_opts": {
    "max-size": "5m",
    "max-file": "3"
  }
}

1. Log Driver Conflicts

Verify that the chosen log driver is compatible with your Docker version and host system. To check the compatibility of the chosen log driver with your Docker version and host system, you can use the following command to list the available logging drivers:

docker info --format '{{.LoggingDriver}}'

1. Storage Space Issues

Implement log rotation and regularly clean up old log files. Log files can consume a significant amount of storage space, where extensive logging is required. To prevent this, make sure to Implement log rotation.

Example: Configuring log rotation in a docker-compose.json might look like:

{
  "services": {
    "app": {
      "image": "myapp:latest",
      "logging": {
        "driver": "json-file",
        "options": {
          "max-size": "100m",
          "max-file": "10"
        }
      }
    }
  }
}

You can also set up log rotation directly with the Docker CLI by using the --log-opt options when running a container:

docker run -d \
--name myapp \
--log-driver json-file \
--log-opt max-size=100m \
--log-opt max-file=10 \
myapp:latest

1. Application-Specific Logging

Problems can arise if applications are not configured to send logs to stdout and stderr, which Docker can capture by default. Ensuring your application logs to the console or properly routes logs through the configured Docker logging driver is crucial.

Example: A typical Node.js application configuration to log directly to stdout, which Docker can capture:

console.log('This is a log entry');

Or, if using a logging library like Winston:

const logger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  transports: [
    new winston.transports.Console()
  ]
});
logger.info('Hello, this is a log message!');

This setup allows Docker to capture logs directly from the standard output, making them available via the docker logs command.

Enhancing Log Analysis with SigNoz

While grep is powerful for command-line log analysis, SigNoz provides a more comprehensive solution for managing and analyzing logs in complex, distributed systems.

1. Centralized Log Management
2. Advanced Search and Filtering
3. Log Correlation with Metrics and Traces
4. Real-time Log Tailing
5. Log-based Alerting
6. Log Visualizations and Dashboards

SigNoz cloud is the easiest way to run SigNoz. Sign up for a free account and get 30 days of unlimited access to all features.

You can also install and self-host SigNoz yourself since it is open-source. With 19,000+ GitHub stars, open-source SigNoz is loved by developers. Find the instructions to self-host SigNoz.

Read how to send Docker Logs to SigNoz.

Conclusion

• Use docker logs and docker service logs for essential log access and troubleshooting.
• Generally, Docker logs are stored on the host system in /var/lib/docker/containers/. It may be depend on operating system as well.
• Utilize options like --follow for real-time streaming, -since and -until for time-based filtering, and -tail for limiting log output.
• Configure logging drivers (e.g., json-file, syslog) to manage and transport logs efficiently.
• Enhanced Observability with SigNoz: Integrate with SigNoz for comprehensive log management, advanced querying, and efficient log storage using OpenTelemetry and ClickHouse.

FAQs

1. How long are Docker container logs retained?

Docker retains logs indefinitely by default. However, you can configure log rotation to manage log file sizes and retention periods.

2. Can I export Docker logs to a file?

Yes, you can redirect log output to a file:

docker logs <container-id> > container_log.txt

3. How do I view logs for a stopped container?

The docker logs command works for both running and stopped containers, as long as the container hasn't been removed.

4. Is it possible to change the logging driver for a running container?

No, you can't change the logging driver for a running container. You must stop the container, update its configuration, and restart it.