CoursesDocker in depthThe Docker engine

Logging & log drivers

Where container output goes, and how to ship it.

Intermediate12 min · lesson 7 of 30

By default a container’s STDOUT and STDERR are captured by the daemon’s logging driver, and docker logs replays them. That default is intentional: containerized apps should log to stdout/stderr, not to files inside the container, so the platform can collect the stream. The choice that matters is which driver receives it — and the default, json-file, has a footgun.

terminal
$ docker logs -f --tail 50 web # follow the last 50 lines
$ docker inspect -f '{{.HostConfig.LogConfig.Type}}' web
json-file # the default driver

json-file and the rotation footgun

json-file writes each container’s output to a JSON file on the node and, by default, never rotates it — a chatty container can fill the disk and take the host down. Always cap it, either per container or (better) as an engine-wide default in daemon.json, so every container inherits bounded logs. This is the single most common Docker-logging incident.

/etc/docker/daemon.json
{
"log-driver": "json-file",
"log-opts": { "max-size": "10m", "max-file": "3" } // bound + rotate, cluster-wide
}
// per-container override:
// docker run --log-opt max-size=5m --log-opt max-file=2 ...

Choosing a driver

The driver decides where logs go. json-file (default) and local keep them on the node for docker logs. journald hands them to the systemd journal (queryable with journalctl). syslog, fluentd, gelf, and awslogs ship them off-box to a central collector or SIEM — the right choice in production, because node-local logs vanish with the node and are the first thing an attacker edits. Note docker logs only works with the file/journald drivers; with a remote driver you read logs in the collector, not from Docker.

Where the log stream can go
stay on the node
json-file
default; rotate it!
local
efficient on-disk format
journald
into the systemd journal
ship off-box (production)
fluentd / gelf
to a log pipeline
syslog
to a central server
awslogs / splunk
to a managed sink
Off-box drivers survive node loss and tampering — but docker logs no longer shows them; read from the collector.
Log to stdout, cap the driver, ship it off-box
Three rules: apps should write to stdout/stderr (not files inside the container), the json-file driver must have max-size/max-file set or it will fill the disk, and anything you need for audit or incident response should be shipped off the node — a compromised host’s local logs cannot be trusted.