Write journald metadata to rsyslog

I have a setup where docker containers use the journald log driver to write their logs. Currently log lines from the journal are forwarded to rsyslog running on the host, but the application name on the syslog lines appears as dockerd.

As a workaround, I’d like to write the CONTAINER_NAME field form the journal metadata into the line that appears in syslog, so I can identify what container wrote what line after the host’s syslog has been shipped to a syslog aggregation server.

  • Docker-compose check if mysql connection is ready
  • Docker (NGINX, PHP, mySQL) and Windows - File Permissions
  • Best practice/way to develop Golang app to be run in Docker container
  • How to get docker container ID within Docker?
  • Http2 protocol in an nginx reverse proxy and docker container
  • How to copy files to each user's space in docker
  • Any suggestions?

  • How to serve Docker containers with Nginx if there are multiple sites on one host?
  • Running docker commands in bash script leads to segmentation fault
  • NodeJS/Dokku/Docker: ffmpeg exited with code 127
  • Running Remote Bamboo Agents on Demand Using Docker
  • docker container exits because of “std in is not a tty”
  • Docker running out of memory when loading large sql dump
  • 2 Solutions collect form web for “Write journald metadata to rsyslog”

    I think closest you could get image name. You can add a log tag to show the image name in logs. This feature has been added in v1.11.0. For example:

    docker run --log-driver=journald --log-opt tag="{{.ImageName}}
    

    Have a look at log tag docs too. Hope this helps.

    I managed to get this working by putting this in rsyslog.conf


    if ( $!CONTAINER_TAG == "mycontainer" ) then {
    action(type="omfile" file="/var/log/mycontainer.log")
    stop
    }

    I can test that it works with this

    docker run --log-driver=journald --log-opt tag="mycontainer" centos:latest echo Pierre7

    I get my log both in the file /var/log/mycontainer and in the journal, which I can find with


    journalctl --unit docker CONTAINER_TAG=mycontainer

    It is difficult to find the information, the only place where it seems documented in in the redhat documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-structured_logging_with_rsyslog.html

    My use case is that I want the journal for all the benefits it gives but the support people are requesting to have normal files. Also we will use the splunkforwarder to consume the files.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.