Write journald metadata to rsyslog

I have a setup where docker containers use the journald log driver to write their logs. Currently log lines from the journal are forwarded to rsyslog running on the host, but the application name on the syslog lines appears as dockerd.

As a workaround, I’d like to write the CONTAINER_NAME field form the journal metadata into the line that appears in syslog, so I can identify what container wrote what line after the host’s syslog has been shipped to a syslog aggregation server.

  • `rails console` hangs when using vendored gems (running in docker)
  • How to pass arguments within docker-compose?
  • how to do docker-compose pip install with a proxy?
  • Enable port access container through dockerfile
  • (Windows Git-bash) IntelliJ git bash shell color scheme messed up with Docker
  • Docker node express volume changes in the host not reflected in the container
  • Any suggestions?

  • osx docker max connections limit
  • How to enable a Spark-Mesos job to be launched from inside a Docker container?
  • Docker name gets longer each time I run docker-compose
  • cannot start docker daemon
  • Docker Swarm managers acting nodes?
  • Run Docker container behind proxy?
  • 2 Solutions collect form web for “Write journald metadata to rsyslog”

    I think closest you could get image name. You can add a log tag to show the image name in logs. This feature has been added in v1.11.0. For example:

    docker run --log-driver=journald --log-opt tag="{{.ImageName}}

    Have a look at log tag docs too. Hope this helps.

    I managed to get this working by putting this in rsyslog.conf

    if ( $!CONTAINER_TAG == "mycontainer" ) then {
    action(type="omfile" file="/var/log/mycontainer.log")

    I can test that it works with this

    docker run --log-driver=journald --log-opt tag="mycontainer" centos:latest echo Pierre7

    I get my log both in the file /var/log/mycontainer and in the journal, which I can find with

    journalctl --unit docker CONTAINER_TAG=mycontainer

    It is difficult to find the information, the only place where it seems documented in in the redhat documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-structured_logging_with_rsyslog.html

    My use case is that I want the journal for all the benefits it gives but the support people are requesting to have normal files. Also we will use the splunkforwarder to consume the files.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.