Container Logs

LEVEL 0

The Problem

Your container is running but behaving strangely. Users report errors. But you can’t see anything — the container just sits there.

Unlike traditional servers where you SSH in and check /var/log/, containers work differently. Where do the logs go? How do you see them?

LEVEL 1

The Concept — The Flight Recorder

The Concept

Think of container logs like an airplane’s black box (flight recorder).

Everything the application “says” — output messages, errors, warnings — is recorded. Whether you’re watching or not, the recorder captures it all.

Docker captures two streams:

stdout (standard output) — normal messages
stderr (standard error) — error messages

When your application prints “Server started on port 8080” or logs an error “Database connection failed,” Docker captures that. You can play it back anytime with docker logs.

LEVEL 2

The Mechanics — Viewing Logs

The Mechanics

Basic Log Viewing

# Show all logs
docker logs mycontainer

# Show last 100 lines
docker logs --tail 100 mycontainer

# Follow logs in real-time (like tail -f)
docker logs -f mycontainer

# Show timestamps
docker logs -t mycontainer

# Show logs since a time
docker logs --since 2024-01-15T10:00:00 mycontainer
docker logs --since 10m mycontainer  # Last 10 minutes

# Combine options
docker logs -f --tail 50 -t mycontainer

Filtering by Stream

Some tools treat stdout and stderr differently. In Docker, both go to logs by default.

LEVEL 3

How Docker Captures Logs

The Logging Driver

Docker uses “logging drivers” to handle container output. The default is json-file, which:

Captures stdout and stderr from PID 1
Wraps each line in JSON with a timestamp
Stores it in /var/lib/docker/containers/<id>/<id>-json.log

Other logging drivers can send logs to:

Syslog
AWS CloudWatch
Fluentd
Splunk
And more

Log Rotation

By default, logs can grow unbounded! For production, configure rotation:

docker run --log-opt max-size=10m --log-opt max-file=3 nginx

This keeps 3 files of max 10MB each = 30MB max logs.

LEVEL 4

Common Issues

“docker logs shows nothing”

Possible causes:

Application writes to files instead of stdout/stderr
Application uses a logging framework that buffers output
Container hasn’t produced any output yet

“logs are too verbose”

Solutions:

Configure application’s log level
Use --tail and --since to filter
Use external log aggregation

“logs are too large”

Solutions:

Configure log rotation
Use a different logging driver
Have application log less