My application will send out syslog local0 messages.
When I moved my application into Docker, I found it difficult to view the syslog.
I've tried running docker with --log-driver set to syslog or journald; both work strangely: /var/log/local0.log shows the console output of the docker container instead of my application's syslog when I run this command inside the container:
logger -p local0.info -t a message
So I tried to install syslog-ng inside the docker container.
The outside docker box is Arch Linux (kernel 4.14.8 + systemctl).
The docker container is running CentOS 6. If I install syslog-ng inside the container and start it, it shows the following messages:
# yum install -y syslog-ng # this will install syslog-ng 3.2.5
# /etc/init.d/syslog-ng start
Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
Starting syslog-ng: Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
Error initializing source driver; source='s_sys', id='s_sys#0'
Error initializing message pipeline;
CentOS 6:
1.
Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
Starting syslog-ng: Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
You can fix the above error by installing the syslog-ng-libdbi package:
yum install -y syslog-ng-libdbi
2.
Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
Error initializing source driver; source='s_sys', id='s_sys#0'
Error initializing message pipeline;
Since syslog-ng doesn't have direct access to the kernel messages, you need to disable (comment out) that in its configuration:
sed -i 's|file ("/proc/kmsg"|#file ("/proc/kmsg"|g' /etc/syslog-ng/syslog-ng.conf
CentOS 7:
1.
Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
The system() source is in the default configuration. This source reads platform-specific sources automatically, and reads /dev/kmsg on Linux if the kernel is version 3.5 or newer. So we need to disable (comment out) the system() source in the configuration file:
sed -i 's/system()/# system()/g' /etc/syslog-ng/syslog-ng.conf
2. When we start it in foreground mode (syslog-ng -F), we get the following:
# syslog-ng -F
syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
So, we need to run syslog-ng as root, without capability support:
syslog-ng --no-caps -F
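The two sed edits from the answer above, combined into one re-runnable function; this is an added example, not code from the original answer, and the sample configs in it are constructed. It assumes GNU sed and that the application inside the container logs to /dev/log, so on the CentOS 7 layout it swaps system() for an explicit unix-dgram("/dev/log") source instead of only commenting it out.

```shell
#!/bin/sh
# Added example, not from the original answers. Sample configs are constructed.

# Write a constructed CentOS 6 style source block (syslog-ng 3.2.x layout).
write_sample_el6() {
    cat > "$1" <<'EOF'
source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
};
EOF
}

# Write a constructed CentOS 7 style source block that uses system().
write_sample_el7() {
    cat > "$1" <<'EOF'
source s_sys {
    system();
    internal();
};
EOF
}

# disable_kmsg_source CONF: stop syslog-ng from opening the kernel log.
# Lines that are already commented are skipped, so re-running changes nothing.
disable_kmsg_source() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    sed -i \
        -e '/^[[:space:]]*#/!s|^\([[:space:]]*\)\(file[[:space:]]*("/proc/kmsg".*\)$|\1#\2|' \
        -e '/^[[:space:]]*#/!s|^\([[:space:]]*\)system();|\1unix-dgram("/dev/log"); # kernel log source dropped|' \
        "$1"
}

# active_lines PATTERN CONF: count uncommented lines containing PATTERN.
active_lines() {
    grep -v '^[[:space:]]*#' "$2" | grep -c -F -- "$1" || true
}

# Demo on throwaway copies; point disable_kmsg_source at
# /etc/syslog-ng/syslog-ng.conf inside the container to apply it for real.
tmp=$(mktemp -d)
write_sample_el6 "$tmp/el6.conf"; write_sample_el7 "$tmp/el7.conf"
for f in "$tmp/el6.conf" "$tmp/el7.conf"; do
    disable_kmsg_source "$f" && disable_kmsg_source "$f"   # second run is a no-op
    echo "== $f"; cat "$f"
done
```

After applying it, `logger -p local0.info` from inside the container is a quick check that the /dev/log source is still being read.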
I also had problems getting the standard "syslog" output from my app after it was dockerized.
I attacked the problem from a different direction. I wanted to get the container syslogs on the host /var/log/syslog.
I ran my container with an extra mount of the /dev/log device, and voilà, it worked like a charm.
docker run -v /dev/log:/dev/log sysloggingapp:latest
Another way is to set up central logging with a syslog/rsyslog server, then use the syslog docker driver for logging. The syntax to use on the docker run command line is:
$ docker run --log-driver=syslog \
--log-opt syslog-address=udp://address:port image-name
The destination syslog server protocol can be udp or tcp, and the server address can be a remote server, a VM, a different container or a local container address.
Replace image-name with your application docker image name.
A ready rsyslog docker image is available on https://github.com/jumanjihouse/docker-rsyslog
References: Docker Logging at docker.com, Docker CLI, https://www.aquasec.com/wiki/display/containers/Docker+Containers+vs.+Virtual+Machines