Pricing Login
Products
The Platform

Monitor, troubleshoot, automate, and defend

Powered by AI/ML

Proprietary algorithms, machine learning, and generative AI

Powerful integrations
Open Telemetry
AWS
GCP
Azure

Cloud SIEM

Discover threats faster and respond smarter

Learn more

Logs for Security

Unlock cloud security with powerful log visibility

Learn more

Monitoring and Troubleshooting

Detect and resolve with comprehensive visibility

Learn more

Security

Threat detection, investigation, and response

Learn more

Observability

Diagnose and solve

Learn more
Trusted and certified
AICPA SOC 2 FedRamp GDPR CCPA ISO 27001 HIPAA PCI DSS
Solutions

Our approach resulted in a doubling of our log ingestion at an ingest cost increase of only 10%, saving us around $1 million.”

Iwan Eising

Team Lead of Service Reliability Architecture

Read case study

BY OBSERVABILITY USE CASE

BY SECURITY USE CASE

BY INITIATIVE

BY COMPETITION

Pricing
Docs
Resources

LEARN

ENGAGE

TRAIN

COMMUNITY

About
Support
Demo
Interactive demos

Click through interactive platform demos now.

Live demo, real expert

Schedule a platform demo with a Sumo Logic expert.

Start free trial
Back to blog results

September 10, 2015 By Christian Beedgen

Update On Logging With Docker

A Simpler & Better Way

In New Docker Logging Drivers, I previously described how to use the new Syslog logging driver introduced in Docker 1.6 to transport container logs to Sumo Logic.

Since then, there have been improvements to the Syslog logging driver, which now allows users to specify the address of the Syslog server to send the logs to. In its initial release the Syslog logging driver simply logged to the local Syslog daemon, but this is now configurable. We can exploit this in conjunction with the Sumo Logic Collector container for Syslog to make logging with Docker and Sumo Logic even easier.

Simply run the Syslog Collector container as previously described:

$ docker run -d -p 514:514 -p 514:514/udp \ --name="sumo-logic-collector" \ sumologic/collector:latest-syslog \ [Access ID] [Access key]

Now you have a collector running, listening for Syslog on both ports 514/tcp and 514/udp.

For every container required to run on the same host, you can now add the following to the Docker run command in order to make the container log to your Syslog collector:

--log-driver syslog --log-opt syslog-address=udp://localhost:514

Or, in a complete example:

$ docker run --rm --name test \ --log-driver syslog --log-opt syslog-address=udp://localhost:514 \ ubuntu \ bash -c 'for i in `seq 1 10`; do echo Hello $i; sleep 1; done'

You should now see something along these lines in Sumo Logic:

Docker syslog collection

This, of course, works remotely, as well. You can run the Sumo Logic Collector on one host, and have containers on all other hosts log to it by setting the syslog address accordingly when running the container.

And Here Is An Errata

In New Docker Logging Drivers, I described the newly added logging drivers in Docker 1.6. At the time, Docker was only able to log to local syslog, and hence our recommendation for integration was as follows:

$ docker run -v /var/log/syslog:/syslog -d \ --name="sumo-logic-collector" \ sumologic/collector:latest-logging-driver-syslog \ [Access ID] [Access Key]

This will basically have the Sumo Logic Collector tail the OS /var/log/syslog file. We discovered in the meantime that this will cause issues if /var/log/syslog is being logrotate’d. The container will hang on to the original file into which Syslog initially wrote the messages, and not pick up the new file after the old file was moved out of the way.

There’s a simple solution to the issue: mount the directory into the container, not the file. In other words, please do this:

$ docker pull sumologic/collector:latest-logging-driver-syslog$ docker run -v /var/log:/syslog -d \ --name="sumo-logic-collector" \ sumologic/collector:latest-logging-driver-syslog \ [Access ID] [Access Key]

Or, of course, switch to the above described new and improved approach!

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Start free trial

Categories

Spotlight

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial
Christian Beedgen

Christian Beedgen

As co-founder and CTO of Sumo Logic, Christian Beedgen brings 18 years experience creating industry-leading enterprise software products. Since 2010 he has been focused on building Sumo Logic’s multi-tenant, cloud-native machine data analytics platform which is widely used today by more than 1,600 customers and 50,000 users. Prior to Sumo Logic, Christian was an early engineer, engineering director and chief architect at ArcSight, contributing to ArcSight’s SIEM and log management solutions.

More posts by Christian Beedgen.

People who read this also enjoyed

Blog

From stateful to stateless: Sumo Logic’s transition from Lucene to Parquet-based architecture

Sumo Logic’s architecture innovation has boosted performance and facilitated the Flex pricing model. Discover why the team moved to a stateless architecture with Parquet.

Blog

How to execute an Azure Cloud purple team exercise

Purple teaming exercises can be an excellent source for threat detection avenues. Learn how to execute an Azure Cloud purple team flow with Cloud SIEM.

Blog

Learn how to use the common OpenTelemetry demo application with Sumo Logic

You can get up and running with Otel's Astronomy Shop demo with Sumo Logic. Get set up with your OpenTelemetry demo and start understanding the data.