I have a setup where docker containers use the journald log driver to write their logs. Currently log lines from the journal are forwarded to rsyslog running on the host, but the application name on the syslog lines appears as dockerd.

As a workaround, I'd like to write the CONTAINER_NAME field from the journal metadata into the line that appears in syslog, so I can identify what container wrote what line after the host's syslog has been shipped to a syslog aggregation server.

Any suggestions?
Jason Kincl :
I was able to achieve this by defining a template after parsing the structured logs from journald. For figuring out what properties were available I ran journalctl -o verbose -n 10

rsyslog has multiple different ways to do the same configuration, here is my config from a CentOS 7 machine:

    module(load="imjournal" StateFile="imjournal.state") # Load imjournal module
    module(load="mmjsonparse") # Load mmjsonparse module for structured logs

    action(type="mmjsonparse") # Attempt to parse JSON

    template(name="ContainerTemplate" type="list") {
        property(name="timestamp" dateFormat="rfc3339")
        constant(value=" ")
        property(name="$!CONTAINER_NAME")
        constant(value=" ")
        property(name="$!CONTAINER_ID")
        constant(value=" ")
        property(name="$!MESSAGE")
        constant(value="\n") # Separate logs with a newline
    }

    # Container entries carry CONTAINER_NAME; everything else keeps the default format
    if ($!CONTAINER_NAME != "") then {
        action(type="omfile" file="/var/log/messages" template="ContainerTemplate")
    } else {
        *.info;mail.none;news.none;authpriv.none;cron.none action(type="omfile" file="/var/log/messages")
    }

Reference documentation:

https://docs.docker.com/engine/admin/logging/journald/
http://www.rsyslog.com/doc/v8-stable/configuration/modules/imjournal.html
http://www.rsyslog.com/doc/master/configuration/modules/mmjsonparse.html
http://www.rsyslog.com/using-rsyslog-and-elasticsearch-to-handle-different-types-of-json-logs/
http://www.rsyslog.com/doc/v8-stable/configuration/templates.html
http://www.rsyslog.com/doc/v8-stable/rainerscript/control_structures.html#if-else-if-else
2017-08-11T19:51:27
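
The question asks for the container name to survive shipping to an aggregation server, while the configuration above writes to a local file. The following stand-alone variant is an added example, not part of the answer: it forwards container entries in RFC 5424 layout with CONTAINER_NAME in the APP-NAME position. The template name ContainerForward and the target logs.example.com on port 514 are placeholders assumed for illustration.

```rsyslog
# Added example, not from the answer above.
# logs.example.com:514 is a placeholder for the aggregation server.
module(load="imjournal" StateFile="imjournal.state")

# RFC 5424 layout: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
template(name="ContainerForward" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">1 ")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="$!CONTAINER_NAME")   # APP-NAME: the container, not dockerd
    constant(value=" ")
    property(name="procid")             # PROCID as recorded by the journal
    constant(value=" - - ")             # no MSGID, no structured data
    property(name="$!MESSAGE")
    # No trailing newline: omfwd adds the TCP frame delimiter itself
}

# Only entries written through the journald log driver carry CONTAINER_NAME
if ($!CONTAINER_NAME != "") then {
    action(type="omfwd" target="logs.example.com" port="514" protocol="tcp"
           template="ContainerForward")
} else {
    # Host messages are forwarded in rsyslog's default forwarding format
    action(type="omfwd" target="logs.example.com" port="514" protocol="tcp")
}
```

RFC 5424 limits APP-NAME to 48 printable ASCII characters, so a strict receiver may reject or truncate entries from containers with longer names.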
Laksitha Ranasingha :
I think the closest you could get is the image name. You can add a log tag to show the image name in logs. This feature has been added in v1.11.0. For example:

    docker run --log-driver=journald --log-opt tag="{{.ImageName}}"

Have a look at log tag docs too. Hope this helps.
2016-08-30T22:38:51