Collecting Docker logs with Seq

Docker's built-in logging infrastructure takes STDOUT and STDERR from a running container, and sends each line of text to one of several logging drivers. This makes it possible to monitor and diagnose issues in containerized apps without any special logging configuration in the app itself.

Aside from the basic docker logs command that retrieves logs from a runnining container, Docker doesn't provide centralized log storage or management of its own. Instead, it's up to an administrator to choose the logging driver and configure it to forward logs to an appropriate log server.

Docker doesn't ship with a logging driver for Seq itself, and although it's possible to extend Docker with plug-ins, it's much more convenient to work with one of the built-in drivers. Because of this, we've added GELF event format support into Seq 5.1: collecting Docker logs with Seq is now as simple as:

$ docker run \
    --rm \
    --log-driver gelf \
    --log-opt gelf-address=udp://seq.example.com:12201 \
    ubuntu echo HELO

Note the seq.example.com:12201 in there - this needs to be the hostname or IP address, and port, where your Seq server's GELF input is listening.

The Docker infrastructure adds a whole lot of useful information about the container to each line of output:

Docker container logs in Seq

A quick aside: what is GELF? GELF is a simple compressed, chunked, JSON log format originally developed by the Graylog project, and now supported by many log servers and aggregators. The format includes well-known field names for typical log event properties like timestamps and messages. GELF can be sent via TCP or UDP transports, but UDP is the more popular option and is what we've chosen to support first in Seq.

Enabling GELF inputs in Seq

There are two ways to ingest GELF packets into Seq.

For Windows servers, the simplest option is to install the Seq.Input.Gelf plug-in. The plug-in requires Seq 5.1 because the infrastructure for ingesting high-volume events through apps is new to this version. Seq 5.1 is in development - you'll need to grab the preview installer from https://getseq.net/download (bottom of the page). For Windows configuration instructions check out these docs.

For Docker environments, we ship a separate container datalust/sqelf (we love short names :-)) that runs alongside Seq and forwards events to it via Seq's HTTP ingestion API. This works with all recent Seq versions. To get a sqelf container deployed, these are the docs you're looking for.

Fully-structured events

If the container's output is valid JSON, the GELF input will attach properties from the JSON to the events in Seq.

Here's an example (PowerShell syntax warning!) that sets app_name and provides a friendly message @m:

> docker run `
     --rm `
     --log-driver gelf `
     --log-opt gelf-address=udp://seq.example.com:12201 `
     ubuntu echo '{\"app_name\":\"greetings\",\"@m\":\"Hello!\"}'

In Seq:

Structured Docker container logs in Seq

The input recognizes the special field names from the standard Seq JSON format, like @m, @t and so-on, making it possible to use Serilog.Formatting.Compact to losslessly record structured events to STDOUT.

Sharing feedback and getting help

The GELF input is brand new, and we'd love to hear how you're using it. Please ask questions and share your experiences with us here, on Twitter, or by emailing support@getseq.net. If you think you've spotted a bug, the GELF input is open-source on GitHub and we'd appreciate your issue reports and PRs.