
How to make syslog work in Docker?


My application sends out syslog local0 messages. When I moved my application into Docker, I found it difficult to show the syslog.

I've tried to run docker with --log-driver as syslog or journald; both work strangely. /var/log/local0.log shows the console output of the docker container instead of my application's syslog when I run this command inside the container:

logger -p local0.info -t a message

So, I tried to install syslog-ng inside the docker container. The outside docker box is Arch Linux (kernel 4.14.8 + systemctl). The docker container is running CentOS 6. If I install syslog-ng inside the container and start it, it shows the following messages.

# yum install -y syslog-ng  # this will install syslog-ng 3.2.5
# /etc/init.d/syslog-ng start
Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
Starting syslog-ng: Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
Error initializing source driver; source='s_sys', id='s_sys#0'
Error initializing message pipeline;

Solution

  • CentOS 6:

    1.

    Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql' 
    Starting syslog-ng: Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
    

    You can fix the above error by installing the syslog-ng-libdbi package:

    yum install -y syslog-ng-libdbi
    

    2.

    Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
    Error initializing source driver; source='s_sys', id='s_sys#0'
    Error initializing message pipeline;
    

    Since syslog-ng doesn't have direct access to the kernel messages, you need to disable (comment out) that source in its configuration:

    sed -i 's|file ("/proc/kmsg"|#file ("/proc/kmsg"|g' /etc/syslog-ng/syslog-ng.conf
    

  • CentOS 7:

    1.

    Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
    

    The system() source is in the default configuration. This source reads platform-specific sources automatically, and reads /dev/kmsg on Linux if the kernel is version 3.5 or newer. So, we need to disable (comment out) the system() source in the configuration file:

    sed -i 's/system()/# system()/g' /etc/syslog-ng/syslog-ng.conf
    

    2. When we start it in foreground mode (syslog-ng -F), we get the following:

    # syslog-ng -F
    syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
    

    So, we need to run syslog-ng as root, without capability-support:

    syslog-ng --no-caps -F
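
An added example, not part of the original answer: the two configuration edits above as one idempotent shell function that can run on every container start without stacking comment markers. The function name disable_kernel_sources and the .bak backup are assumptions of this example. It also goes one step beyond the answer: where system() is commented out, a unix-dgram("/dev/log") source is put in its place, because system() is also what reads the local socket that logger writes to.

```sh
#!/bin/sh
# Added example (not from the answer): idempotent form of the two config edits.
# disable_kernel_sources is a hypothetical helper name.

disable_kernel_sources() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk '
        # CentOS 6 layout: explicit kernel log file source; comment it out.
        /^[ \t]*file[ \t]*\("\/proc\/kmsg"/ { sub(/file/, "#file"); print; next }
        # CentOS 7 layout: system() also covers the local /dev/log socket,
        # so read that socket directly (assumption: logger writes to /dev/log).
        /^[ \t]*system\(\);[ \t]*$/ {
            indent = $0; sub(/system.*/, "", indent)
            print indent "# system();"
            print indent "unix-dgram(\"/dev/log\");"
            next
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep the first pristine copy; later runs must not overwrite it.
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Typical container entrypoint use (path as on the page):
#   disable_kernel_sources /etc/syslog-ng/syslog-ng.conf && exec syslog-ng --no-caps -F
if [ -n "${1:-}" ]; then
    disable_kernel_sources "$1"
fi
```

Lines that are already commented do not match the patterns, so a second run leaves the file unchanged.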