Your containerized application is misbehaving. The service is unresponsive, or worse, it’s crash-looping. As a developer or SRE, your first instinct is to ask, “What do the logs say?” For applications running in Docker, accessing and understanding container logs is the most fundamental troubleshooting skill you can possess. These logs are the raw, unfiltered story of what your application is doing, thinking, and feeling.
But docker logging is more than just a single action. It’s a comprehensive system with layers of functionality, from quickly tailing real-time output to implementing robust, production-grade log management strategies. This guide will walk you through everything you need to know to effectively view docker container logs, starting with the basics and progressing to the best practices that will keep your applications observable and your on-call nights quiet.
The Foundation: Understanding Log Viewing Capabilities
The primary tool in your Docker logging arsenal is Docker’s built-in logging command. At its simplest, it fetches and displays the logs for a specific container. To inspect a container, you first need to identify it by its name or ID. Once identified, you can access its entire log history. While useful, this raw dump can be overwhelming. Fortunately, Docker provides several powerful options to make the output more manageable.
Tailing Logs in Real-Time
To watch logs as they are generated, you can follow the log output in real-time. This functionality is invaluable when you’re deploying a new version or actively troubleshooting an issue, as it streams new log entries directly to your terminal as they happen.
Viewing the Most Recent Logs
Often, you only care about the most recent events. Docker allows you to specify the number of lines you want to see from the end of the logs. This is perfect for getting a quick status check after restarting a container or when you’re only interested in the latest activity.
Adding Timestamps for Context
By default, log output doesn’t include timestamps, making it difficult to correlate events across different services or with external events. You can enable an option to prepend a timestamp to each log line, which is crucial for building an accurate timeline during a debugging session.
Filtering by Time Window
Imagine a service failed sometime yesterday afternoon. Sifting through all the logs would be tedious. Docker’s logging functionality allows you to pinpoint the exact time window you’re interested in. You can filter logs using relative times (like the last ten minutes) or by providing specific start and end timestamps.
Where Do Docker Logs Live?
Understanding the log viewing commands is only half the story. It’s also important to know how Docker handles these logs under the hood. By default, Docker uses a logging driver that captures the standard output (stdout) and standard error (stderr) streams from your container and writes them to a JSON file on the host machine.
On a standard Linux system, you can find these log files stored within the /var/lib/docker/containers/ directory, organized into subdirectories named after each container’s unique ID.
While you can technically view these files directly, it’s always better to use Docker’s built-in tools, which correctly parse the JSON format and provide the powerful filtering options we just discussed.
The major issue with this default setup is that these log files can grow indefinitely. In a busy production environment, an unmanaged log file can quickly consume all available disk space, potentially crashing the host itself. This leads us to a critical topic: log management.
Production-Grade Log Management
Relying on the default logging configuration is not a viable strategy for production systems. You need to actively manage log volume and retention.
Implementing Log Rotation
The most effective way to prevent logs from filling your disk is to implement log rotation. You can configure Docker’s logging driver to automatically rotate files when they reach a certain size and to keep only a specific number of old files. This can be set globally for all containers by editing the Docker daemon’s configuration file, where you can specify options for the maximum size of log files and the number of rotated files to keep. These settings can also be applied on a per-container basis, giving you more granular control over services that may be more or less verbose.
Logging in Multi-Container Environments
When working with applications composed of multiple services, tools like Docker Compose offer ways to aggregate and stream logs from all services defined in your application’s configuration. This feature is incredibly useful as it provides a unified view of your entire application, typically prefixing each log line with the name of the service that generated it, which simplifies cross-service troubleshooting.
Docker Logging Best Practices
Beyond commands and configuration, a mature docker log management strategy involves a few key principles.
Use Structured Logging
For simple scripts, plain text logs are fine. For complex applications, you should use structured logging. This means writing logs in a consistent, machine-readable format like JSON. Instead of a simple string, each log entry becomes an object with key-value pairs (e.g., timestamp, level, message, user_id).
Structured logs are far easier to parse, search, and filter, especially when you send them to a centralized analysis platform.
Implement Centralized Logging
Viewing logs on a single container is excellent for local development. But in a distributed system with dozens of hosts and hundreds of containers, accessing each machine individually is not feasible.
A centralized logging solution is essential. This involves using a different logging driver to automatically forward logs from all your containers to a central location. This central system (such as the ELK Stack, Loki, or a SaaS vendor) allows you to search, visualize, and create alerts across your entire application stack from a single interface.
Secure Your Logs
Logs can inadvertently contain sensitive information, such as passwords, API keys, or personal user data. Be mindful of what your application logs. Implement mechanisms to filter or mask sensitive data before it is written to the logs to prevent security breaches and ensure compliance with regulations like GDPR.
By moving from basic log viewing to a deliberate strategy involving log rotation, structured formats, and centralization, you transform logs from a simple debugging tool into a powerful source of operational intelligence. This approach is fundamental to building observable, resilient, and secure containerized systems.
Effective logging gives you the “what” and “when” of an issue. To get the full picture, you need to correlate this information with the “how” and “why” from real-time performance metrics. Netdata automatically discovers all your containers and collects thousands of per-second metrics, providing the deep context needed to make sense of your logs and troubleshoot problems faster.
Get started with Netdata for free and gain unparalleled visibility into your Docker environment.