Logstash

Logstash is a tool developed by Elastic Co which can act as a good funnel for logs. Logstash pairs nicely with Logspout. In the diagram below, Logspout aggregates the logs from each of the containers and forwards the data it receives to Logstash via UDP. Logstash then modifies the data as desired and routes it to various outputs.

+-------------+                                        +---------------+
| Container 1 |                                        | Elasticsearch |
+-------------+\                                      /+---------------+
                \                                    /
+-------------+  \   +----------+    +----------+   /  +---------------+
| Container 2 |----->| Logspout |--->| Logstash |----->| Papertrail    |
+-------------+  /   +----------+    +----------+   \  +---------------+
                /                                    \
+-------------+/                                      \+---------------+
| Container 3 |                                        | Analytics     |
+-------------+                                        +---------------+

Logstash

/etc/logstash/logstash.conf

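input {
  # Listen on port 5000 over both TCP and UDP; Logspout sends over UDP.
  tcp {
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
}

output {
  # Print every event to the container's stdout.
  stdout { }
}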

Run

$ docker run \
    --name logstash \
    --volume /etc/logstash:/conf:ro \
    logstash bash -c "logstash -f /conf/logstash.conf"

Logspout

The only gotcha here is that you need to link to the logstash container to send data to it.

$ docker run \
    --name logspout \
    --link logstash:logstash \
    --restart always \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    gliderlabs/logspout raw://logstash:5000
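
An added example, not part of the original page: a small Python audit that parses the logstash.conf shown above and lists every tcp/udp listener it opens, with bind address and TLS state, so you know which sockets must stay off untrusted networks. It handles only the flat subset of the config syntax used on this page, and the function names are hypothetical.

```python
import re
# The page's logstash.conf, embedded so the example runs offline.
PAGE_CONF = """
input {
  tcp {
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
}
output {
  stdout { }
}
"""

TOKEN = re.compile(r'"[^"]*"|=>|[{}]|[^\s{}"]+')

def parse_plugins(conf):
    """Return [(section, plugin, settings)] for sections of plugins with scalar
    `key => value` settings (no conditionals/arrays/hashes, no '#' in strings)."""
    tokens = TOKEN.findall(re.sub(r"#.*", "", conf))
    plugins, i = [], 0
    while i < len(tokens):
        section, i = tokens[i], i + 2          # section name, then "{"
        while tokens[i] != "}":
            plugin, i, settings = tokens[i], i + 2, {}
            while tokens[i] != "}":            # key, "=>", value
                settings[tokens[i]] = tokens[i + 2].strip('"')
                i += 3
            plugins.append((section, plugin, settings))
            i += 1                             # plugin's closing "}"
        i += 1                                 # section's closing "}"
    return plugins

def listeners(conf):
    """Sockets opened by tcp/udp inputs: protocol, port, bind address, TLS state."""
    found = []
    for section, plugin, s in parse_plugins(conf):
        # A tcp input in client mode dials out and opens no listener.
        if section != "input" or plugin not in ("tcp", "udp") or s.get("mode", "server") != "server":
            continue
        tls = plugin == "tcp" and "true" in (s.get("ssl_enable"), s.get("ssl_enabled"))
        # Both plugins bind all interfaces unless `host` is set.
        found.append({"proto": plugin, "port": int(s["port"]),
                      "bind": s.get("host", "0.0.0.0"), "tls": tls})
    return found
```

For the page's config both listeners bind 0.0.0.0:5000 without TLS. Because the docker run command for logstash publishes no ports, they are reachable only from the Docker host and from containers on the same Docker network.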