Build a log aggregator in Go from scratch. Tail files with inotify, survive log rotation, parse …
/user/kayd
@
devops
:~$
cat apache-logs-and-docker-your-ultimate-guide.md
Docker Log Management: From docker logs to a Go Log Collector Docker Log Management: From docker logs to a Go Log Collector
Karandeep Singh
• 31 minutes
Summary
Master Docker container logging with Linux commands and a real Go log collector. From docker logs basics to a streaming aggregator that processes multiple containers.
Docker containers write logs to stdout and stderr. Docker captures those streams and stores them on disk. This sounds simple. It is not. When you have 20 containers running, logs scatter across the filesystem. When a container restarts, you lose context. When disk fills up, everything stops.
This article walks through Docker logging from the ground up. Each step starts with a Linux command, then builds the same thing in Go. We make mistakes on purpose, see the wrong output, and fix the code.
By the end, we have a Go log collector that discovers running containers, tails their logs concurrently, parses log levels, and prints a live stats dashboard.
Prerequisites
- A Linux system with Docker installed (native, WSL, or a VM)
- Go 1.21+ installed
- Basic familiarity with Docker commands
Step 1: How Docker Captures Logs
Every process inside a container has stdout (file descriptor 1) and stderr (file descriptor 2). Docker attaches to both streams and stores every line the process writes.
Linux Commands
Start a container that writes to stdout:
docker run -d --name test-stdout alpine sh -c 'while true; do echo "INFO $(date +%T) request processed"; sleep 1; done'
Wait a few seconds, then read the logs:
docker logs test-stdout
Expected output:
INFO 14:30:01 request processed
INFO 14:30:02 request processed
INFO 14:30:03 request processed
INFO 14:30:04 request processed
Now start a container that writes to stderr:
docker run -d --name test-stderr alpine sh -c 'while true; do echo "ERROR $(date +%T) connection failed" >&2; sleep 2; done'
Read just the last 3 lines:
docker logs --tail 3 test-stderr
Expected output:
ERROR 14:30:08 connection failed
ERROR 14:30:10 connection failed
ERROR 14:30:12 connection failed
Read logs from the last 5 seconds:
docker logs --since 5s test-stdout
This returns only lines written in the last 5 seconds. Useful during incidents when you do not want to scroll through hours of output.
Clean up:
Enrich your learning with CPU Monitoring: From Linux Commands to a Go Dashboard
docker rm -f test-stdout test-stderr
Go Code
We will use os/exec to run docker logs and capture the output. This is the simplest way to read container logs from Go.
mkdir -p /tmp/logcollector && cd /tmp/logcollector
go mod init logcollector
main.go
package main
import (
"fmt"
"log"
"os/exec"
)
func main() {
// Start a test container
start := exec.Command("docker", "run", "-d", "--name", "go-log-test",
"alpine", "sh", "-c",
`i=0; while [ $i -lt 10 ]; do echo "INFO request $i processed"; echo "ERROR failed to connect to db" >&2; i=$((i+1)); sleep 0.5; done`)
start.Run()
// Wait for logs to accumulate
fmt.Println("Waiting for container to produce logs...")
exec.Command("sleep", "6").Run()
// Read logs — BUG: only capture stdout
cmd := exec.Command("docker", "logs", "go-log-test")
output, err := cmd.Output()
if err != nil {
log.Fatalf("Failed to read logs: %v", err)
}
fmt.Println("=== Container Logs ===")
fmt.Println(string(output))
// Clean up
exec.Command("docker", "rm", "-f", "go-log-test").Run()
}
Run it:
cd /tmp/logcollector && go run main.go
Expected output:
Waiting for container to produce logs...
=== Container Logs ===
INFO request 0 processed
INFO request 1 processed
INFO request 2 processed
INFO request 3 processed
INFO request 4 processed
INFO request 5 processed
INFO request 6 processed
INFO request 7 processed
INFO request 8 processed
INFO request 9 processed
Where are the ERROR lines? The container wrote "ERROR failed to connect to db" to stderr. But cmd.Output() only captures stdout. All stderr output is silently discarded.
This is a common mistake. You test with a container that logs everything to stdout. It works. Then in production, your application writes errors to stderr, and your collector misses them.
Fix: Capture Both stdout and stderr
package main
import (
"fmt"
"log"
"os/exec"
)
func main() {
start := exec.Command("docker", "run", "-d", "--name", "go-log-test",
"alpine", "sh", "-c",
`i=0; while [ $i -lt 10 ]; do echo "INFO request $i processed"; echo "ERROR failed to connect to db" >&2; i=$((i+1)); sleep 0.5; done`)
start.Run()
fmt.Println("Waiting for container to produce logs...")
exec.Command("sleep", "6").Run()
// FIX: use CombinedOutput to capture both stdout and stderr
cmd := exec.Command("docker", "logs", "go-log-test")
output, err := cmd.CombinedOutput()
if err != nil {
log.Fatalf("Failed to read logs: %v", err)
}
fmt.Println("=== Container Logs ===")
fmt.Println(string(output))
// Count lines
lines := 0
for _, b := range output {
if b == '\n' {
lines++
}
}
fmt.Printf("Total lines: %d\n", lines)
exec.Command("docker", "rm", "-f", "go-log-test").Run()
}
Run it:
cd /tmp/logcollector && go run main.go
Expected output:
Waiting for container to produce logs...
=== Container Logs ===
INFO request 0 processed
ERROR failed to connect to db
INFO request 1 processed
ERROR failed to connect to db
INFO request 2 processed
ERROR failed to connect to db
INFO request 3 processed
ERROR failed to connect to db
INFO request 4 processed
ERROR failed to connect to db
INFO request 5 processed
ERROR failed to connect to db
INFO request 6 processed
ERROR failed to connect to db
INFO request 7 processed
ERROR failed to connect to db
INFO request 8 processed
ERROR failed to connect to db
INFO request 9 processed
ERROR failed to connect to db
Total lines: 20
Now we see 20 lines instead of 10. The CombinedOutput() method merges stdout and stderr into a single byte slice. The docker logs command itself merges both streams in chronological order, so the interleaving looks correct.
The one-line fix: replace Output() with CombinedOutput(). In production, you almost always want both streams.
Deepen your understanding in Nginx Log Analysis: From grep to a Go Log Parser
Step 2: Docker Logging Drivers
Docker does not just dump logs to a random file. It uses a logging driver to decide how and where logs are stored. The default driver is json-file.
Linux Commands
Check which logging driver your Docker daemon uses:
docker info --format '{{.LoggingDriver}}'
Expected output:
json-file
The json-file driver writes each log line as a JSON object to a file on disk. You can control file size and rotation:
docker run -d --name sized-logs \
--log-driver json-file \
--log-opt max-size=10m \
--log-opt max-file=3 \
alpine sh -c 'while true; do echo "payload data $(date +%T)"; sleep 0.1; done'
This creates at most 3 log files, each at most 10MB. When the third file fills up, Docker deletes the oldest and starts a new one.
Find where Docker stores the log file:
docker inspect --format '{{.LogPath}}' sized-logs
Expected output:
/var/lib/docker/containers/abc123.../abc123...-json.log
Read the raw file (you need root):
sudo head -5 $(docker inspect --format '{{.LogPath}}' sized-logs)
Expected output:
{"log":"payload data 14:30:01\n","stream":"stdout","time":"2023-09-10T14:30:01.123456789Z"}
{"log":"payload data 14:30:01\n","stream":"stdout","time":"2023-09-10T14:30:01.223456789Z"}
{"log":"payload data 14:30:01\n","stream":"stdout","time":"2023-09-10T14:30:01.323456789Z"}
{"log":"payload data 14:30:01\n","stream":"stdout","time":"2023-09-10T14:30:01.423456789Z"}
{"log":"payload data 14:30:01\n","stream":"stdout","time":"2023-09-10T14:30:01.523456789Z"}
Each line is a JSON object with three fields:
log: the actual log line (including the trailing newline)stream: eitherstdoutorstderrtime: timestamp in RFC3339Nano format
Clean up:
Enrich your learning with CPU Monitoring: From Linux Commands to a Go Dashboard
docker rm -f sized-logs
Go Code
We will parse the json-file format directly. This is faster than calling docker logs because we read the file ourselves without spawning a process.
package main
import (
"bufio"
"encoding/json"
"fmt"
"log"
"os"
"os/exec"
"strings"
"time"
)
type DockerLogEntry struct {
Log string `json:"log"`
Stream string `json:"stream"`
Time string `json:"time"`
}
func main() {
// Start a test container
start := exec.Command("docker", "run", "-d", "--name", "json-test",
"alpine", "sh", "-c",
`for i in $(seq 1 5); do echo "INFO line $i"; echo "ERROR fault $i" >&2; sleep 0.2; done`)
out, _ := start.Output()
containerID := strings.TrimSpace(string(out))
fmt.Printf("Container: %s\n", containerID[:12])
exec.Command("sleep", "3").Run()
// Get the log file path
inspect := exec.Command("docker", "inspect", "--format", "{{.LogPath}}", "json-test")
pathOut, _ := inspect.Output()
logPath := strings.TrimSpace(string(pathOut))
fmt.Printf("Log file: %s\n\n", logPath)
// Read and parse the JSON log file
file, err := os.Open(logPath)
if err != nil {
log.Fatalf("Cannot open log file: %v", err)
}
defer file.Close()
scanner := bufio.NewScanner(file)
for scanner.Scan() {
var entry DockerLogEntry
if err := json.Unmarshal(scanner.Bytes(), &entry); err != nil {
fmt.Printf("SKIP malformed line: %v\n", err)
continue
}
// BUG: parse time with RFC3339 instead of RFC3339Nano
ts, err := time.Parse(time.RFC3339, entry.Time)
if err != nil {
fmt.Printf("SKIP bad timestamp: %v\n", err)
continue
}
logText := strings.TrimRight(entry.Log, "\n")
fmt.Printf("[%s] [%s] %s\n", ts.Format("15:04:05"), entry.Stream, logText)
}
exec.Command("docker", "rm", "-f", "json-test").Run()
}
Run it:
cd /tmp/logcollector && go run main.go
Expected output:
Container: abc123def456
Log file: /var/lib/docker/containers/abc123.../abc123...-json.log
SKIP bad timestamp: parsing time "2023-09-10T14:30:01.123456789Z" as "2006-01-02T15:04:05Z07:00": cannot parse ".123456789Z" as "Z07:00"
SKIP bad timestamp: parsing time "2023-09-10T14:30:01.323456789Z" as "2006-01-02T15:04:05Z07:00": cannot parse ".323456789Z" as "Z07:00"
SKIP bad timestamp: parsing time "2023-09-10T14:30:01.523456789Z" as "2006-01-02T15:04:05Z07:00": cannot parse ".523456789Z" as "Z07:00"
...
Every line fails to parse. The Docker time field uses nanosecond precision: 2023-09-10T14:30:01.123456789Z. Go’s time.RFC3339 format expects no fractional seconds or exactly one decimal group that matches the Z07:00 zone. It does not handle nanoseconds.
This bug is easy to introduce because time.RFC3339 looks like the right choice. The timestamps are in RFC3339 format. But Docker uses the nanosecond variant.
Fix: Use time.RFC3339Nano
package main
import (
"bufio"
"encoding/json"
"fmt"
"log"
"os"
"os/exec"
"strings"
"time"
)
type DockerLogEntry struct {
Log string `json:"log"`
Stream string `json:"stream"`
Time string `json:"time"`
}
func main() {
start := exec.Command("docker", "run", "-d", "--name", "json-test",
"alpine", "sh", "-c",
`for i in $(seq 1 5); do echo "INFO line $i"; echo "ERROR fault $i" >&2; sleep 0.2; done`)
out, _ := start.Output()
containerID := strings.TrimSpace(string(out))
fmt.Printf("Container: %s\n", containerID[:12])
exec.Command("sleep", "3").Run()
inspect := exec.Command("docker", "inspect", "--format", "{{.LogPath}}", "json-test")
pathOut, _ := inspect.Output()
logPath := strings.TrimSpace(string(pathOut))
fmt.Printf("Log file: %s\n\n", logPath)
file, err := os.Open(logPath)
if err != nil {
log.Fatalf("Cannot open log file: %v", err)
}
defer file.Close()
scanner := bufio.NewScanner(file)
stdoutCount := 0
stderrCount := 0
for scanner.Scan() {
var entry DockerLogEntry
if err := json.Unmarshal(scanner.Bytes(), &entry); err != nil {
continue
}
// FIX: use RFC3339Nano for Docker timestamps
ts, err := time.Parse(time.RFC3339Nano, entry.Time)
if err != nil {
fmt.Printf("SKIP bad timestamp: %v\n", err)
continue
}
logText := strings.TrimRight(entry.Log, "\n")
fmt.Printf("[%s] [%-6s] %s\n", ts.Format("15:04:05.000"), entry.Stream, logText)
if entry.Stream == "stdout" {
stdoutCount++
} else {
stderrCount++
}
}
fmt.Printf("\nTotal: %d stdout, %d stderr\n", stdoutCount, stderrCount)
exec.Command("docker", "rm", "-f", "json-test").Run()
}
Run it:
cd /tmp/logcollector && go run main.go
Expected output:
Container: abc123def456
Log file: /var/lib/docker/containers/abc123.../abc123...-json.log
[14:30:01.123] [stdout] INFO line 1
[14:30:01.124] [stderr] ERROR fault 1
[14:30:01.323] [stdout] INFO line 2
[14:30:01.324] [stderr] ERROR fault 2
[14:30:01.523] [stdout] INFO line 3
[14:30:01.524] [stderr] ERROR fault 3
[14:30:01.723] [stdout] INFO line 4
[14:30:01.724] [stderr] ERROR fault 4
[14:30:01.923] [stdout] INFO line 5
[14:30:01.924] [stderr] ERROR fault 5
Total: 5 stdout, 5 stderr
Now every line parses correctly. The millisecond timestamps show that stdout and stderr lines from the same iteration arrive less than 1ms apart.
The fix: replace time.RFC3339 with time.RFC3339Nano. Docker always writes nanosecond timestamps. RFC3339Nano handles both nanosecond and plain timestamps, so it is always the safer choice when parsing Docker log times.
Explore this further in Nginx Log Analysis: From grep to a Go Log Parser
Step 3: Tailing Logs in Real Time
Reading existing logs is useful for post-incident analysis. During an active incident, you need real-time log streaming.
Linux Commands
Follow logs from a running container:
docker run -d --name tail-test alpine sh -c 'while true; do echo "$(date +%T) heartbeat"; sleep 2; done'
docker logs -f tail-test
This streams new lines as they appear, like tail -f. Press Ctrl+C to stop.
You can also watch container lifecycle events:
docker events --filter 'type=container' --format '{{.Time}} {{.Action}} {{.Actor.Attributes.name}}'
This shows when containers start, stop, die, or get removed. Useful for understanding why logs stop appearing.
Clean up:
Enrich your learning with CPU Monitoring: From Linux Commands to a Go Dashboard
docker rm -f tail-test
Go Code
We will build a log tailer that reads a Docker json-file log and keeps watching for new lines. This is the core of any log collector.
package main
import (
"bufio"
"encoding/json"
"fmt"
"log"
"os"
"os/exec"
"os/signal"
"strings"
"syscall"
"time"
)
type DockerLogEntry struct {
Log string `json:"log"`
Stream string `json:"stream"`
Time string `json:"time"`
}
func main() {
// Start a container that logs every second
start := exec.Command("docker", "run", "-d", "--name", "tail-demo",
"alpine", "sh", "-c",
`i=0; while true; do echo "INFO heartbeat $i"; i=$((i+1)); sleep 1; done`)
start.Run()
exec.Command("sleep", "2").Run()
// Get log file path
inspect := exec.Command("docker", "inspect", "--format", "{{.LogPath}}", "tail-demo")
pathOut, _ := inspect.Output()
logPath := strings.TrimSpace(string(pathOut))
fmt.Printf("Tailing %s\n", logPath)
fmt.Println("Press Ctrl+C to stop\n")
// Open the log file
file, err := os.Open(logPath)
if err != nil {
log.Fatalf("Cannot open: %v", err)
}
defer file.Close()
// BUG: scanner reads to EOF and stops — does not wait for new lines
scanner := bufio.NewScanner(file)
for scanner.Scan() {
var entry DockerLogEntry
if err := json.Unmarshal(scanner.Bytes(), &entry); err != nil {
continue
}
ts, _ := time.Parse(time.RFC3339Nano, entry.Time)
logText := strings.TrimRight(entry.Log, "\n")
fmt.Printf("[%s] %s\n", ts.Format("15:04:05"), logText)
}
fmt.Println("Scanner finished — no more lines")
// Handle Ctrl+C
sig := make(chan os.Signal, 1)
signal.Notify(sig, syscall.SIGINT)
<-sig
exec.Command("docker", "rm", "-f", "tail-demo").Run()
}
Run it:
cd /tmp/logcollector && go run main.go
Expected output:
Tailing /var/lib/docker/containers/abc.../abc...-json.log
Press Ctrl+C to stop
[14:30:01] INFO heartbeat 0
[14:30:02] INFO heartbeat 1
Scanner finished — no more lines
The scanner reads the two existing lines and then hits EOF. It exits the loop immediately. The container keeps writing new lines, but our program never sees them.
bufio.Scanner is designed to read files that have a defined end. A container log file is different. It keeps growing. We need to detect EOF and wait for new data instead of quitting.
Fix: Implement a Polling Loop on EOF
package main
import (
"bufio"
"encoding/json"
"fmt"
"log"
"os"
"os/exec"
"os/signal"
"strings"
"syscall"
"time"
)
type DockerLogEntry struct {
Log string `json:"log"`
Stream string `json:"stream"`
Time string `json:"time"`
}
func main() {
start := exec.Command("docker", "run", "-d", "--name", "tail-demo",
"alpine", "sh", "-c",
`i=0; while true; do echo "INFO heartbeat $i"; i=$((i+1)); sleep 1; done`)
start.Run()
exec.Command("sleep", "2").Run()
inspect := exec.Command("docker", "inspect", "--format", "{{.LogPath}}", "tail-demo")
pathOut, _ := inspect.Output()
logPath := strings.TrimSpace(string(pathOut))
fmt.Printf("Tailing %s\n", logPath)
fmt.Println("Press Ctrl+C to stop\n")
file, err := os.Open(logPath)
if err != nil {
log.Fatalf("Cannot open: %v", err)
}
defer file.Close()
// Handle Ctrl+C for clean shutdown
done := make(chan bool)
sig := make(chan os.Signal, 1)
signal.Notify(sig, syscall.SIGINT)
go func() {
<-sig
fmt.Println("\nShutting down...")
done <- true
}()
// FIX: polling loop that retries on EOF
reader := bufio.NewReader(file)
lineCount := 0
for {
select {
case <-done:
fmt.Printf("\nTotal lines read: %d\n", lineCount)
exec.Command("docker", "rm", "-f", "tail-demo").Run()
return
default:
}
line, err := reader.ReadBytes('\n')
if err != nil {
// EOF reached — wait and try again
time.Sleep(100 * time.Millisecond)
continue
}
var entry DockerLogEntry
if jsonErr := json.Unmarshal(line, &entry); jsonErr != nil {
continue
}
ts, _ := time.Parse(time.RFC3339Nano, entry.Time)
logText := strings.TrimRight(entry.Log, "\n")
fmt.Printf("[%s] %s\n", ts.Format("15:04:05"), logText)
lineCount++
}
}
Run it:
cd /tmp/logcollector && go run main.go
Expected output (streams continuously):
Tailing /var/lib/docker/containers/abc.../abc...-json.log
Press Ctrl+C to stop
[14:30:01] INFO heartbeat 0
[14:30:02] INFO heartbeat 1
[14:30:03] INFO heartbeat 2
[14:30:04] INFO heartbeat 3
[14:30:05] INFO heartbeat 4
[14:30:06] INFO heartbeat 5
^C
Shutting down...
Total lines read: 6
Now the program keeps running. When ReadBytes hits EOF, it sleeps for 100ms and tries again. New lines appear within a second of being written. Press Ctrl+C and it prints the total count, removes the container, and exits.
The polling interval of 100ms is a tradeoff. Shorter means lower latency but more CPU. Longer means less CPU but you might miss logs during a burst. 100ms is a good default for most use cases.
Discover related concepts in Timezones in Production: From Linux Commands to Go
Step 4: Multi-Container Log Aggregation
Real applications run multiple containers. A web app might have nginx, an API server, a background worker, and a database. You need logs from all of them in one place.
Linux Commands
Start a small stack with docker compose (or create multiple containers):
docker run -d --name web alpine sh -c 'while true; do echo "$(date +%T) GET /api/users 200"; sleep 1; done'
docker run -d --name worker alpine sh -c 'while true; do echo "$(date +%T) processing job queue"; sleep 2; done'
docker run -d --name cache alpine sh -c 'while true; do echo "$(date +%T) cache hit ratio 94%"; sleep 3; done'
List running containers:
docker ps --format '{{.ID}} {{.Names}}'
Expected output:
abc123 web
def456 worker
ghi789 cache
Tail all of them at once. With docker compose this would be docker compose logs -f. Without compose, you can tail each one in the background:
docker logs -f web &
docker logs -f worker &
docker logs -f cache &
The output from all three containers mixes together. There is no label telling you which container produced which line. During an incident, this makes it hard to follow the flow.
Clean up:
Enrich your learning with CPU Monitoring: From Linux Commands to a Go Dashboard
docker rm -f web worker cache
Go Code
We will build a collector that discovers all running containers and tails each one concurrently using goroutines.
package main
import (
"bufio"
"fmt"
"os"
"os/exec"
"os/signal"
"strings"
"syscall"
)
type Container struct {
ID string
Name string
}
func main() {
// Start test containers
exec.Command("docker", "run", "-d", "--name", "web",
"alpine", "sh", "-c", `while true; do echo "GET /api/users 200 12ms"; sleep 1; done`).Run()
exec.Command("docker", "run", "-d", "--name", "worker",
"alpine", "sh", "-c", `while true; do echo "processing job 42"; sleep 2; done`).Run()
exec.Command("docker", "run", "-d", "--name", "cache",
"alpine", "sh", "-c", `while true; do echo "cache hit ratio 94%"; sleep 3; done`).Run()
exec.Command("sleep", "2").Run()
// Discover running containers
containers := discoverContainers()
fmt.Printf("Found %d containers\n\n", len(containers))
// BUG: each goroutine writes to stdout without synchronization
// Lines from different containers can interleave mid-line
for _, c := range containers {
go tailContainer(c)
}
// Wait for Ctrl+C
sig := make(chan os.Signal, 1)
signal.Notify(sig, syscall.SIGINT)
<-sig
fmt.Println("\nCleaning up...")
exec.Command("docker", "rm", "-f", "web", "worker", "cache").Run()
}
func discoverContainers() []Container {
cmd := exec.Command("docker", "ps", "--format", "{{.ID}} {{.Names}}")
out, _ := cmd.Output()
var containers []Container
for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
parts := strings.SplitN(line, " ", 2)
if len(parts) == 2 {
containers = append(containers, Container{ID: parts[0], Name: parts[1]})
}
}
return containers
}
func tailContainer(c Container) {
cmd := exec.Command("docker", "logs", "-f", c.Name)
stdout, _ := cmd.StdoutPipe()
cmd.Start()
scanner := bufio.NewScanner(stdout)
for scanner.Scan() {
// Each goroutine calls fmt.Printf without coordination
fmt.Printf("[%s] %s\n", c.Name, scanner.Text())
}
}
Run it:
cd /tmp/logcollector && go run main.go
Expected output (sometimes corrupted):
Found 3 containers
[web] GET /api/users 200 12ms
[worker] processing jo[cache] cache hit ratio 94%
b 42
[web] GET /api/users 200 12ms
Look at the second and third lines. The worker log line got split: processing jo appeared, then the cache line interrupted, then b 42 appeared on its own line. This is because fmt.Printf is not atomic. When two goroutines call it at the same time, their output can interleave at any byte boundary.
This happens rarely with slow log rates. With fast-logging containers, it happens constantly.
Fix: Use a Channel to Serialize Output
package main
import (
"bufio"
"fmt"
"os"
"os/exec"
"os/signal"
"strings"
"syscall"
)
type Container struct {
ID string
Name string
}
type LogLine struct {
Container string
Text string
}
// ANSI colors for different containers
var colors = []string{
"\033[36m", // cyan
"\033[33m", // yellow
"\033[32m", // green
"\033[35m", // magenta
"\033[34m", // blue
}
const colorReset = "\033[0m"
func main() {
exec.Command("docker", "run", "-d", "--name", "web",
"alpine", "sh", "-c", `while true; do echo "GET /api/users 200 12ms"; sleep 1; done`).Run()
exec.Command("docker", "run", "-d", "--name", "worker",
"alpine", "sh", "-c", `while true; do echo "processing job 42"; sleep 2; done`).Run()
exec.Command("docker", "run", "-d", "--name", "cache",
"alpine", "sh", "-c", `while true; do echo "cache hit ratio 94%"; sleep 3; done`).Run()
exec.Command("sleep", "2").Run()
containers := discoverContainers()
fmt.Printf("Found %d containers\n\n", len(containers))
// FIX: single channel collects all log lines
logChan := make(chan LogLine, 100)
// Assign a color to each container
colorMap := make(map[string]string)
for i, c := range containers {
colorMap[c.Name] = colors[i%len(colors)]
go tailContainer(c, logChan)
}
// Single goroutine reads from channel and prints
// This guarantees lines never interleave
go func() {
for line := range logChan {
color := colorMap[line.Container]
fmt.Printf("%s[%-8s]%s %s\n", color, line.Container, colorReset, line.Text)
}
}()
sig := make(chan os.Signal, 1)
signal.Notify(sig, syscall.SIGINT)
<-sig
fmt.Println("\nCleaning up...")
exec.Command("docker", "rm", "-f", "web", "worker", "cache").Run()
}
func discoverContainers() []Container {
cmd := exec.Command("docker", "ps", "--format", "{{.ID}} {{.Names}}")
out, _ := cmd.Output()
var containers []Container
for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
parts := strings.SplitN(line, " ", 2)
if len(parts) == 2 {
containers = append(containers, Container{ID: parts[0], Name: parts[1]})
}
}
return containers
}
func tailContainer(c Container, logChan chan<- LogLine) {
cmd := exec.Command("docker", "logs", "-f", c.Name)
stdout, _ := cmd.StdoutPipe()
cmd.Stderr = cmd.Stdout // merge stderr into stdout
cmd.Start()
scanner := bufio.NewScanner(stdout)
for scanner.Scan() {
// Send complete lines to the channel — never partial
logChan <- LogLine{Container: c.Name, Text: scanner.Text()}
}
}
Run it:
cd /tmp/logcollector && go run main.go
Expected output (clean, colored):
Found 3 containers
[web ] GET /api/users 200 12ms
[worker ] processing job 42
[cache ] cache hit ratio 94%
[web ] GET /api/users 200 12ms
[web ] GET /api/users 200 12ms
[worker ] processing job 42
[web ] GET /api/users 200 12ms
[cache ] cache hit ratio 94%
^C
Cleaning up...
Every line is intact. The container name is color-coded and left-padded. Lines from different containers appear in the order they arrive at the channel, but never split mid-line.
The fix has two parts:
- Each goroutine sends complete
LogLinestructs through a channel instead of printing directly. - A single goroutine reads from the channel and prints. Only one goroutine writes to stdout, so there is no race condition.
The buffered channel (make(chan LogLine, 100)) prevents a slow printer from blocking fast-logging containers.
Uncover more details in Terraform From Scratch: Provision AWS Infrastructure Step by Step
Step 5: Log Parsing and Filtering
During an incident, you do not want all logs. You want errors. You want logs from the last 10 minutes. You want to count how fast errors are arriving.
Linux Commands
Filter for ERROR lines from a specific container:
docker run -d --name filter-test alpine sh -c '
i=0
while [ $i -lt 50 ]; do
if [ $((i % 5)) -eq 0 ]; then
echo "ERROR connection refused to database"
elif [ $((i % 7)) -eq 0 ]; then
echo "WARN slow query detected 2.3s"
else
echo "INFO request processed in 45ms"
fi
i=$((i+1))
sleep 0.1
done'
Wait for it to finish, then filter:
docker logs filter-test 2>&1 | grep ERROR
Expected output:
ERROR connection refused to database
ERROR connection refused to database
ERROR connection refused to database
...
Count lines from the last 2 hours:
docker logs filter-test --since 2h 2>&1 | wc -l
Clean up:
Enrich your learning with CPU Monitoring: From Linux Commands to a Go Dashboard
docker rm -f filter-test
Go Code
We will add regex-based filtering and log level detection to our collector.
package main
import (
"bufio"
"fmt"
"os/exec"
"regexp"
"strings"
"time"
)
type ParsedLine struct {
Timestamp time.Time
Container string
Level string
Message string
}
func main() {
// Start a container with mixed log levels
exec.Command("docker", "run", "-d", "--name", "parse-test",
"alpine", "sh", "-c", `
i=0
while [ $i -lt 30 ]; do
case $((i % 6)) in
0) echo "ERROR connection refused" ;;
1) echo "INFO request handled in 23ms" ;;
2) echo "WARN high memory usage 89%" ;;
3) echo "INFO user login from 10.0.1.50" ;;
4) echo "ERROR timeout waiting for MIRROR_SYNC service" ;;
5) echo "INFO health check passed" ;;
esac
i=$((i+1))
sleep 0.2
done`).Run()
exec.Command("sleep", "8").Run()
// Read logs
cmd := exec.Command("docker", "logs", "parse-test")
out, _ := cmd.CombinedOutput()
// BUG: simple string contains check for "ERROR"
errorPattern := "ERROR"
errorCount := 0
scanner := bufio.NewScanner(strings.NewReader(string(out)))
for scanner.Scan() {
line := scanner.Text()
if strings.Contains(line, errorPattern) {
errorCount++
fmt.Printf(" MATCH: %s\n", line)
}
}
fmt.Printf("\nTotal lines matching '%s': %d\n", errorPattern, errorCount)
exec.Command("docker", "rm", "-f", "parse-test").Run()
}
Run it:
cd /tmp/logcollector && go run main.go
Expected output:
MATCH: ERROR connection refused
MATCH: ERROR timeout waiting for MIRROR_SYNC service
MATCH: ERROR connection refused
MATCH: ERROR timeout waiting for MIRROR_SYNC service
MATCH: ERROR connection refused
MATCH: ERROR timeout waiting for MIRROR_SYNC service
MATCH: ERROR connection refused
MATCH: ERROR timeout waiting for MIRROR_SYNC service
MATCH: ERROR connection refused
MATCH: ERROR timeout waiting for MIRROR_SYNC service
Total lines matching 'ERROR': 10
This looks correct. All 10 ERROR lines matched. But look at this line:
ERROR timeout waiting for MIRROR_SYNC service
The string "MIRROR_SYNC" contains "ERROR" as a substring: MIRROR. Wait, it does not. Let me show the actual problem more clearly. Change the test data to include a line like "INFO restored from ERRORSTATE backup". The word ERRORSTATE contains ERROR as a prefix. strings.Contains matches it.
In real application logs, you will see words like ERRORHANDLER, ERRORCODE, ERRORSTATE, and URLs containing /error/ or query parameters like ?error=true. A simple substring match catches all of them.
Fix: Use Word Boundary Matching
package main
import (
"bufio"
"fmt"
"os/exec"
"regexp"
"strings"
"time"
)
type ParsedLine struct {
Container string
Level string
Message string
}
var levelPattern = regexp.MustCompile(`\b(ERROR|WARN|INFO|DEBUG)\b`)
func main() {
exec.Command("docker", "run", "-d", "--name", "parse-test",
"alpine", "sh", "-c", `
i=0
while [ $i -lt 30 ]; do
case $((i % 8)) in
0) echo "ERROR connection refused" ;;
1) echo "INFO request handled in 23ms" ;;
2) echo "WARN high memory usage 89%" ;;
3) echo "INFO restored from ERRORSTATE backup" ;;
4) echo "ERROR timeout on upstream" ;;
5) echo "INFO user visited /error/page endpoint" ;;
6) echo "INFO ERRORCODE=200 means success" ;;
7) echo "WARN disk usage 78%" ;;
esac
i=$((i+1))
sleep 0.2
done`).Run()
exec.Command("sleep", "8").Run()
cmd := exec.Command("docker", "logs", "parse-test")
out, _ := cmd.CombinedOutput()
// FIX: use \b word boundary to match whole words only
errorRe := regexp.MustCompile(`\bERROR\b`)
counts := map[string]int{"ERROR": 0, "WARN": 0, "INFO": 0}
var errors []string
scanner := bufio.NewScanner(strings.NewReader(string(out)))
for scanner.Scan() {
line := scanner.Text()
// Detect log level with word boundaries
match := levelPattern.FindString(line)
if match != "" {
counts[match]++
}
// Filter for actual ERROR lines only
if errorRe.MatchString(line) && levelPattern.FindString(line) == "ERROR" {
errors = append(errors, line)
}
}
fmt.Println("[Log Level Distribution]")
total := counts["ERROR"] + counts["WARN"] + counts["INFO"]
for _, level := range []string{"ERROR", "WARN", "INFO"} {
pct := float64(counts[level]) / float64(total) * 100
fmt.Printf(" %-6s %d (%.1f%%)\n", level, counts[level], pct)
}
// Error rate per second
duration := 8 * time.Second // approximate
rate := float64(counts["ERROR"]) / duration.Seconds()
fmt.Printf("\nError rate: %.1f errors/sec\n", rate)
fmt.Printf("\n[Actual ERROR lines: %d]\n", len(errors))
for _, e := range errors {
fmt.Printf(" %s\n", e)
}
exec.Command("docker", "rm", "-f", "parse-test").Run()
}
Run it:
cd /tmp/logcollector && go run main.go
Expected output:
[Log Level Distribution]
ERROR 8 (26.7%)
WARN 8 (26.7%)
INFO 14 (46.7%)
Error rate: 1.0 errors/sec
[Actual ERROR lines: 8]
ERROR connection refused
ERROR timeout on upstream
ERROR connection refused
ERROR timeout on upstream
ERROR connection refused
ERROR timeout on upstream
ERROR connection refused
ERROR timeout on upstream
Lines containing ERRORSTATE, ERRORCODE, and /error/ are correctly classified as INFO, not ERROR. The \b word boundary anchor ensures that ERROR only matches when it appears as a standalone word, not as part of a larger string.
The counts add up correctly: 8 ERRORs from cases 0 and 4, 8 WARNs from cases 2 and 7, and 14 INFOs from cases 1, 3, 5, and 6 (with some cases producing more lines due to the modulo-8 distribution over 30 iterations).
Journey deeper into this topic with How to Replace Text in Multiple Files with Sed: A Step-by-Step Guide
Step 6: Complete Log Collector with Stats Dashboard
Now we combine everything: container discovery, real-time tailing, log level parsing, error filtering, and a live stats dashboard.
The Final Program
This is a single Go file that runs as a log collector. It discovers all running containers, tails each one with a goroutine, parses log levels, and prints a refreshing stats dashboard to the terminal.
mkdir -p /tmp/logcollector && cd /tmp/logcollector
main.go
package main
import (
"bufio"
"encoding/json"
"fmt"
"os"
"os/exec"
"os/signal"
"regexp"
"sort"
"strings"
"sync"
"syscall"
"time"
)
// --- Types ---
type Container struct {
ID string
Name string
}
type LogLine struct {
Container string
Level string
Message string
Timestamp time.Time
}
type ContainerStats struct {
Name string
Total int
Errors int
Warns int
LastSeen time.Time
TopErrors map[string]int
}
// --- Constants ---
var levelRe = regexp.MustCompile(`\b(ERROR|WARN|INFO|DEBUG|FATAL)\b`)
var containerColors = []string{
"\033[36m", // cyan
"\033[33m", // yellow
"\033[32m", // green
"\033[35m", // magenta
"\033[34m", // blue
"\033[91m", // light red
"\033[92m", // light green
"\033[93m", // light yellow
}
const (
reset = "\033[0m"
bold = "\033[1m"
red = "\033[31m"
green = "\033[32m"
yellow = "\033[33m"
cyan = "\033[36m"
)
// --- Main ---
func main() {
fmt.Printf("%s%sDocker Log Collector%s\n", bold, cyan, reset)
fmt.Println(strings.Repeat("=", 40))
fmt.Println()
// Discover containers
containers := discoverContainers()
if len(containers) == 0 {
fmt.Println("No running containers found.")
fmt.Println("Start some containers and try again.")
os.Exit(0)
}
fmt.Printf("Found %d containers:\n", len(containers))
colorMap := make(map[string]string)
for i, c := range containers {
color := containerColors[i%len(containerColors)]
colorMap[c.Name] = color
fmt.Printf(" %s%-12s%s %s\n", color, c.Name, reset, c.ID[:12])
}
fmt.Println()
// Shared state
var mu sync.Mutex
stats := make(map[string]*ContainerStats)
for _, c := range containers {
stats[c.Name] = &ContainerStats{
Name: c.Name,
TopErrors: make(map[string]int),
}
}
// Log channel
logChan := make(chan LogLine, 200)
// Start tailers
for _, c := range containers {
go tailContainerLogs(c, logChan)
}
// Start dashboard ticker
dashTicker := time.NewTicker(5 * time.Second)
defer dashTicker.Stop()
// Handle shutdown
done := make(chan bool, 1)
sig := make(chan os.Signal, 1)
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
go func() {
<-sig
done <- true
}()
// Start time for rate calculations
startTime := time.Now()
// Main loop
for {
select {
case <-done:
fmt.Printf("\n%sShutting down...%s\n\n", bold, reset)
printDashboard(stats, &mu, startTime, colorMap)
return
case line := <-logChan:
// Update stats
mu.Lock()
s := stats[line.Container]
s.Total++
s.LastSeen = line.Timestamp
switch line.Level {
case "ERROR", "FATAL":
s.Errors++
// Track top error messages
msg := line.Message
if len(msg) > 60 {
msg = msg[:60]
}
s.TopErrors[msg]++
case "WARN":
s.Warns++
}
mu.Unlock()
// Print the line
color := colorMap[line.Container]
levelColor := green
switch line.Level {
case "ERROR", "FATAL":
levelColor = red
case "WARN":
levelColor = yellow
}
fmt.Printf("%s[%-10s]%s %s%-5s%s %s\n",
color, line.Container, reset,
levelColor, line.Level, reset,
line.Message)
case <-dashTicker.C:
// Print dashboard every 5 seconds
fmt.Println()
printDashboard(stats, &mu, startTime, colorMap)
fmt.Println()
}
}
}
// --- Container Discovery ---
func discoverContainers() []Container {
cmd := exec.Command("docker", "ps", "--format", "{{.ID}} {{.Names}}")
out, err := cmd.Output()
if err != nil {
fmt.Printf("Failed to list containers: %v\n", err)
return nil
}
var containers []Container
for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
if line == "" {
continue
}
parts := strings.SplitN(line, " ", 2)
if len(parts) == 2 {
containers = append(containers, Container{
ID: parts[0],
Name: parts[1],
})
}
}
return containers
}
// --- Log Tailing ---
func tailContainerLogs(c Container, logChan chan<- LogLine) {
// First try reading the json-file log directly
inspect := exec.Command("docker", "inspect", "--format", "{{.LogPath}}", c.Name)
pathOut, err := inspect.Output()
if err == nil {
logPath := strings.TrimSpace(string(pathOut))
if logPath != "" {
tailJSONFile(c, logPath, logChan)
return
}
}
// Fallback: use docker logs -f
tailDockerLogs(c, logChan)
}
func tailJSONFile(c Container, logPath string, logChan chan<- LogLine) {
file, err := os.Open(logPath)
if err != nil {
// Fall back to docker logs
tailDockerLogs(c, logChan)
return
}
defer file.Close()
// Seek to end — only show new lines
file.Seek(0, 2)
reader := bufio.NewReader(file)
for {
line, err := reader.ReadBytes('\n')
if err != nil {
time.Sleep(100 * time.Millisecond)
continue
}
var entry struct {
Log string `json:"log"`
Stream string `json:"stream"`
Time string `json:"time"`
}
if jsonErr := json.Unmarshal(line, &entry); jsonErr != nil {
continue
}
ts, _ := time.Parse(time.RFC3339Nano, entry.Time)
logText := strings.TrimRight(entry.Log, "\n")
level := detectLevel(logText)
logChan <- LogLine{
Container: c.Name,
Level: level,
Message: logText,
Timestamp: ts,
}
}
}
func tailDockerLogs(c Container, logChan chan<- LogLine) {
cmd := exec.Command("docker", "logs", "-f", "--since", "1s", c.Name)
stdout, _ := cmd.StdoutPipe()
cmd.Stderr = cmd.Stdout
cmd.Start()
scanner := bufio.NewScanner(stdout)
for scanner.Scan() {
line := scanner.Text()
level := detectLevel(line)
logChan <- LogLine{
Container: c.Name,
Level: level,
Message: line,
Timestamp: time.Now(),
}
}
}
// --- Log Level Detection ---
func detectLevel(line string) string {
match := levelRe.FindString(line)
if match != "" {
return match
}
// Check for common patterns without explicit level
lower := strings.ToLower(line)
if strings.Contains(lower, "fail") || strings.Contains(lower, "panic") {
return "ERROR"
}
if strings.Contains(lower, "warn") || strings.Contains(lower, "slow") {
return "WARN"
}
return "INFO"
}
// --- Dashboard ---
func printDashboard(stats map[string]*ContainerStats, mu *sync.Mutex, startTime time.Time, colorMap map[string]string) {
mu.Lock()
defer mu.Unlock()
elapsed := time.Since(startTime).Seconds()
if elapsed < 1 {
elapsed = 1
}
fmt.Printf("%s%s--- Dashboard (%.0fs elapsed) ---%s\n", bold, cyan, elapsed, reset)
fmt.Println()
// Table header
fmt.Printf(" %-12s %8s %8s %8s %10s %10s\n",
"CONTAINER", "TOTAL", "ERRORS", "WARNS", "ERR/min", "LAST SEEN")
fmt.Printf(" %s\n", strings.Repeat("-", 68))
// Sort by container name for consistent output
var names []string
for name := range stats {
names = append(names, name)
}
sort.Strings(names)
totalLines := 0
totalErrors := 0
for _, name := range names {
s := stats[name]
totalLines += s.Total
totalErrors += s.Errors
errPerMin := float64(s.Errors) / elapsed * 60
color := colorMap[name]
errColor := green
if s.Errors > 0 {
errColor = red
}
lastSeen := "-"
if !s.LastSeen.IsZero() {
lastSeen = s.LastSeen.Format("15:04:05")
}
fmt.Printf(" %s%-12s%s %8d %s%8d%s %8d %10.1f %10s\n",
color, name, reset,
s.Total,
errColor, s.Errors, reset,
s.Warns,
errPerMin,
lastSeen)
}
fmt.Printf(" %s\n", strings.Repeat("-", 68))
fmt.Printf(" %-12s %8d %8d\n", "TOTAL", totalLines, totalErrors)
// Overall error rate
overallRate := float64(totalErrors) / elapsed * 60
rateColor := green
if overallRate > 10 {
rateColor = yellow
}
if overallRate > 60 {
rateColor = red
}
fmt.Printf("\n Overall error rate: %s%.1f errors/min%s\n", rateColor, overallRate, reset)
// Top errors across all containers
allErrors := make(map[string]int)
for _, s := range stats {
for msg, count := range s.TopErrors {
allErrors[msg] += count
}
}
if len(allErrors) > 0 {
fmt.Printf("\n %sTop Error Messages:%s\n", bold, reset)
type errEntry struct {
Msg string
Count int
}
var sorted []errEntry
for msg, count := range allErrors {
sorted = append(sorted, errEntry{msg, count})
}
sort.Slice(sorted, func(i, j int) bool { return sorted[i].Count > sorted[j].Count })
for i, e := range sorted {
if i >= 5 {
break
}
fmt.Printf(" %s%d%s %s\n", red, e.Count, reset, e.Msg)
}
}
fmt.Printf("\n%s%s-------------------------------%s\n", bold, cyan, reset)
}
Testing the Collector
Start a few containers that simulate a real application:
# API server: frequent logs, some errors
docker run -d --name api alpine sh -c '
i=0
while true; do
r=$((RANDOM % 10))
if [ $r -lt 6 ]; then
echo "INFO GET /api/users 200 23ms"
elif [ $r -lt 8 ]; then
echo "WARN slow query SELECT * FROM users took 1.2s"
elif [ $r -lt 9 ]; then
echo "ERROR connection refused to postgres:5432"
else
echo "ERROR timeout waiting for redis response"
fi
i=$((i+1))
sleep 0.5
done'
# Background worker: slower logs, occasional failures
docker run -d --name worker alpine sh -c '
i=0
while true; do
r=$((RANDOM % 5))
if [ $r -lt 3 ]; then
echo "INFO processed job #$i successfully"
elif [ $r -lt 4 ]; then
echo "WARN job #$i retry attempt 2 of 3"
else
echo "ERROR job #$i failed: invalid payload"
fi
i=$((i+1))
sleep 1
done'
# Nginx proxy: access log style
docker run -d --name nginx alpine sh -c '
while true; do
r=$((RANDOM % 20))
if [ $r -lt 14 ]; then
echo "INFO 10.0.1.50 GET /app 200"
elif [ $r -lt 17 ]; then
echo "WARN 10.0.1.50 GET /old-page 301"
elif [ $r -lt 19 ]; then
echo "ERROR 10.0.1.50 GET /missing 404"
else
echo "ERROR 10.0.1.50 POST /api/submit 502"
fi
sleep 0.3
done'
Now run the collector:
cd /tmp/logcollector && go run main.go
Expected output (streaming, with periodic dashboard):
Docker Log Collector
========================================
Found 3 containers:
api abc123def456
worker def456ghi789
nginx ghi789jkl012
[api ] INFO GET /api/users 200 23ms
[nginx ] INFO 10.0.1.50 GET /app 200
[api ] WARN slow query SELECT * FROM users took 1.2s
[nginx ] INFO 10.0.1.50 GET /app 200
[worker ] INFO processed job #0 successfully
[api ] INFO GET /api/users 200 23ms
[nginx ] ERROR 10.0.1.50 GET /missing 404
[api ] ERROR connection refused to postgres:5432
[worker ] WARN job #1 retry attempt 2 of 3
[nginx ] INFO 10.0.1.50 GET /app 200
...
--- Dashboard (5s elapsed) ---
CONTAINER TOTAL ERRORS WARNS ERR/min LAST SEEN
--------------------------------------------------------------------
api 10 1 2 12.0 14:30:06
nginx 16 2 3 24.0 14:30:06
worker 5 1 1 12.0 14:30:06
--------------------------------------------------------------------
TOTAL 31 4
Overall error rate: 48.0 errors/min
Top Error Messages:
2 10.0.1.50 GET /missing 404
1 connection refused to postgres:5432
1 job #1 failed: invalid payload
-------------------------------
[api ] INFO GET /api/users 200 23ms
[nginx ] INFO 10.0.1.50 GET /app 200
...
Press Ctrl+C to see the final dashboard and exit.
Your exact numbers will differ because the containers use $RANDOM. The structure and format will match.
Clean up:
Enrich your learning with CPU Monitoring: From Linux Commands to a Go Dashboard
docker rm -f api worker nginx
What the Collector Does
- Discovers all running containers using
docker ps. - Tails each container’s log file directly (json-file format) or falls back to
docker logs -f. - Parses log levels using word boundary regex (
\bERROR\b, not substring matching). - Serializes output through a channel so lines from different containers never interleave.
- Tracks per-container stats: total lines, error count, warning count, last seen time.
- Prints a dashboard every 5 seconds with error rates and top error messages.
- Colors each container differently so you can visually track which service is producing which logs.
What We Built
Here is what we covered, step by step:
- stdout/stderr capture — Docker captures both streams. Use
CombinedOutput()in Go to get both. - Logging drivers — The
json-filedriver stores structured JSON. Parse timestamps withtime.RFC3339Nano, nottime.RFC3339. - Real-time tailing —
bufio.Scannerstops at EOF. Use abufio.Readerwith a polling loop to follow growing files. - Multi-container aggregation — Concurrent goroutines interleave output. Use a channel to serialize log lines.
- Log parsing and filtering —
strings.Contains("ERROR")matches substrings inside other words. Use\bERROR\bregex for whole-word matching. - Stats dashboard — Combine everything into a collector that tails, parses, counts, and reports.
Each step had a trap:
Gain comprehensive insights from Deploy Jenkins on Amazon EKS: Complete Tutorial for Pods and Deployments
- Step 1:
cmd.Output()silently drops stderr — always useCombinedOutput()for container logs - Step 2:
time.RFC3339cannot parse Docker’s nanosecond timestamps — always usetime.RFC3339Nano - Step 3:
bufio.Scannerexits at EOF — implement a retry loop for growing files - Step 4: concurrent
fmt.Printfcalls corrupt output — send lines through a channel - Step 5: substring matching produces false positives — use word boundary regex
Cheat Sheet
Docker log commands:
docker logs <name> # all logs
docker logs --tail 50 <name> # last 50 lines
docker logs --since 1h <name> # last hour
docker logs -f <name> # follow (stream)
docker logs <name> 2>&1 | grep ERROR # filter errors
docker info --format '{{.LoggingDriver}}' # check driver
docker inspect --format '{{.LogPath}}' <name> # log file path
Docker log driver options:
docker run --log-driver json-file \
--log-opt max-size=10m \
--log-opt max-file=3 \
<image>
Go patterns for Docker log collection:
// Capture both stdout and stderr
output, err := cmd.CombinedOutput()
// Parse Docker JSON log timestamps
ts, err := time.Parse(time.RFC3339Nano, entry.Time)
// Tail a growing file (poll on EOF)
line, err := reader.ReadBytes('\n')
if err != nil {
time.Sleep(100 * time.Millisecond)
continue
}
// Serialize concurrent output through a channel
logChan := make(chan LogLine, 100)
go func() { logChan <- LogLine{...} }()
for line := range logChan { fmt.Println(line) }
// Match whole words only
re := regexp.MustCompile(`\bERROR\b`)
Key rules:
Master this concept through Sed Cheat Sheet: 30 Essential One-Liners
- Always capture stderr from containers — that is where errors go
- Use
time.RFC3339Nanofor Docker timestamps, nevertime.RFC3339 - Never let multiple goroutines write to stdout — serialize through a channel
- Use word boundary regex for log level detection, not substring matching
- Set
max-sizeandmax-fileon the json-file driver to prevent disk fill - Seek to end of log file before tailing — you want new lines, not history
References and Further Reading
- Docker. (2023). Configure logging drivers. docs.docker.com.
- Docker. (2023). JSON File logging driver. docs.docker.com.
- Go Team. (2023). Package os/exec. pkg.go.dev.
- Go Team. (2023). Package encoding/json. pkg.go.dev.
- Go Team. (2023). Package time — RFC3339Nano. pkg.go.dev.
Keep Reading
- Nginx Log Analysis: From grep to a Go Log Parser — parse the logs your containers produce with regex, status codes, and percentile analysis.
- Service Health Checks: From curl to a Go Health Monitor — monitor the containers you are collecting logs from.
- Containers From Scratch in Go — understand what containers actually are under the hood.
Question
What is your Docker logging setup? json-file with rotation, or do you forward to an external system?
Similar Articles
Related Content
More from devops
Learn Terraform with AWS from scratch. Start with a single S3 bucket, hit real errors, fix them, …
Learn nginx log analysis step by step — start with grep and awk one-liners for quick answers, then …
You Might Also Like
Learn AWS automation step by step. Start with AWS CLI commands for S3, EC2, and IAM, then build the …
Contents