Docker Log Format
In this guide, we assume that you use Docker in the standard way, where logs are captured from stdout and stderr. If you're looking for how to run LogScale in a Docker container, see Installing Using Containers instead.
LogScale has full support for the Docker Splunk logging driver. Getting logs from a Docker container is as simple as setting the logging driver and adding the splunk-url and splunk-token logging options to the container:

$ docker run --rm -it \
    --log-driver=splunk \
    --log-opt splunk-url=$YOUR_LOGSCALE_URL \
    --log-opt splunk-token=$INGEST_TOKEN \
    alpine ping 8.8.8.8
The $YOUR_LOGSCALE_URL variable is the base URL of your LogScale server, either LogScale Cloud or self-hosted. The $INGEST_TOKEN variable is the ingest token for your repository.
Parsing Logs
Since Docker handles log lines from stdout as text blobs, you must parse the lines to get the full value from them. To do this, you can either use a built-in parser or create new ones for your log types. For more details on creating parsers, see Parsers.

In terms of log management, Docker is only a transport layer. Before writing a custom parser, check Built-in Parsers to see whether LogScale already supports your log type.
Configuring Docker Daemon
To configure the Docker daemon to forward logs for all containers by default, update the daemon.json configuration file with the following parameters:

{
  "log-driver": "splunk",
  "log-opts": {
    "splunk-token": "$INGEST_TOKEN",
    "splunk-url": "$YOUR_LOGSCALE_URL"
  }
}

When finished, restart the Docker daemon.

To exclude a container from log forwarding, run it with the default json-file logging driver:

$ docker run --log-driver=json-file --rm alpine whoami
By default, Docker logging drivers are blocking, meaning that they prevent the process from printing to stdout and stderr while logs are being handled. This can, and should, be controlled with the mode log-opt.

In addition to the mode, the Splunk logging driver has its own buffer, which delays the point at which the process is paused. Also, in non-blocking mode Docker discards the oldest logs when the buffer is full.
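The daemon.json settings above and the mode log-opt are easy to get subtly wrong: dockerd reads daemon.json as literal JSON (a "$INGEST_TOKEN" string is not expanded by a shell), the default mode is blocking, and the ingest token is only protected in transit if splunk-url is https. The following added example (not part of this guide or of Docker) merges the Splunk driver settings into an existing daemon.json and reviews the result for those three problems; the sample existing configuration, the URL and the token are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample: an existing daemon.json that already sets other options.
EXISTING_DAEMON_JSON = '{"storage-driver": "overlay2", "log-driver": "json-file"}'


def build_daemon_config(existing_json, logscale_url, ingest_token,
                        mode="non-blocking", max_buffer_size="4m"):
    """Merge Splunk logging-driver settings into a daemon.json document.

    Keys unrelated to logging are preserved. mode and max-buffer-size are the
    generic Docker log-opts that decide whether container stdout/stderr writes
    stall while the driver delivers logs, and how much is buffered meanwhile.
    """
    cfg = json.loads(existing_json) if existing_json else {}
    cfg["log-driver"] = "splunk"
    opts = dict(cfg.get("log-opts", {}))
    opts.update({
        "splunk-url": logscale_url,
        "splunk-token": ingest_token,
        "mode": mode,
        "max-buffer-size": max_buffer_size,
    })
    cfg["log-opts"] = opts
    return cfg


def check_daemon_config(cfg):
    """Return findings a reviewer would raise before restarting dockerd."""
    findings = []
    opts = cfg.get("log-opts", {})
    if cfg.get("log-driver") != "splunk":
        findings.append("log-driver is not splunk; nothing is forwarded to LogScale")
    if urlparse(opts.get("splunk-url", "")).scheme != "https":
        findings.append("splunk-url is not https; the ingest token would travel in clear text")
    token = opts.get("splunk-token", "")
    # daemon.json is literal JSON: a leading '$' means the shell variable was never expanded.
    if not token or token.startswith("$"):
        findings.append("splunk-token is empty or an unexpanded variable")
    if opts.get("mode", "blocking") == "blocking":
        findings.append("mode is blocking; container writes stall while logs are delivered")
    return findings


if __name__ == "__main__":
    merged = build_daemon_config(EXISTING_DAEMON_JSON,
                                 "https://logscale.example.com", "constructed-token")
    print(json.dumps(merged, indent=2))
    print(check_daemon_config(merged) or "no findings")
```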
Docker Daemon Metrics
To get standard host-level metrics for your Docker containers, use Metricbeat, which includes a docker module.

Below is an example configuration of Metricbeat:

metricbeat.modules:
  - module: docker
    metricsets: ["cpu", "info", "memory", "network", "diskio", "container"]
    hosts: ["unix:///var/run/docker.sock"]
    enabled: true
    period: 10s

output.elasticsearch:
  hosts: ["$YOUR_LOGSCALE_URL/api/v1/ingest/elastic-bulk"]
  username: my-organization
  password: $INGEST_TOKEN

Where the $YOUR_LOGSCALE_URL variable is the base URL of your LogScale server, and $INGEST_TOKEN is the ingest token for your repository.

See also Elastic Beats for more information.