The awslogs
logging driver sends container logs to
Amazon CloudWatch Logs.
Log entries can be retrieved through the AWS Management
Console or the AWS SDKs
and Command Line Tools.
You can configure the default logging driver by passing the --log-driver
option to the Docker daemon:
dockerd --log-driver=awslogs
You can set the logging driver for a specific container by using the
--log-driver
option to docker run
:
docker run --log-driver=awslogs ...
You can use the --log-opt NAME=VALUE
flag to specify Amazon CloudWatch Logs logging driver options.
The awslogs
logging driver sends your Docker logs to a specific region. Use
the awslogs-region
log option or the AWS_REGION
environment variable to set
the region. By default, if your Docker daemon is running on an EC2 instance
and no region is set, the driver uses the instance’s region.
docker run --log-driver=awslogs --log-opt awslogs-region=us-east-1 ...
You must specify a
log group
for the awslogs
logging driver. You can specify the log group with the
awslogs-group
log option:
docker run --log-driver=awslogs --log-opt awslogs-region=us-east-1 --log-opt awslogs-group=myLogGroup ...
To configure which
log stream
should be used, you can specify the awslogs-stream
log option. If not
specified, the container ID is used as the log stream.
Note: Log streams within a given log group should only be used by one container at a time. Using the same log stream for multiple containers concurrently can cause reduced logging performance.
Specify tag
as an alternative to the awslogs-stream
option. tag
interprets template markup (e.g., {{.ID}}
, {{.FullID}}
or {{.Name}}
docker.{{.ID}}
).
See the tag option documentation for details on all supported template substitutions.
When both awslogs-stream
and tag
are specified, the value supplied for awslogs-stream
will override the template specified with tag
.
If not specified, the container ID is used as the log stream.
You must provide AWS credentials to the Docker daemon to use the awslogs
logging driver. You can provide these credentials with the AWS_ACCESS_KEY_ID
,
AWS_SECRET_ACCESS_KEY
, and AWS_SESSION_TOKEN
environment variables, the
default AWS shared credentials file (~/.aws/credentials
of the root user), or
(if you are running the Docker daemon on an Amazon EC2 instance) the Amazon EC2
instance profile.
Credentials must have a policy applied that allows the logs:CreateLogStream
and logs:PutLogEvents
actions, as shown in the following example.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "*"
}
]
}