Amazon CloudWatch Logs logging driver

The awslogs logging driver sends container logs to Amazon CloudWatch Logs. Log entries can be retrieved through the AWS Management Console or the AWS SDKs and Command Line Tools.

Usage

You can configure the default logging driver by passing the --log-driver option to the Docker daemon:

dockerd --log-driver=awslogs

You can set the logging driver for a specific container by using the --log-driver option to docker run:

docker run --log-driver=awslogs ...

Amazon CloudWatch Logs options

You can use the --log-opt NAME=VALUE flag to specify Amazon CloudWatch Logs logging driver options.

awslogs-region

The awslogs logging driver sends your Docker logs to a specific region. Use the awslogs-region log option or the AWS_REGION environment variable to set the region. By default, if your Docker daemon is running on an EC2 instance and no region is set, the driver uses the instance’s region.

docker run --log-driver=awslogs --log-opt awslogs-region=us-east-1 ...

awslogs-group

You must specify a log group for the awslogs logging driver. You can specify the log group with the awslogs-group log option:

docker run --log-driver=awslogs --log-opt awslogs-region=us-east-1 --log-opt awslogs-group=myLogGroup ...

awslogs-stream

To configure which log stream should be used, you can specify the awslogs-stream log option. If not specified, the container ID is used as the log stream.

Note: Log streams within a given log group should only be used by one container at a time. Using the same log stream for multiple containers concurrently can cause reduced logging performance.

tag

Specify tag as an alternative to the awslogs-stream option. tag interprets template markup (e.g., {{.ID}}, {{.FullID}} or {{.Name}} docker.{{.ID}}). See the tag option documentation for details on all supported template substitutions.

When both awslogs-stream and tag are specified, the value supplied for awslogs-stream will override the template specified with tag.

If not specified, the container ID is used as the log stream.

Credentials

You must provide AWS credentials to the Docker daemon to use the awslogs logging driver. You can provide these credentials with the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables, the default AWS shared credentials file (~/.aws/credentials of the root user), or (if you are running the Docker daemon on an Amazon EC2 instance) the Amazon EC2 instance profile.

Credentials must have a policy applied that allows the logs:CreateLogStream and logs:PutLogEvents actions, as shown in the following example.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

© 2017 Docker, Inc.
Licensed under the Apache License, Version 2.0.
Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.
Docker, Inc. and other parties may also have trademark rights in other terms used herein.
https://docs.docker.com/v1.13/engine/admin/logging/awslogs/