During the last weekend, I made the interesting discovery of how hard it is to anonymize logfiles generated by docker. While there is plenty of documentation for the larger webservers (e.g. Nginx or Apache), the number of people who try to anonymize docker logs seems to be small.
Docker allows you to configure the logging adapter that is used. By default, all logs are written into JSON files (adapter: json-file) and you don’t get a chance to modify them in the process. The journald/systemd community seems to be completely ignorant of this topic (even though GDPR is quite a thing…)1
I ended up with syslog-ng, which is a drop-in replacement for syslog or rsyslogd and provides good support for both custom filters and rewrite operations. A good introduction to the topic of anonymized logs in syslog-ng can be found on moblog2.
To separate all docker logs from other system logs, I opted for a custom socket that is used by docker to publish log events. Each event is then rewritten using a regex that replaces the last part of any IP with a zero.
First you need to install syslog-ng and then create a file in /etc/syslog-ng/conf.d which contains the definition (e.g.
Match and rewrite ip
Now you can enable the logging-adapter by default in
Note: the tag is optional, but should be configured, as otherwise you’ll only get the ID of the docker container in your logs. Other possible tags are documented3.
As soon as you restart both docker and syslog-ng, the new logfile will be created and all logs will be written there.
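The setup described above, written out as an added example (not the author's original configuration). The file name, socket path, logfile path and the object names s_docker, r_mask_ipv4 and d_docker are assumptions.

```conf
# Added example; every path and object name below is an assumption.
# /etc/syslog-ng/conf.d/docker.conf (file name assumed)

# Dedicated datagram socket, so container logs stay separate from system logs.
source s_docker {
    unix-dgram("/run/docker-syslog.sock");
};

# Zero the last octet of every IPv4 address in the message text.
# Group 1 captures the first three octets including the trailing dot.
# Single quotes keep the backslashes literal for the PCRE engine.
rewrite r_mask_ipv4 {
    subst(
        '\b((?:[0-9]{1,3}\.){3})[0-9]{1,3}\b',
        '${1}0',
        value("MESSAGE"),
        type("pcre"),
        flags("global")
    );
};

destination d_docker {
    file("/var/log/docker.log");
};

# The rewrite runs before the destination, so only masked text reaches disk.
log {
    source(s_docker);
    rewrite(r_mask_ipv4);
    destination(d_docker);
};

# Matching Docker side, in the daemon configuration (JSON, shown as a comment):
#   {
#     "log-driver": "syslog",
#     "log-opts": {
#       "syslog-address": "unixgram:///run/docker-syslog.sock",
#       "tag": "{{.Name}}"
#     }
#   }
```

The pattern only covers IPv4, so IPv6 addresses reach the logfile unchanged. On Docker Engine 20.10 and later, the dual-logging cache also keeps an unrewritten local copy for docker logs unless the cache-disabled log option is set to true.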
Quick excursus: Filtering
As a goody, you can also use the filter(...) operation to filter out logs that you are not interested in. Filters are applied to fields of the log entry. Some of the available fields are: