Getting Started

DockLog ships as a single Docker image on Docker Hub. Mount the socket, expose a port, and you're tailing logs in the browser. Auth mode adds SQLite-backed users, RBAC, and audit logs.

Important

The published image is aimldev/docklog:latest (amd64 and arm64). One container bundles the Go backend and Vue 3 UI. No separate frontend image to wire up.

What the image includes

Single-image deployment

Pull, mount the socket, expose a port.

Backend + frontend

API, WebSockets, and Vue UI in one container.

RBAC and actions

Server ALLOW_* gates plus per-user can_* flags.

Audit and persistence

Users and audits in SQLite when auth mode is on.

Webhook notifications

Slack, Teams, Discord, or custom HTTPS webhooks.

Alert rules

Log, event, and metric rules with throttling.

Auth mode (teams)

RBAC, audit log, and JWT sessions. Mount a volume at DB_PATH so users and audits survive restarts. Fresh installs seed admin / admin123.

bash

mkdir -p ./data

docker run -d \
  --name docklog \
  -p 8888:8000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $(pwd)/data:/app/data \
  -e SECRET_KEYSECRET_KEY: Secret token string for signing secure JWT user session cookies.=your-secure-key-here \
  -e DB_PATHDB_PATH: SQLite database storage file path for users and audit records.=/app/data/docklog.db \
  -e CLIENT_ACCESSCLIENT_ACCESS: strict or off. Controls browser origin validation for API and WebSocket access.=strict \
  -e ENVENV: Set to production to enforce a non-default SECRET_KEY and disable localhost origin bypass.=production \
  -e TRUST_PROXYTRUST_PROXY: Honor X-Forwarded-* headers from a trusted reverse proxy. Set true behind Nginx, Traefik, or Caddy.=true \
  --restart unless-stopped \
  aimldev/docklog:latest

No-auth mode (local / LAN)

Skips login. Uses in-memory SQLite unless you set DB_PATH. Do not expose on the public internet.

bash

docker run -d \
  --name docklog \
  -p 8888:8000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e DISABLE_AUTHDISABLE_AUTH: Skips the login screen. Fine on a private LAN; don't use on the public internet.=true \
  --restart unless-stopped \
  aimldev/docklog:latest

External exposure

No-auth mode exposes logs to anyone with the URL. Use reverse-proxy auth or keep the service on a private network.

Interactive deployment builder

Pick Compose or docker run, toggle auth and action flags, then copy the snippet:

Deployment Builder

Generate Docker Compose or a plain docker run command

Deploy with

Security Mode

Host Port Binding

Actions & Shell Settings

These ALLOW_* flags are the server gate. In auth mode, each user (including admin) also needs matching can_* permissions in Admin → Users.

Production mode (ENV=production)Trust reverse proxy (TRUST_PROXY=true)

JWT Secret Key

Generated docker-compose.yaml

yaml

services:
  docklog:
    image: aimldev/docklog:latest
    container_name: docklog
    ports:
      - "8888:8000"
    environment:
      - SECRET_KEYSECRET_KEY: Secret token string for signing secure JWT user session cookies.=generate-secret-here
      - DB_PATHDB_PATH: SQLite database storage file path for users and audit records.=/app/data/docklog.db
      - CLIENT_ACCESSCLIENT_ACCESS: strict or off. Controls browser origin validation for API and WebSocket access.=strict
      - ENVENV: Set to production to enforce a non-default SECRET_KEY and disable localhost origin bypass.=production
      - TRUST_PROXYTRUST_PROXY: Honor X-Forwarded-* headers from a trusted reverse proxy. Set true behind Nginx, Traefik, or Caddy.=true
    volumes:
      - /var/run/docker.sockdocker.sock: Local UNIX host socket allowing direct control of the Docker daemon engine.:/var/run/docker.sockdocker.sock: Local UNIX host socket allowing direct control of the Docker daemon engine.
      - ./data:/app/data
    restart: unless-stopped

Save this into docker-compose.yaml on your server, then run docker compose up -d.

In auth mode, container actions need both a server ALLOW_* flag and the matching per-user can_* permission. In no-auth mode, ALLOW_* env vars are the only gate. Use EXCLUDE_CONTAINERS to hide workloads from every user.

Variable	Description	Default	Mode
DISABLE_AUTH	Disable login and JWT. Also accepted as NO_AUTH=true. Forces CLIENT_ACCESS off and uses an in-memory SQLite database when DB_PATH is unset.	`false`	Both
SECRET_KEY	JWT signing secret. Startup fails in production (ENV=production) if the default value is still in use.	`secret-key-change-this`	Auth
DB_PATH	SQLite file path. Defaults to docklog.db in auth mode and :memory: in no-auth mode when unset.	`docklog.db`	Both
PORT	HTTP listen port inside the container.	`8000`	Both
DOCKER_HOST	Docker daemon address (standard Docker SDK variable). Defaults to the local socket.	`unix:///var/run/docker.sock`	Both
CLIENT_ACCESS	strict or off. In strict mode, browser clients must send X-DockLog-Client: web with an allowed Origin. Native apps use JWT without Origin. Forced off when DISABLE_AUTH=true.	`strict`	Auth
ALLOWED_ORIGINS	Comma-separated browser origins for the Vue UI. Full URLs (https://app.example.com) or host-only entries (app.example.com) are accepted. Use the public HTTPS URL when behind a reverse proxy.	`(empty)`	Auth
TRUST_PROXY	Honor X-Forwarded-Host and X-Forwarded-Proto from a trusted reverse proxy. Required for correct origin checks and login behind Nginx, Traefik, or Caddy.	`false`	Auth
ENV	Set to production (or GO_ENV=production) to enforce a non-default SECRET_KEY and disable localhost origin bypass.	`(empty)`	Auth
ALLOW_START	Server gate for start actions. In auth mode, every user (including admin) also needs can_start in the database. In no-auth mode, this is the only gate.	`false`	Both
ALLOW_STOP	Server gate for stop actions. In auth mode, every user (including admin) also needs can_stop in the database. In no-auth mode, this is the only gate.	`false`	Both
ALLOW_RESTART	Server gate for restart actions. In auth mode, every user (including admin) also needs can_restart in the database. In no-auth mode, this is the only gate.	`false`	Both
ALLOW_DELETE	Server gate for remove actions. In auth mode, every user (including admin) also needs can_delete in the database. In no-auth mode, this is the only gate.	`false`	Both
ALLOW_SHELL	Server gate for interactive shell over WebSocket. In auth mode, every user (including admin) also needs can_shell in the database. In no-auth mode, this is the only gate.	`false`	Both
ALLOW_BASH	Alias for ALLOW_SHELL=true.	`false`	Both
EXCLUDE_CONTAINERS	Comma-separated container names to hide from every user in the dashboard. The DockLog container itself is always hidden (matched by name docklog or image containing docklog).	`(empty)`	Both

Tip

Typical RAM use is around 30–40 MB on a small VPS after startup.

Edit or suggest changes on GitHub.