CNCFKubernetesApplication DevelopmentBeginner16 min read

What Does Container Logs Mean?

Also known as: container logs, container logs definition, kubectl logs, container logs kubernetes, CKAD logging

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

When you run a program inside a container, that program often writes messages to a special output stream. These messages are captured and stored by the container runtime, and they are called container logs. You can view these logs to see what the program is doing, check for errors, or monitor activity.

Must Know for Exams

The CNCF CKAD (Certified Kubernetes Application Developer) exam tests your ability to troubleshoot applications in Kubernetes, and container logs are a primary tool for that. In the exam, you will encounter scenarios where a pod is running but not behaving correctly, such as returning errors or crashing intermittently. You will need to use kubectl logs to inspect the application's output and diagnose the problem.

The exam also covers advanced logging patterns like using sidecar containers to stream logs to a central service. You may be asked to fix an application that fails because it is writing logs to a file inside the container instead of stdout, and you must understand that Kubernetes only captures stdout and stderr by default. The CKAD curriculum explicitly includes pod troubleshooting, and logs are the first step in that process.

The CKA (Certified Kubernetes Administrator) exam also covers logs in the context of cluster maintenance and node troubleshooting, such as viewing kubelet logs or container runtime logs. The CKS (Certified Kubernetes Security Specialist) exam covers log auditing for security purposes, including how to configure audit policies and collect logs for forensic analysis. In all these exams, questions about logs emphasize practical command usage, log rotation settings, and understanding of the ephemeral nature of logs in Kubernetes.

Simple Meaning

Think of a container as a small, self-contained box that holds everything your application needs to run. When the application runs inside that box, it talks to you by writing messages to a kind of diary. That diary is the container log.

Every time the application starts, stops, processes a request, or hits a problem, it can write a line in that diary. You can look at the diary later to understand what happened. For example, if your application is a web server, the log might show every visitor that came to your site, what time they arrived, and whether the server was able to serve them the page they wanted.

If something goes wrong, like a crash or a slow response, the log will often contain error messages or warnings that tell you what broke. In a building, a security guard might keep a logbook of everyone who enters and leaves. Container logs work the same way: they record the comings and goings of requests and events inside the container, so you can review them later for troubleshooting, auditing, or performance analysis.

Full Technical Definition

Container logs are the standard output (stdout) and standard error (stderr) streams generated by the main process running inside a container. Container runtimes, such as Docker, containerd, or CRI-O, capture these streams and make them accessible via commands like docker logs or kubectl logs. The container runtime writes the output to a file on the host filesystem, typically in JSON or text format, with each line representing a log entry. In Kubernetes, the kubelet on each node is responsible for managing container logs. By default, the kubelet rotates log files to prevent them from consuming all disk space, and it stores them in a configurable directory, often /var/log/pods/. The kubelet also implements a log rotation policy based on file size and number of retained files.

For centralized log management in production environments, organizations deploy logging agents (such as Fluentd, Logstash, or Filebeat) that read these log files from each node and forward them to a central log storage system like Elasticsearch, Splunk, or a cloud logging service. These agents parse, filter, and structure the raw log data, making it searchable and analyzable at scale. Container logs can include structured formats like JSON, which allows for more efficient filtering and querying. Kubernetes also supports sidecar containers for logging: a second container in the same pod that reads the logs from the application container and sends them to a remote service or processes them further.

The Open Container Initiative (OCI) does not specify a standard for log handling, but the Docker logging driver architecture has become a de facto standard. Docker supports multiple logging drivers, including json-file, syslog, journald, and fluentd. Each driver determines how and where the log data is sent. In Kubernetes, logs are ephemeral by default: when a pod is deleted, its logs are removed unless configured with a persistent volume. The Container Runtime Interface (CRI) standard includes log management as part of its specification, ensuring that different runtimes present logs in a consistent way.

Real-Life Example

Imagine you are the manager of a busy airport. Each airplane that lands or takes off is like a container. The pilot (the application) communicates with the control tower (the container runtime) by sending messages over the radio.

Those radio communications are recorded in a logbook by the tower operator. If a flight encounters turbulence or a mechanical issue, the pilot reports it, and the tower writes that down. Later, if there is an incident, you can go back to the logbook to see exactly what was said and when.

That logbook is your container log. Now, suppose you manage fifty flights (containers) per hour. Reading each logbook by hand is impossible. So you install a central recording system that captures all radio transmissions and stores them in a searchable database.

This is like a centralized logging system. If a passenger complains about a delay, you can search the logs for that specific flight number and time to find out what happened. Just as airports use logs for safety and operations, IT teams use container logs for debugging and monitoring.

Without logs, you would have no record of what happened inside the container, making it nearly impossible to find the root cause of failures.

Why This Term Matters

Container logs matter because they are often the only source of truth about what happened inside a container at a specific moment. In a production environment, containers can be created, restarted, and destroyed automatically. If an application crashes, you may lose access to its internal state, and the logs become the sole record of the events leading up to the failure.

Logs are essential for debugging application errors, tracking down performance bottlenecks, and understanding user behavior. They also play a critical role in security auditing: if a container is compromised, logs can show unauthorized access attempts or unusual command execution. Centralized logging enables DevOps and SRE teams to aggregate logs from hundreds or thousands of containers, search them quickly, and set up automated alerts for conditions like repeated error messages or unusual spikes in traffic.

Without proper log management, diagnosing issues in a microservices architecture becomes nearly impossible. Additionally, compliance requirements like PCI DSS or HIPAA often mandate that logs be preserved for a certain period and be tamper-proof. Understanding how to configure, access, and manage container logs is a fundamental skill for any IT professional working with containers.

How It Appears in Exam Questions

In CKAD exam questions, you will often see scenario-based tasks such as: You have a pod named web-app in the default namespace. The application is not responding to HTTP requests. Use the appropriate command to view the recent logs and identify the error.

You must know that kubectl logs podname is the correct command, and that you can use the --tail flag to see only the last N lines or --follow to stream logs in real time. Another common question format involves a multi-container pod where only one container is failing. You will need to specify the container name with the -c flag: kubectl logs podname -c container-name.

Some questions ask you to troubleshoot a pod that is in CrashLoopBackOff status. You must use kubectl logs --previous to view logs from the previous, terminated container instance, because the current instance may have no logs yet. You may also be asked to set up a logging agent as a DaemonSet to collect logs from all nodes, or to configure log rotation parameters in the kubelet configuration.

In CKA exams, you might need to access logs on the node level for system components like kubelet, using journalctl -u kubelet. The exam may also present a scenario where disk space is filling up due to unrotated logs, and you must configure log rotation or increase node disk capacity. Security-focused exam questions might give you a suspicious log entry and ask you to determine whether a container was compromised, requiring you to search for patterns like reverse shell commands or unexpected outbound connections.

Study cncf-ckad

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a developer managing a small e-commerce website deployed as a container in a Kubernetes cluster. Your team receives complaints that users cannot add items to their shopping cart. The pod is running and not crashing, but the feature is broken.

You decide to check the container logs. You run kubectl logs <pod-name> and see repeated error messages saying database connection refused. The log shows that the application tried to connect to the database at the wrong IP address.

You realize the environment variable for the database host was misspelled in the deployment configuration. You correct the variable, redeploy the pod, and the application starts working. The logs helped you pinpoint the exact cause without having to restart the container or guess blindly.

This scenario shows how container logs directly help you find configuration mistakes, network issues, and application bugs.

Common Mistakes

Thinking kubectl logs shows logs from all containers in a pod automatically.

If a pod has multiple containers, kubectl logs without the -c flag returns an error. You must specify which container you want to see.

Always use kubectl logs podname -c containername when the pod has more than one container.

Assuming logs are persisted after a pod is deleted.

Container logs are stored on the node where the pod ran. When the pod is deleted, the log files are removed. They are ephemeral.

Use a centralized logging solution like Fluentd to forward logs to persistent storage.

Using docker logs instead of kubectl logs in a Kubernetes cluster.

While docker logs works on the node level, Kubernetes abstracts the container runtime. kubectl logs is the correct and consistent command across different runtimes.

Always use kubectl logs for Kubernetes pods. Reserve docker logs for debugging on the node itself when necessary.

Forgetting to use --previous when a pod has restarted and you need old logs.

When a pod is in CrashLoopBackOff, the current container may have just started and has no useful logs. The previous instance's logs contain the crash information.

Use kubectl logs podname --previous to view logs from the last terminated container.

Assuming all log output goes to stdout and stderr.

Some applications write logs to files inside the container instead of standard streams. Kubernetes does not capture file-based logs by default.

Configure your application to write logs to stdout, or use a sidecar container to tail the log file and output it to stdout.

Exam Trap — Don't Get Fooled

The exam shows a pod with two containers and asks you to view logs from the container named 'app'. The candidate runs kubectl logs podname without specifying the container name. Always read the pod YAML or question details to see how many containers are present.

If more than one, use the -c flag. In the exam, use kubectl describe pod to confirm container names before running logs.

Commonly Confused With

Container LogsvsApplication Logs

Application logs are the logs generated by the application code itself, which may be written to files or external services. Container logs specifically refer to the stdout and stderr streams captured by the container runtime, regardless of where the application intended to send them.

An application that writes logs to /var/log/app.log is producing application logs. But if that file is not redirected to stdout, container logs will not capture it.

Container LogsvsNode Logs

Node logs are logs from the operating system and system services on the Kubernetes node, such as kubelet or the container runtime process. Container logs are specific to the applications running inside containers on that node.

If you run journalctl -u kubelet on the node, you see node logs. If you run kubectl logs podname, you see container logs.

Container LogsvsAudit Logs

Audit logs in Kubernetes record API server requests for security and compliance, such as who created a pod. Container logs record what the application inside the pod did. They serve different purposes and are collected separately.

An audit log shows that user Alice created a pod at 10:00 AM. The container log for that pod shows that the application crashed at 10:01 AM.

Container LogsvsEvent Logs

Kubernetes events are objects that record cluster-level changes like scheduling decisions or pod health transitions. Container logs are application output. Events are viewed with kubectl get events, not kubectl logs.

A Kubernetes event might say 'pod scheduled to node-1'. A container log might say 'error connecting to database'.

Step-by-Step Breakdown

1

Application Writes to stdout or stderr

The application running inside the container prints log messages to its standard output or standard error streams. This is the raw data that will become container logs.

2

Container Runtime Captures Streams

The container runtime (like Docker or containerd) captures these two streams and writes them to a log file on the host node. The runtime adds timestamps and metadata.

3

Log File Stored on Node

The log file is stored on the host filesystem, typically in /var/log/pods/ for Kubernetes. The kubelet manages the directory structure, organizing files by namespace and pod name.

4

Kubelet Handles Log Rotation

The kubelet rotates log files when they reach a certain size or age, deleting old files to free disk space. This prevents a single container from filling up the node's disk.

5

User or Agent Retrieves Logs

A user can retrieve logs using kubectl logs, which reads the log file from the node. Alternatively, a logging agent running as a DaemonSet reads the files and forwards them to a central system.

6

Centralized Logging System Stores and Indexes

In production, logging agents send the logs to a system like Elasticsearch or a cloud logging service. The system indexes the logs, making them searchable by time, pod name, or message content.

Practical Mini-Lesson

Container logs are the foundation of observability in Kubernetes. To work with them effectively, you must first ensure your application writes logs to stdout. Many developers mistakenly write logs to files, which Kubernetes does not capture by default.

Configure your logging library to output to stdout, or use a sidecar container that reads the log file and writes it to stdout. In production, you should never rely solely on kubectl logs for debugging because logs are ephemeral. Deploy a centralized logging stack.

A common setup is the EFK stack: Elasticsearch for storage and indexing, Fluentd as the log collector, and Kibana for visualization. Fluentd runs as a DaemonSet on each node, tailing the container log files and sending them to Elasticsearch. You can also configure Fluentd to parse structured logs like JSON for better querying.

Another approach is to use a managed cloud logging service such as AWS CloudWatch Logs or Google Cloud Logging, which integrate directly with Kubernetes. In terms of troubleshooting, always start with kubectl logs when a pod is behaving unexpectedly. Use --tail to limit output, and combine with grep or the --since flag to find relevant entries.

For pod crashes, use --previous to get the crash logs. Remember that logs can contain sensitive information; never expose raw logs to unauthorized users. Implement log redaction if necessary.

Disk space management is also critical. Monitor node disk usage and configure log rotation properly using the kubelet configuration file or the --container-runtime-endpoint flag. In cluster administration, you might need to clean up old logs manually using the node's filesystem tools.

Understanding container logs is not just about reading output; it is about building a system that captures, stores, searches, and alerts on that output efficiently.

Memory Tip

In Kubernetes, logs come from stdout and stderr, not from files. Remember: If your app writes to a file, Kubernetes is in the dark.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

How do I view logs from a pod that has already crashed?

Use kubectl logs <pod-name> --previous to see the logs from the last terminated container. This works even if the pod has restarted multiple times.

Can I see logs from all containers in a pod at once?

Yes, since Kubernetes 1.14, you can use kubectl logs <pod-name> --all-containers to stream logs from every container in the pod.

Where are container log files stored on the node?

By default, they are stored in /var/log/pods/<namespace>_<pod-name>_<pod-uid>/<container-name>/ on the node running the pod.

How do I stream logs in real time?

Use the --follow flag: kubectl logs <pod-name> --follow. This is equivalent to tail -f and shows new log lines as they appear.

What happens to logs when a pod is deleted?

The log files are deleted along with the pod, unless you have configured persistent logging or a centralized log collection system.

Why can I not mount a volume to see logs from the host?

You can mount a hostPath volume, but this is not recommended for production because it ties the pod to a specific node. Use a logging agent instead.

How do I configure log rotation in Kubernetes?

Log rotation is handled by the kubelet. You can configure it by setting the containerLogMaxSize and containerLogMaxFiles fields in the kubelet configuration file.

Summary

Container logs are the recorded output of applications running in containers, captured from the standard output and standard error streams. They are essential for troubleshooting application issues, monitoring system health, and conducting security audits. In Kubernetes, you access logs primarily through kubectl logs, but you must be aware that logs are ephemeral and only captured from stdout and stderr.

For production systems, always set up centralized logging to preserve logs across pod restarts and deletions. In certification exams like CKAD and CKA, you will be tested on practical commands, multi-container pods, crash loop handling, and log rotation configuration. The most common mistakes include forgetting the -c flag for multi-container pods, using docker logs in a Kubernetes context, and neglecting the --previous flag for crashed pods.

Master these commands and concepts to handle any logging scenario on the exam and in real-world Kubernetes administration.