Dozzle vs Graylog: Docker Log Viewing Compared

By Alex Thornton logging Updated:

Dozzle Is a Log Viewer — Graylog Is a Log Platform

Dozzle streams Docker container logs in real-time to your browser. Graylog collects, indexes, searches, and alerts on logs from any source. They solve fundamentally different problems at vastly different scales, but both show up when someone searches “self-hosted log management.” Understanding which one you need saves you from either over-engineering a homelab or under-equipping a production stack.

Updated March 2026: Verified with latest Docker images and configurations.

Feature Comparison

FeatureDozzleGraylog
Primary functionReal-time log viewerCentralized log management
Log storageNone (streams from Docker)Full indexing (DataNode/OpenSearch)
SearchSQL-like queries (DuckDB)Full-text search + filters
AlertingNoYes (conditions, email, Slack, webhooks)
DashboardsContainer stats onlyCustom dashboards + widgets
Log sourcesDocker containers onlySyslog, GELF, Beats, TCP/UDP, Docker
Multi-hostYes (remote agents on port 7007)Yes (log forwarders)
AuthenticationFile-based (users.yml)LDAP, SSO, local users
Log retentionNone (volatile)Configurable (days/GB)
Parsers/extractorsNoYes (regex, JSON, key-value)
Pipeline rulesNoYes (processing pipelines)
Idle RAM~50–100 MB~4 GB minimum
Container count13 (Graylog + DataNode + MongoDB)
Docker image size7 MB~1.5 GB (combined stack)
LicenseMITSSPL (Server Side Public License)

Installation Complexity

Dozzle is one container with zero configuration:

services:
  dozzle:
    image: amir20/dozzle:v10.1.2
    container_name: dozzle
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - "8080:8080"
    restart: unless-stopped

Mount the Docker socket read-only, expose a port, and you’re done. No database, no configuration file, no initial setup wizard. Logs appear in your browser immediately.

Graylog requires three services, a host kernel parameter change, and password hashing:

services:
  mongodb:
    image: mongo:8.0
    container_name: graylog-mongodb
    restart: unless-stopped
    volumes:
      - mongodb-data:/data/db

  datanode:
    image: graylog/graylog-datanode:7.0.5
    container_name: graylog-datanode
    restart: unless-stopped
    environment:
      GRAYLOG_DATANODE_NODE_ID_FILE: /var/lib/graylog-datanode/node-id
      GRAYLOG_DATANODE_PASSWORD_SECRET: "at-least-16-characters-long-secret"
      GRAYLOG_DATANODE_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    volumes:
      - datanode-data:/var/lib/graylog-datanode

  graylog:
    image: graylog/graylog:7.0.5
    container_name: graylog
    restart: unless-stopped
    depends_on:
      - mongodb
      - datanode
    environment:
      GRAYLOG_PASSWORD_SECRET: "at-least-16-characters-long-secret"
      GRAYLOG_ROOT_PASSWORD_SHA2: "<sha256-hash-of-admin-password>"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    ports:
      - "9000:9000"       # Web UI
      - "12201:12201/udp" # GELF UDP
      - "5140:5140/udp"   # Syslog
    volumes:
      - graylog-data:/usr/share/graylog/data

volumes:
  mongodb-data:
  datanode-data:
  graylog-data:

You also need vm.max_map_count=262144 on the host for DataNode, and the admin password must be SHA-256 hashed:

echo -n "your-admin-password" | sha256sum | cut -d' ' -f1

First startup shows a preflight check page before the dashboard is available.

Performance and Resource Usage

ResourceDozzleGraylog
Idle RAM50–100 MB3–4 GB
Disk (application)7 MB~1.5 GB
Disk (data)0 (no storage)Grows with log volume
CPU usageMinimal (event-driven SSE)Moderate (indexing, search)
Startup time<1 second30–60 seconds
Suitable hardwareRaspberry PiDedicated server or 4 GB+ VPS

Dozzle uses almost nothing because it does almost nothing — it reads from the Docker socket and streams to your browser. Graylog indexes every log line into DataNode’s search engine, which requires substantial memory and disk.

For a homelab with 10–20 containers, Dozzle is the right scale. For a production environment ingesting logs from multiple servers, applications, and network devices, Graylog’s indexing and search capabilities justify the resource cost.

When to Use Both

Many setups run Dozzle alongside a log aggregator. Dozzle handles quick, real-time debugging (“what is this container doing right now?”) while Graylog handles historical analysis and alerting (“what happened at 3 AM last Tuesday?”). They don’t conflict — Dozzle reads from the Docker socket, Graylog receives forwarded logs.

Use Cases

Choose Dozzle If…

  • You want to see Docker container logs in real-time without leaving your browser
  • You don’t need log retention — checking current logs is enough
  • Your server has limited RAM and you can’t spare 4 GB for a log stack
  • You manage a homelab with a few dozen containers
  • You want zero setup — one container, no configuration

Choose Graylog If…

  • You need to search historical logs across multiple servers
  • You need alerting on log patterns (errors, security events, anomalies)
  • You ingest logs from non-Docker sources (Syslog, network devices, applications)
  • You need log parsing, extraction, and processing pipelines
  • You run a production environment where log retention is a requirement

Final Verdict

The practical choice depends entirely on your scale. Dozzle is a log viewer — it shows you what’s happening now in your Docker containers, using 50 MB of RAM with no setup. Graylog is a log platform — it stores, indexes, searches, and alerts on logs from any source, but needs 4 GB of RAM and a three-container stack. For homelabs, Dozzle. For production infrastructure, Graylog. For both workloads on the same server, run both.

FAQ

Can Dozzle store logs for later analysis?

No. Dozzle streams logs in real-time from the Docker socket and does not persist them. When you close the browser tab, the logs are gone. For retention, you need Graylog, Loki, or Docker’s logging drivers.

Can Graylog collect Docker container logs?

Yes. Use the GELF logging driver in Docker (--log-driver=gelf --log-opt gelf-address=udp://graylog:12201) or forward logs via Promtail/Fluent Bit to Graylog’s inputs.

Is Graylog’s SSPL license a concern?

SSPL prohibits offering Graylog as a managed service (SaaS). For self-hosting your own logs, it’s functionally identical to open source. It only restricts cloud providers who would resell Graylog as a hosted product.

Does Dozzle work with Docker Swarm or Kubernetes?

Dozzle supports Docker Swarm mode with multi-host agents. It does not support Kubernetes — use Grafana Loki or the Kubernetes dashboard for K8s log viewing.

What’s DataNode in the Graylog stack?

DataNode replaced standalone Elasticsearch/OpenSearch in Graylog 7.0+. It’s Graylog’s integrated search backend — simpler to deploy and configured automatically.

Related Articles

compare

Dozzle vs Portainer: Docker Log Viewing Compared

Dozzle vs Portainer for Docker container log viewing — dedicated log streamer vs full management platform compared on fe...

compare

Graylog vs Elasticsearch: Log Management Compared

Graylog vs Elasticsearch compared for self-hosted log management — architecture differences, resource requirements, quer...

compare

Loki vs Graylog: Which Log Platform to Self-Host?

Loki vs Graylog: Loki is lightweight with label-based indexing. Graylog offers full-text search with enterprise features...

apps

How to Self-Host Dozzle with Docker Compose

Set up Dozzle for real-time Docker container log viewing with multi-host support, authentication, and SQL-based log quer...

apps

How to Self-Host Graylog with Docker Compose

Deploy Graylog 7.0 with Docker Compose for centralized log management — complete setup with DataNode, MongoDB, alerting,...

replace

Self-Hosted Alternatives to Loggly

Best self-hosted alternatives to SolarWinds Loggly for centralized log management. Run Graylog, Loki, or Dozzle on your ...

Read Next Dozzle vs Portainer: Docker Log Viewing Compared

Comments