DockLog vs Lazydocker
Lazydocker for you on SSH. DockLog when the team needs a URL, permissions, and a phone.
Lazydocker is what you want when you're already SSH'd in and something's on fire. Jesse Duffield's TUI, v0.25.x in 2026, gives you compose-aware panels, log streams, ASCII CPU/memory graphs, attach/exec, restart/rebuild/prune, and custom Go-template commands. All one keypress away. ~50k GitHub stars for a reason.
DockLog is for when the problem stops being "I need logs" and starts being "three other people need logs too, and one of them is on a phone."
What Lazydocker wins at
- Zero server deploy, install the binary, run it, quit
- Fastest path from "something broke" to
logs -ffor one operator who lives in the terminal - No HTTP listener on the host, no TLS, no reverse proxy configuration
- Compose project detection in v0.25, panels hide when you're not in a compose directory
- Can target remote daemons via
DOCKER_HOST
Keep it installed. We still reach for it on boxes we own.
Where DockLog fits
Access without shell accounts
Lazydocker runs as whoever invoked it, usually full docker group access to every container. DockLog runs as a service with named users. client@example.com gets acme-* and nothing else. No UNIX account, no lecture about socket group membership.
Two-layer action safety
Server ALLOW_DELETE=false removes delete from the UI for everyone. Per-user can_restart=true lets on-call restart without delete. Contractors get read-only tails. Lazydocker has no delegated least-privilege model.
Audit when it wasn't you
Restarts, stops, shell sessions, logged to SQLite in auth mode. "Who killed the worker?" has an answer that isn't grepping bash history.
Alerts when you're not watching
Log line match, container die, health check fail, CPU spike, rules with scope and throttling to Slack or Teams. Lazydocker only helps if you're staring at the TUI.
Kubernetes
RUNTIME_MODE=kubernetes or both, pod logs, deployments, services, HPAs, cluster events. Lazydocker is Docker-only. If you also run k3s on the same VPS, see DockLog vs K9s for the cluster side of that story.
Native apps
Lazydocker has no answer for "tail prod from my pocket without SSH." We ship Android, Windows, and Linux clients:
| Lazydocker | DockLog | |
|---|---|---|
| Phone access | SSH + tiny terminal | Android app |
| Desktop client | Terminal | Windows + Linux native |
| Credentials on device | SSH keys | JWT in Keychain/Keystore |
| Background alerts | None | OS notifications |
| Share with PM/client | Screen share / tmux | URL + login |
| Per-user container scope | Same UNIX user = same access | allowed_containers per account |
Always-on vs SSH session
Lazydocker dies when you close the terminal. DockLog stays up, bookmark, app, or wiki link. New hire day one: credentials, not "here's how to tmux attach."
Real scenarios
Scenario: solo dev, one VPS, you own the box
You SSH in, run lazydocker, tail the API, restart the worker, done. No DockLog required unless you want alerts while you sleep. This is Lazydocker's sweet spot.
Scenario: agency VPS, three clients on one host
Client A's contractor must not see Client B's redis. Lazydocker on a shared UNIX account is all-or-nothing. DockLog gives each person a login and allowed_containers patterns like acme-* vs beta-*. When someone restarts prod, the audit log answers who.
Scenario: on-call at dinner
Lazydocker needs an SSH session and a terminal that fits on a phone. DockLog's Android app tails with pause/catch-up, local notifications on container die, credentials in the device keystore. Details in why we built native apps.
Scenario: PM wants to "see if it's working"
Screen-sharing a TUI over Zoom is painful. Send a read-only DockLog URL scoped to staging-*. They never touch SSH.
Decision table: which tool for this job?
| Situation | Pick |
|---|---|
| You are SSH'd in, incident in progress | Lazydocker |
| Contractor needs staging logs, no shell | DockLog |
| Need audit trail for restarts/shells | DockLog |
| Compose rebuild from TUI | Lazydocker |
| Alerts to Slack when container OOMs | DockLog |
| Kubernetes pod logs | DockLog (RUNTIME_MODE=kubernetes) |
| Zero HTTP surface on host | Lazydocker |
| Phone tail without VPN + SSH | DockLog app |
Config examples
Lazydocker: remote daemon over SSH
Point at a remote socket without installing anything server-side:
export DOCKER_HOST=ssh://user@prod.example.com
lazydockerGreat for one operator. Bad for sharing with five people who shouldn't all have SSH keys.
DockLog: minimal compose with auth and scoping
services:
docklog:
image: aimldev/docklog:latest
ports:
- "127.0.0.1:8888:8000"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- docklog-data:/data
environment:
DB_PATH: /data/docklog.db
SECRET_KEY: ${SECRET_KEY}
ALLOW_RESTART: "true"
ALLOW_DELETE: "false"
ALLOW_SHELL: "false"Add users in Admin with allowed_containers: staging-* and can_restart: true for on-call only. Full RBAC patterns: RBAC guide.
DockLog: hybrid Docker + k3s on one metal
environment:
RUNTIME_MODE: both
KUBECONFIG: /app/kube/config
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ~/.kube/config:/app/kube/config:roOne login for compose containers and cluster pods. Lazydocker has no equivalent.
The combo that works
| Who | Tool |
|---|---|
| You, SSH'd in, moving fast | Lazydocker |
| Team, clients, on-call, mobile | DockLog |
You're not trading Lazydocker's lightness for a Loki stack. One DockLog image, optional SQLite, mount the socket.
docker run -d \
--name docklog \
-p 8888:8000 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v docklog-data:/data \
-e DB_PATH=/data/docklog.db \
aimldev/docklog:latestPublic URL needs HTTPS and WebSocket upgrade on /api and /ws. Lazydocker never cared about that; shared access always will. Proxy guide.
Troubleshooting
"Lazydocker shows containers I shouldn't touch"
That's the UNIX user model. Anyone in the docker group sees everything. Fix is either separate hosts, separate Docker contexts, or a tool with per-user scoping like DockLog.
"DockLog WebSocket disconnects behind nginx"
Check proxy_http_version 1.1, Upgrade and Connection headers, and idle timeouts. WebSocket tails die silently when a proxy closes idle connections at 60s. See reverse proxy notes.
"Team wants Lazydocker but also wants alerts"
Lazydocker won't page you. Add DockLog (or another alert path) for async signals. Many teams run both: Lazydocker for the person with SSH, DockLog for everyone else and for notifications.
"Contractor restarted prod from Lazydocker"
No audit trail unless you enabled Docker daemon audit logging separately. DockLog records UI actions in SQLite when DB_PATH is set.
When to pick which
Pick Lazydocker when:
- You are the only operator and you already have SSH
- You want zero new services on the host
- Rebuild, prune, and attach from a keyboard-driven TUI matter more than sharing access
- You do not need Kubernetes or mobile tails
Pick DockLog when:
- More than one human needs log access without shell accounts
- Per-container scoping, audit, or action gates are non-negotiable
- On-call needs phone access or Slack/Teams alerts
- Docker and Kubernetes share the same permission model
Pick both when:
- You keep Lazydocker for your own SSH sessions and DockLog for the team. Common on agency VPS setups. Portainer users sometimes do the same split; see DockLog vs Portainer.