Why we built DockLog native apps
Android, Windows, and Linux clients for the server you already host, live logs, K8s pods, controls, and notifications without SSH or a mobile browser.
The web UI was enough until someone tried to tail prod from a phone.
Mobile Safari plus WebSockets plus a self-signed homelab cert is a bad evening. SSH with Termius works if you enjoy pinching a terminal. We kept getting the same request: can I get logs without logging into the server?
So we shipped native clients, not a hosted SaaS, but apps that talk to your DockLog instance with the same login, same RBAC, same live streams.
What the apps are (and aren't)
There is no DockLog cloud account. You run aimldev/docklog:latest on your VPS, homelab, or office machine. The app stores your server URL and credentials on the device, connects over HTTP or HTTPS, and authenticates with JWT like the browser.
We don't see your logs. No Firebase relay, no analytics SDKs in the binary, no crash reporter phoning home. Traffic goes straight to your box. Read the app privacy policy if you need the full list.
Requires server v1.0.0 or newer. The app is at v1.0.1 today, desktop builds on GitHub releases.
The apps are clients, not a second product. Every feature maps to an API the server already exposes. When we add server-side capabilities (multi-host, email alerts), the apps inherit them after an update on both sides.
Where to get it
| Platform | Status | Install |
|---|---|---|
| Android | Available | Google Play, Android 8+ |
| Windows | Available | ZIP on GitHub, unzip, run docklog.exe |
| Linux (amd64) | Available | .deb or AppImage |
| iOS | Coming soon | Web UI in Safari until App Store build ships |
| macOS | Not yet | Browser for now |
Full walkthrough: docklog.dev/app/docs. Product page: docklog.dev/app.
Why we bothered: feature by feature
Live logs on a small screen
Open a container from the dashboard, watch stdout/stderr over WebSocket, same feed as the web UI, not a cached export. If the connection drops, the app retries.
In the log view you can:
- Filter with a search box (
error, a path, a request ID) - Scroll up and load older lines in batches
- Pause the stream to read, then jump back to the live edge
- See level highlighting for errors, warnings, and HTTP 4xx/5xx
- Set buffer size in Preferences (100–5000 lines in memory)
On a phone, pause plus search is the workflow you actually use during an incident. Raw tail-only without pause is unreadable on a 6-inch screen in a moving car.
Multiple servers saved
Prod, staging, homelab, add each once under Connect Server, switch without retyping passwords. Credentials live in Android Keystore or iOS Keychain where the platform supports it.
Agency setups often save five or six client servers. Naming matters: client-a-prod beats server 3. Match whatever you use in RBAC patterns on the server side.
Container actions with the same RBAC
Start, stop, restart, delete, only when your DockLog user has the right can_* flags and the server has the matching ALLOW_* gate enabled. Same rules as the browser. Greyed-out buttons usually mean the server gate is off, not a bug.
We did not build a bypass around server policy. If restart is disabled for your user on the web, it stays disabled in the app.
Kubernetes and hybrid hosts
v1.0.1 added pod logs and hybrid Docker/K8s dashboards when the server runs RUNTIME_MODE=kubernetes or both. Tail pods from the app if your allowed_containers patterns allow it. Server needs K8s mode configured, see K8s blog post.
Hybrid mode is useful when staging runs on k3s and legacy prod stays on Compose. One app login, two runtimes. Kubernetes monitoring guide explains when that setup makes sense.
Host metrics
CPU and memory charts on the server, 1H through 24H ranges, same data the web UI shows.
Metrics help you decide whether to restart or keep tailing. A spike before a health failure often shows up here before the log line you are hunting.
Log export
Pull logs off a container from the app when you need to attach something to a ticket or email.
Export respects the same RBAC scope as tailing. You cannot export prod logs from a staging-scoped user.
Notifications (and what we didn't build)
Docker events (start, stop, die, health_check fail) arrive over the same WebSocket as the web UI. App in foreground: toast. App backgrounded on Android: normal OS notification if you granted permission.
Important: this is not push from DockLog's cloud. No Firebase Cloud Messaging, no relay we operate. Your phone keeps a WebSocket open to your server while the OS allows it. Force-quit the app and alerts stop until you open it again. That's intentional, your infra, your connection.
On Android 13+ you must allow notifications in system Settings the first time. If you denied it, fix it in Settings; the app can't re-prompt from inside.
Configure which Docker events ping you under Preferences in the app.
For log-pattern alerts (not just Docker events), set rules on the server and route to Slack. The app complements that for container lifecycle noise. Alert setup.
App lock
Optional PIN or biometrics before the dashboard opens. Useful on a phone other people might pick up. The OS handles Face ID / fingerprint; we only get pass/fail.
App lock is separate from DockLog login. Both can be on: biometric to open the app, then JWT session to the server.
Preferences
Light / dark / follow system, dashboard refresh interval, notification filters, same spirit as the web UI, tuned for mobile.
Network and battery expectations
The app holds a WebSocket while you tail logs or leave the dashboard open. That costs battery on cellular, same as any live dashboard.
Practical tips:
- Pause tail when you are not actively reading
- Use Wi-Fi for long tail sessions on homelab LAN
- Close the app when you are done; background WebSocket is throttled on modern Android anyway
- For intermittent checks, rely on server-side alerts to Slack and open the app only when paged
We are not trying to keep a 24/7 background connection. That would require a cloud relay, which we explicitly avoided.
Who it's for
- On-call who isn't near a laptop
- Agency owner handing a client log access without teaching SSH
- Anyone who already runs DockLog with auth and wants the pocket version
- Desktop users who want a dedicated window without keeping a browser tab open
It's not a replacement for the server. You still deploy DockLog on the host. The app is a client.
It is also not a replacement for K9s or stern on a platform engineer laptop. Those tools need kubeconfig local. The app needs a DockLog server with RBAC. DockLog vs K9s compares the tradeoffs.
Setup walkthrough
If the web UI works in a browser on your laptop, the app will work.
1. Run DockLog
Compose example or the getting started guide. Auth on, DB_PATH set, for anything past your LAN.
2. Confirm in a browser
Open your URL on a laptop, sign in. Or try the public demo linked from docklog.dev/app.
3. Install the client
Android from Play Store. Windows from the ZIP. Linux from .deb or AppImage.
4. Connect Server
Tap + or Connect Server. Fields:
| Field | What to put |
|---|---|
| Connection name | Label you'll recognize, prod, homelab |
| Server URL | Full base URL, https://docklog.example.com or http://192.168.1.100:8888 on LAN |
| Username / password | Same as web UI. Blank only if you run without auth (not recommended on the internet) |
5. Advanced settings (when defaults fail)
- Connection timeout, 3–60s, default 60
- Skip TLS verification, self-signed cert on trusted LAN only
- Resolve host to IP, dial a fixed IP but keep hostname in URL for SNI
- Custom HTTP headers, Cloudflare Access, tailscale funnel, etc.
Example headers for Cloudflare Access:
CF-Access-Client-Id: your-client-id
CF-Access-Client-Secret: your-client-secret6. Tail and go
Dashboard lists containers with live CPU/memory. Tap one for the log stream.
LAN vs public internet
On Wi‑Fi at home, point the phone at the server's LAN IP, http://192.168.1.100:8888, not 127.0.0.1. Phone and server must be on the same network.
On the internet, use HTTPS behind nginx or Caddy. Forward /api and /ws with WebSocket upgrade headers or logs connect and freeze after ~60 seconds. Full nginx block in the reverse proxy post.
Self-signed on a trusted LAN: Advanced Settings → skip TLS verification. Don't do that on a public host.
Tailscale and similar VPNs work well: install Tailscale on the phone and server, connect to the Tailscale IP, keep TLS verification on if you use a real cert on the hostname.
When it breaks
Can't reach server, wrong URL, firewall, DockLog not running, or phone on cellular while server is LAN-only.
Logs won't stream, proxy missing Upgrade and Connection headers. Fix nginx, not the app.
Certificate errors, cert hostname doesn't match how you're connecting. Try resolve host to IP with hostname still in the URL.
No notifications, OS permission denied, app force-stopped, or event filters off in Preferences.
Empty container list, allowed_containers too narrow for this user, or wrong saved server selected.
Stale session, remove the server and add it again, or log out and back in.
More: app docs troubleshooting.
Compared to the browser and other tools
The web UI is fine on desktop. We still use it on Mac. Native wins on phones, a dedicated desktop window, OS-level lock, and background notifications.
Most Docker log viewers are web-only. We wanted tail + RBAC + your server on Android without a terminal emulator. That's the gap the apps fill.
What's next
iOS App Store build in progress. macOS native client on the list. Server features (multi-host, email alerts) land in the main product first, apps pick them up as the API grows.
- App bugs: github.com/dockloghq/docklog-mobile/issues
- Server issues: github.com/dockloghq/docklog
- Support: support@docklog.dev
If you already run DockLog for the team, install the app and see if it saves you one SSH hop this week.
For the broader picture on logs and metrics, see self-hosted container monitoring.