Parse docker logs with logstash

I have a docker container that log to stdout/stderr. Docker save it’s output into /var/lib/docker/containers//-logs.json

The log has lines with the following structure

  • How to compile C code that is using kernel function in docker and use pci device in container?
  • Client cannot connect (https) to WebSocket server through nginx reverse proxy
  • Why does docker container prompt “Permission denied”?
  • How to setup redis/sentinel replication/monitoring with docker on separate docker machines?
  • Django Docker settings with link and enviroment
  • run docker after setup network
  • {"log":"This is a message","stream":"stderr","time":"2015-03-12T19:27:27.310818102Z"}

    which input/codec/filter should I use to get only the log field as the message ?


  • Does Docker support SO_REUSEPORT for kernel 3.9+?
  • Port-forwarded Rails app in Docker seems to cause CSRF exception
  • Inserting a conditional RUN statement inside a dockerfile
  • Dockerode : run omxplayer command
  • Should I add the reverse proxy in the same container as the application on docker?
  • how to setup continuos deployment from docker-hub to AWS ECS?
  • One Solution collect form web for “Parse docker logs with logstash”

    Use the json codec to parse the JSON string (you could instead use the json filter), then rename the “log” field to “message” with the mutate filter and finally use the date filter to parse the “time” field.

    filter {
      mutate {
        rename => ["log", "message"]
      date {
        match => ["time", "ISO8601"]
        remove_field => ["time"]
    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.