Parse docker logs with logstash

I have a docker container that logs to stdout/stderr. Docker saves its output into /var/lib/docker/containers//-logs.json

The log has lines with the following structure

    {"log":"This is a message","stream":"stderr","time":"2015-03-12T19:27:27.310818102Z"}

Which input/codec/filter should I use to get only the log field as the message?


One solution collected from the web for “Parse docker logs with logstash”

Use the json codec to parse the JSON string (you could instead use the json filter), then rename the “log” field to “message” with the mutate filter and finally use the date filter to parse the “time” field.

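    filter {
      # Move the container's output line into the standard "message" field.
      mutate {
        rename => ["log", "message"]
      }
      # Use Docker's own timestamp as the event time, then drop the raw field.
      date {
        match => ["time", "ISO8601"]
        remove_field => ["time"]
      }
    }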
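
As an added example (not part of the original answer and not Logstash code), the Python below mirrors what the pipeline above does to each line of the log file, including the case of a line that is not valid JSON. The sample lines are constructed, `parse_time` and `to_event` are hypothetical names, and stripping the trailing newline is an extra step the answer's filter does not perform.

```python
import json
from datetime import datetime, timezone

# Constructed sample lines in the layout shown in the question.
SAMPLE_LINES = [
    '{"log":"This is a message\\n","stream":"stderr","time":"2015-03-12T19:27:27.310818102Z"}',
    '{"log":"second line\\n","stream":"stdout","time":"2015-03-12T19:27:28Z"}',
    'not json at all',
]


def parse_time(value):
    """Parse Docker's UTC timestamp, truncating nanoseconds to microseconds."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z")
    base, _, frac = value[:-1].partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    return stamp.replace(microsecond=micro, tzinfo=timezone.utc)


def to_event(line):
    """Decode one line, rename log -> message, and use time as the event time."""
    try:
        record = json.loads(line)
        return {
            # Extra step (assumption): drop the newline Docker keeps in "log".
            "message": record["log"].rstrip("\n"),
            "stream": record.get("stream"),
            "@timestamp": parse_time(record["time"]),
        }
    except (ValueError, KeyError, TypeError, AttributeError):
        # Log content is untrusted input: keep the raw line and tag it
        # instead of letting one bad line stop ingestion.
        return {"message": line, "tags": ["_jsonparsefailure"]}


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(to_event(sample))
```
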