Parsing Docker Container Logs
Parse Docker container log output including stdout/stderr streams, JSON-file driver format, and embedded application log formats.
Detailed Explanation
Docker Container Log Formats
Docker captures container output from stdout and stderr streams. The log format depends on the logging driver configured, but the most common is the json-file driver (the default).
JSON-File Driver Format
When you run docker logs <container>, the output typically looks like:
2024-01-15T10:30:00.000000000Z stdout Starting application...
2024-01-15T10:30:01.000000000Z stdout Listening on port 3000
2024-01-15T10:30:02.000000000Z stderr Error: Connection to database failed
2024-01-15T10:30:03.000000000Z stderr FATAL: could not connect to server: Connection refused
Fields Extracted
| Field | Description |
|---|---|
| Timestamp | ISO 8601 with nanosecond precision |
| Stream | stdout or stderr |
| Message | The actual log content |
Severity from Stream Type
- stdout messages — severity is inferred from the message content
- stderr messages — default to ERROR unless the message content suggests otherwise (e.g., a WARN keyword)
JSON Application Logs in Docker
Many containerized applications emit JSON structured logs to stdout. In this case, the Docker log line itself contains a JSON object:
2024-01-15T10:30:00.000000000Z stdout {"level":"info","msg":"Request processed","duration":"45ms"}
The parser first identifies the Docker format, then checks whether the message content is itself a JSON log entry. If it is, both layers are parsed so that the Docker fields and the application's own fields are all extracted.
Docker Compose Logs
Docker Compose prefixes logs with the service name:
api-1 | 2024-01-15 10:30:00 INFO Processing request
redis-1 | 1:M 15 Jan 2024 10:30:00.000 * Background saving started
The parser handles the standard Docker format directly. For Compose-prefixed output, the service name becomes part of the source field.
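The two-layer parse and the stream-based severity rule described above, as an added Python example that is not the tool's own code. It assumes the `timestamp stream message` layout shown on this page; the names `parse_line` and `infer_severity`, the `docker:<service>` source format, and the INFO default for lines without a level keyword are assumptions made for illustration.

```python
import json
import re

# Layout shown on this page: <timestamp> <stdout|stderr> <message>
DOCKER_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z) (?P<stream>stdout|stderr) (?P<msg>.*)$")
# Compose prefix such as "api-1 | ": service name, replica index, pipe
COMPOSE_PREFIX = re.compile(r"^(?P<service>[\w.-]+?-\d+)\s+\| (?P<rest>.*)$")
LEVEL_WORD = re.compile(r"\b(FATAL|ERROR|WARN(?:ING)?|INFO|DEBUG)\b", re.IGNORECASE)

def infer_severity(stream, message, fields):
    # Order: JSON "level" field, then a keyword in the text, then the stream
    # default (stderr -> ERROR; INFO for everything else is an assumption).
    level = fields.get("level") if isinstance(fields, dict) else None
    if not isinstance(level, str):
        found = LEVEL_WORD.search(message)
        level = found.group(1) if found else ("ERROR" if stream == "stderr" else "INFO")
    level = level.upper()
    return "WARN" if level == "WARNING" else level

def parse_line(line):
    record = {"source": "docker", "timestamp": None, "stream": None, "fields": None}
    line = line.rstrip("\r\n")
    prefix = COMPOSE_PREFIX.match(line)
    if prefix:  # service name becomes part of the source field
        record["source"] = "docker:" + prefix.group("service")
        line = prefix.group("rest")
    docker = DOCKER_LINE.match(line)
    if docker:  # outer layer: Docker timestamp and stream
        record["timestamp"], record["stream"] = docker.group("ts", "stream")
        line = docker.group("msg")
    record["message"] = line
    if line.startswith("{"):  # inner layer: application JSON log
        try:
            record["fields"] = json.loads(line)
        except (ValueError, RecursionError):
            pass  # container-controlled text that only looks like JSON
    record["severity"] = infer_severity(record["stream"], line, record["fields"])
    return record

if __name__ == "__main__":
    # Sample lines taken from this page's examples
    for sample in (
        '2024-01-15T10:30:00.000000000Z stdout {"level":"info","msg":"Request processed","duration":"45ms"}',
        "2024-01-15T10:30:03.000000000Z stderr FATAL: could not connect to server: Connection refused",
        "api-1 | 2024-01-15 10:30:00 INFO Processing request",
    ):
        print(parse_line(sample))
```

Message content is written by the container, so malformed or deeply nested JSON is kept as plain text rather than allowed to abort the parse.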
Use Case
Debugging containerized application failures, analyzing Docker container output in CI/CD pipelines, distinguishing between stdout and stderr log streams, monitoring Docker container health through log analysis, and troubleshooting container startup issues.