Capturing podman logs truncates timestamp

[ryn9]

A note for the community

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Problem

First - I would like to report that I have been able to capture logs generated by podman containers using the docker_logs source.

I am surprised it has worked this well, considering this is not documented, doubt it has been tested, etc..
This worked by creating a symbolic link as follows:
sudo ln -s /run/podman/podman.sock /var/run/docker.sock

My only real issue ... timestamp seems to be getting the truncated version of the timestamp from the file.

For example:

2025-09-24T15:32:38.563547247+00:00 stderr F Example Message 1
2025-09-24T15:32:39.446549171+00:00 stderr F Example Message 2

Appears to be producing:

"timestamp": "2025-09-24T15:32:38Z"
"timestamp": "2025-09-24T15:32:39Z"

The docker_logs documentation does not include anything about selecting nor tweaking the parsers reading the log file.

I have to assume this is automatically using some type of 'CRI-O'/k8 log format parser?

Can the parser be updated to not truncate the timestamp?

Configuration

sources:
  docker_logs:
    type: docker_logs

sinks:
  stdout:
    type: console
    inputs:
      - docker_logs
    encoding:
      codec: json

Version

vector 0.50.0 (x86_64-unknown-linux-gnu 9053198 2025-09-23 14:18:50.944442940)

Debug Output

Example Data

No response

Additional Context

No response

References

No response

[titaneric]

Hi, I googled both docker container log and podman logs. It seems that you need to specify timestamp option to get more accurate timestamp in the container logs. Also, I dived into the docker_logs implementation. It seems that it parse the timestamp using RFC3339, which is your result's format. I could dive deeper to check whether it's possible to retrieve higher resolution timestamp in this source.

[ryn9]

It seems that you need to specify timestamp option to get more accurate timestamp in the container logs

Forgive me - where should this timestamp option be set?
As noted - the raw timestamps are already in format "2025-09-24T15:32:38.563547247+00:00"
As far as I can tell, I cannot configure podman to change this format :/

I could dive deeper to check whether it's possible to retrieve higher resolution timestamp in this source.

Please. Let me know what you need from me.
Thank you!

[titaneric]

Forgive me - where should this timestamp option be set?

I think it should be set in the docker sdk used in vector source code, which potentially becomes a new option for docker_logs source.

I could test it in my environment using both docker and podman

[titaneric]

FYI, you could specify the unix socket in docker_logs source by:

sources:
  docker_logs:
    type: docker_logs
    docker_host: /run/podman/podman.sock

[ryn9]

I originally was under the impression this was getting the logs by watching the file - I did not understand it was getting them from the API.

After testing - it appears the podman API truncates the time :(