Run the latest version of the Elastic stack with Docker and Docker Compose.
Additional information is available from Docker - ELK 7.6 : Elastic Stack with Docker Compose
It gives us the ability to analyze any data set by using the searching/aggregation capabilities of Elasticsearch and the visualization power of Kibana.
Based on the official Docker images from Elastic:
- Docker Engine version 17.05 or newer
- Docker Compose version 1.20.0 or newer
- 1.5 GB of RAM
By default, the stack exposes the following ports:
- 5000: Logstash TCP input
- 9200: Elasticsearch HTTP
- 9300: Elasticsearch TCP transport
- 5601: Kibana
This repository tries to stay aligned with the latest version of the Elastic stack. The master branch tracks the
current major version (7.x).
To use a different version of the core Elastic components, simply change the version number inside the .env file. If
we are upgrading an existing stack, please carefully read the note in the next section.
Clone this repository onto the Docker host that will run the stack, then start services locally using Docker Compose:
$ docker-compose upWe can also run all services in the background (detached mode) by adding the -d flag to the above command.
⚠️ We must rebuild the stack images withdocker-compose buildwhenever we switch branch or update the version of an already existing stack.
To start the stack for the very first time, please read the section below attentively.
Elasticsearch data is persisted inside a volume by default.
In order to entirely shutdown the stack and remove all persisted data, use the following Docker Compose command:
$ docker-compose down -vℹ️ Refer to How to enable paid features to enable authentication.
The stack is pre-configured with the following privileged bootstrap user:
- user: elastic
- password: changeme
Although all stack components work out-of-the-box with this user, we strongly recommend using the unprivileged built-in users instead for increased security.
- Initialize passwords for built-in users
$ docker-compose exec -T elasticsearch bin/elasticsearch-setup-passwords auto --batchPasswords for all 6 built-in users will be randomly generated. Take note of them.
- Unset the bootstrap password (optional)
Remove the ELASTIC_PASSWORD environment variable from the elasticsearch service inside the Compose file
(docker-compose.yml). It is only used to initialize the keystore during the initial startup of Elasticsearch.
- Replace usernames and passwords in configuration files
Use the kibana user inside the Kibana configuration file (kibana/config/kibana.yml) and the logstash_system user
inside the Logstash configuration file (logstash/config/logstash.yml) in place of the existing elastic user.
Replace the password for the elastic user inside the Logstash pipeline file (logstash/pipeline/logstash.conf).
ℹ️ Do not use the
logstash_systemuser inside the Logstash pipeline file, it does not have sufficient permissions to create indices. Follow the instructions at Configuring Security in Logstash to create a user with suitable roles.
See also the Configuration section below.
- Restart Kibana and Logstash to apply changes
$ docker-compose restart kibana logstashℹ️ Learn more about the security of the Elastic stack at Tutorial: Getting started with security.
Give Kibana about a minute to initialize, then access the Kibana web UI by hitting http://localhost:5601 with a web browser and use the following default credentials to log in:
- user: elastic
- password: <generated elastic password>
Now that the stack is running, we can go ahead and inject some log entries. The shipped Logstash configuration allows us to send content via TCP:
# Using BSD netcat (Debian, Ubuntu, MacOS system, ...)
$ cat /path/to/logfile.log | nc -q0 localhost 5000# Using GNU netcat (CentOS, Fedora, MacOS Homebrew, ...)
$ cat /path/to/logfile.log | nc -c localhost 5000We can also load the sample data provided by our Kibana installation.
When Kibana launches for the first time, it is not configured with any index pattern.
ℹ️ We need to inject data into Logstash before being able to configure a Logstash index pattern via the Kibana web UI.
Navigate to the Discover view of Kibana from the left sidebar. We will be prompted to create an index pattern. Enter
logstash-* to match Logstash indices then, on the next page, select @timestamp as the time filter field. Finally,
click Create index pattern and return to the Discover view to inspect our log entries.
Refer to Connect Kibana with Elasticsearch and Creating an index pattern for detailed instructions about the index pattern configuration.
Create an index pattern via the Kibana API:
$ curl -XPOST -D- 'http://localhost:5601/api/saved_objects/index-pattern' \
-H 'Content-Type: application/json' \
-H 'kbn-version: 7.6.2' \
-u elastic:<generated elastic password> \
-d '{"attributes":{"title":"logstash-*","timeFieldName":"@timestamp"}}'The created pattern will automatically be marked as the default index pattern as soon as the Kibana UI is opened for the first time.
ℹ️ Configuration is not dynamically reloaded, we will need to restart individual components after any configuration change.
The Elasticsearch configuration is stored in elasticsearch/config/elasticsearch.yml.
We can also specify the options we want to override by setting environment variables inside the Compose file:
elasticsearch:
environment:
network.host: _non_loopback_
cluster.name: my-clusterPlease refer to the following documentation page for more details about how to configure Elasticsearch inside Docker containers: Install Elasticsearch with Docker.
The Kibana default configuration is stored in kibana/config/kibana.yml.
It is also possible to map the entire config directory instead of a single file.
Please refer to the following documentation page for more details about how to configure Kibana inside Docker containers: Running Kibana on Docker.
The Logstash configuration is stored in logstash/config/logstash.yml.
It is also possible to map the entire config directory instead of a single file, however we must be aware that
Logstash will be expecting a log4j2.properties file for its own logging.
Please refer to the following documentation page for more details about how to configure Logstash inside Docker containers: Configuring Logstash for Docker.
Switch the value of Elasticsearch's xpack.license.self_generated.type option from basic to trial(see License
settings).
Follow the instructions from the Wiki: Scaling out Elasticsearch
To add plugins to any ELK component we have to:
- Add a
RUNstatement to the correspondingDockerfile(eg.RUN logstash-plugin install logstash-filter-json) - Add the associated plugin code configuration to the service configuration (eg. Logstash input/output)
- Rebuild the images using the
docker-compose buildcommand
By default, both Elasticsearch and Logstash start with 1/4 of the total host memory allocated to the JVM Heap Size.
The startup scripts for Elasticsearch and Logstash can append extra JVM options from the value of an environment variable, allowing the user to adjust the amount of memory that can be used by each component:
| Service | Environment variable |
|---|---|
| Elasticsearch | ES_JAVA_OPTS |
| Logstash | LS_JAVA_OPTS |
To accomodate environments where memory is scarce (Docker for Mac has only 2 GB available by default), the Heap Size
allocation is capped by default to 256MB per service in the docker-compose.yml file. If we want to override the
default JVM configuration, edit the matching environment variable(s) in the docker-compose.yml file.
For example, to increase the maximum JVM Heap Size for Logstash:
logstash:
environment:
LS_JAVA_OPTS: -Xmx1g -Xms1gAs for the Java Heap memory (see above), we can specify JVM options to enable JMX and map the JMX port on the Docker host.
Update the {ES,LS}_JAVA_OPTS environment variable with the following content (I've mapped the JMX service on the port
18080, we can change that). Do not forget to update the -Djava.rmi.server.hostname option with the IP address of our
Docker host (replace DOCKER_HOST_IP):
logstash:
environment:
LS_JAVA_OPTS: -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=18080 -Dcom.sun.management.jmxremote.rmi.port=18080 -Djava.rmi.server.hostname=DOCKER_HOST_IP -Dcom.sun.management.jmxremote.local.only=falseSee the following Wiki pages:
Experimental support for Docker Swarm mode is provided in the form of a docker-stack.yml file, which can
be deployed in an existing Swarm cluster using the following command:
$ docker stack deploy -c docker-stack.yml elkIf all components get deployed without any error, the following command will show 3 running services:
$ docker stack services elkℹ️ To scale Elasticsearch in Swarm mode, configure zen to use the DNS name
tasks.elasticsearchinstead ofelasticsearch.
This repository is a forked/trimmed version of docker-elk