Based on the official Docker images:
- Install Docker version 1.10.0+
- Install Docker Compose version 1.6.0+
- Clone this repository
On distributions that have SELinux enabled out of the box, you will need to either re-context the files or set SELinux to Permissive mode for docker-elk to start properly. For example, on Red Hat and CentOS, the following applies the proper context:
$ chcon -R system_u:object_r:admin_home_t:s0 docker-elk/
Start the ELK stack using docker-compose:
$ docker-compose up
You can also choose to run it in background (detached mode):
$ docker-compose up -d
Give Kibana about 2 minutes to initialize, then access the Kibana web UI by hitting http://localhost:5601 with a web browser.
By default, the stack exposes the following ports:
- 5000: Logstash TCP input
- 31311: Logstash HTTP input (with the logstash-input-http plugin)
- 9200: Elasticsearch HTTP
- 9300: Elasticsearch TCP transport
- 5601: Kibana
When Kibana launches for the first time, it is not configured with any index pattern.
NOTE: You need to inject data into Logstash before being able to configure a Logstash index pattern via the Kibana web UI. Then all you have to do is hit the Create button.
Refer to Connect Kibana with Elasticsearch for detailed instructions about the index pattern configuration.
Run this command to create a Logstash index pattern:
$ curl -XPUT -D- 'http://localhost:9200/.kibana/index-pattern/logstash-*' \
-H 'Content-Type: application/json' \
-d '{"title" : "logstash-*", "timeFieldName": "@timestamp", "notExpandable": true}'
This command will mark the Logstash index pattern as the default index pattern:
$ curl -XPUT -D- 'http://localhost:9200/.kibana/config/5.5.1' \
-H 'Content-Type: application/json' \
-d '{"defaultIndex": "logstash-*"}'