ELK (Elasticsearch, Logstash, Kibana) as Docker Container.
This setup allows for watching files in a local directory and log event forwarding over a TLS-secured connection.
This repository contains a Vagrantfile which allows for automated provisioning of a virtual machine and running all defined docker containers inside it.
Just three steps are required:
- Install Vagrant
- Run
vagrant up
in the directory containing the Vagrantfile - Access http://localhost:5601 in your web browser to open kibana
To monitor and restart docker containers enter the virtual machine via vagrant ssh
.
First of all, build images from all the Dockerfiles. Therefore, change dir into the subfolders and run
$ cd elasticsearch
$ sudo docker build -t elasticsearch .
$ cd ../logstash
$ sudo docker build -t logstash .
$ cd ../kibana
$ sudo docker build -t kibana .
Then start a container for Elasticsearch, Logstash, and Kibana, respectively.
$ cd ..
$ sudo docker run --name elasticsearch -d -p=9200:9200 elasticsearch
$ mkdir logs
$ sudo docker run --name logstash -d -p=5000:5000 --link elasticsearch:elasticsearch \
-v `pwd`/logstash/config:/conf -v `pwd`/logs:/var/logstash/logs logstash
$ sudo docker run --name kibana -d -p=5601:5601 --link elasticsearch:elasticsearch kibana
Finally, go to http://localhost:5601 to access kibana.
Container Parameter Details:
- all containers are named appropriately (
--name
) and run in the background (-d
). - elasticsearch exposes its HTTP service port 9200.
- logstash exposes port 5000 for (TLS-secured) log forwarding.
- kibana is accessible on port 5601.
- the logstash configuration is not embedded in the docker image but mounted as a data volume under '/conf' when the container is started. Thus, the logstash configuration can be updated easily and a restart of the logstash container is sufficient to apply the changes (
docker restart logstash
). - a local log file directory 'logs/' is created and mounted in the logstash container. It is watched for any added or updated log files.
Container Inspection:
Verify that all containers are running.
$ sudo docker ps -a
Check for any errors in the logstash container log.
$ sudo docker logs logstash
The logstash configuration (logstash/logstash.conf) defines two input options for processing log events:
- via log files in the 'logs/' directory.
- via TLS-secured log forwarding on port 5000.
The easiest options for adding log messages is to
- copy a line-based log file to the local 'logs/' directory, e.g.
sudo cp /var/log/dmesg logs/
- append lines of log messages to a log file in the local 'logs/' directory, e.g.
sudo chown `whoami` logs && echo "Hello World" >>logs/test.log
First of all, the security certificate needs to be obtained from the logstash docker image.
sudo docker cp logstash:/etc/pki/tls/certs/logstash-ca.crt .
OpenSSL can be used for testing. Type following command to open the connection and then enter any lines of log messages.
openssl s_client -quiet -CAfile logstash-ca.crt -connect localhost:5000
NXlog is a full-featured log processor which can also forward logs via TLS. A basic NXlog setup is provided in the nxlog container.
$ cp logstash-ca.crt nxlog/
$ cd nxlog
$ sudo docker build -t nxlog .
$ cd ..
$ sudo docker run --name nxlog -d --link logstash:logstash -v `pwd`/nxlog/config:/conf nxlog