SSL-remixed: The ELK stack powered by Docker and Docker-compose.
Anthony Lapenna 8a64d175ab Merge pull request #7 from cdituri/centos-selinux
Note about starting fig-elk when SELinux is enabled
2015-04-24 07:47:36 +02:00
logstash-conf Updated logstash-conf format. 2014-12-06 19:17:59 +01:00
docker-compose.yml Updated to docker-compose. 2015-02-27 19:03:06 +01:00
README.md README.md: add note about running under SELinux-enabled systems 2015-04-23 21:45:22 -05:00

Docker ELK stack

Join the chat at https://gitter.im/deviantony/fig-elk

Run the ELK (Elasticsearch, Logstash, Kibana) stack with Docker and Docker-compose.

It lets you quickly test your Logstash filters and check how the data can be processed in Kibana.

Based on 3 Docker images:

Installation and use

  1. Install Docker.
  2. Install Docker-compose.
  3. Clone this repository

NOTE: On distributions that have SELinux enabled out of the box, you will need to either re-context the files or set SELinux to Permissive mode in order for fig-elk to start properly. For example, on Red Hat and CentOS, the following will apply the proper context:

.-root@centos ~
`-$ chcon -R system_u:object_r:admin_home_t:s0 fig-elk/

  1. Update the logstash-configuration in logstash-conf/logstash.conf (test your filters here)
  2. docker-compose up (-d to run detached in the background)
  3. nc localhost 5000 < /some/log/file.log
  4. http://localhost:8080 to see the messages show up in Kibana 3.
  5. http://localhost:5601 to use Kibana 4.

NOTE: If you're using boot2docker, you must access it via the boot2docker IP address:

This will create 4 Docker containers with Elasticsearch, Logstash, Kibana 3 and Kibana 4 running in them and connected to each other. Four ports are exposed for access:

  • 5000: Logstash TCP input.
  • 9200: Elasticsearch HTTP (With Marvel plugin accessible via http://localhost:9200/_plugin/marvel)
  • 8080: Kibana 3 web interface.
  • 5601: Kibana 4 web interface.
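
A Compose short-syntax mapping with no host IP (for example `5000:5000`) is published on every host interface by default, so the four ports above are reachable from other machines unless they are bound to loopback. The check below is an added example, not code from this repository: the service names and mappings are constructed, and only the four port numbers come from this README. It flags every mapping that is not loopback-only and shows the loopback-bound form beside it.

```python
# Added example: not code from the fig-elk repository.
# Service names and mappings are constructed; only the port numbers are from the README.
import ipaddress

README_PORTS = {5000: "Logstash TCP input", 9200: "Elasticsearch HTTP",
                8080: "Kibana 3 web interface", 5601: "Kibana 4 web interface"}

# Constructed "ports:" entries matching the four ports the README lists.
AS_DESCRIBED = {"logstash": ["5000:5000"], "elasticsearch": ["9200:9200"],
                "kibana3": ["8080:80"], "kibana4": ["5601:5601"]}
# Same services, published on the loopback interface only.
LOOPBACK_ONLY = {name: ["127.0.0.1:" + p for p in ports]
                 for name, ports in AS_DESCRIBED.items()}


def parse_mapping(entry):
    """Return (host_ip, host_port, container_port) for a short-syntax entry.

    Handles "CONTAINER", "HOST:CONTAINER" and "IP:HOST:CONTAINER" with an
    optional "/tcp" or "/udp" suffix. Port ranges and IPv6 are not handled.
    """
    parts = str(entry).split("/", 1)[0].split(":")
    if len(parts) == 1:
        return None, None, int(parts[0])   # Docker picks the host port
    if len(parts) == 2:
        return None, int(parts[0]), int(parts[1])
    if len(parts) == 3:
        host_port = int(parts[1]) if parts[1] else None
        return parts[0], host_port, int(parts[2])
    raise ValueError("unsupported port mapping: %r" % (entry,))


def audit(services):
    """List (service, entry, role) for every mapping not bound to loopback."""
    findings = []
    for name, ports in services.items():
        for entry in ports:
            host_ip, host_port, _ = parse_mapping(entry)
            loopback = bool(host_ip) and ipaddress.ip_address(host_ip).is_loopback
            if not loopback:
                role = README_PORTS.get(host_port, "port not listed in README")
                findings.append((name, entry, role))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as described", AS_DESCRIBED), ("loopback only", LOOPBACK_ONLY)):
        print(label)
        for finding in audit(cfg):
            print("  published beyond loopback:", *finding)
```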