This guide uses Docker Compose to run the Elastic Stack (Elasticsearch, Logstash, Kibana).
For Docker installation, see the Docker installation guide (link missing in this rendering); the commands below assume `docker compose` (the v2 plugin) is available.
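# Working directory layout, matching the bind mounts in docker-compose.yml:
#   data/elasticsearch, logs/elasticsearch -> Elasticsearch data and logs
#   logstash/pipeline                      -> Logstash pipeline definitions
mkdir -p /opt/elk/{data/elasticsearch,logs/elasticsearch,logstash/pipeline}
cd /opt/elk
# The Elasticsearch container runs as uid/gid 1000; bind-mounted data and log
# directories must be writable by it, otherwise the node fails at startup
# (directories auto-created by Docker are owned by root).
chown -R 1000:1000 data logs
# Generate a random password instead of a guessable fixed one, and create the
# file owner-readable only (umask in a subshell so the session is unaffected):
# .env is a credential, not configuration, and must not be committed anywhere.
# It only takes effect once xpack.security.enabled=true in docker-compose.yml.
( umask 077; echo "ELASTIC_PASSWORD=$(openssl rand -hex 16)" > .env )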
Create docker-compose.yml:
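# Docker Compose stack: single-node Elasticsearch + Logstash + Kibana.
# NOTE(review): Elasticsearch security (xpack.security.enabled) is OFF in this
# file, so every request to Elasticsearch and Kibana is anonymous and has full
# read/write/admin rights. To limit the blast radius, 9200 is published on
# loopback only and 9300 (node-to-node transport) is not published at all;
# Logstash and Kibana reach Elasticsearch over the private `elk` network.
# Kibana (5601) and the Beats input (5044) stay reachable from other hosts
# because the guide needs them to be -- restrict them with a host firewall and
# enable security before exposing this stack beyond a trusted network.
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:9.3.1
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      # Disables authentication, authorization and TLS entirely (lab setting).
      # The ELASTIC_PASSWORD written to .env is unused while this is false.
      - xpack.security.enabled=false
      # Fixed 1 GiB heap; size this from the RAM actually available.
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
    volumes:
      # Host directories must be writable by uid 1000 (the container user).
      - ./data/elasticsearch:/usr/share/elasticsearch/data
      - ./logs/elasticsearch:/usr/share/elasticsearch/logs
    ports:
      # Loopback only: `curl localhost:9200` from the host still works, but the
      # unauthenticated REST API is not reachable from other machines.
      - "127.0.0.1:9200:9200"
      # 9300 (cluster transport) is deliberately not published: a single node
      # has no peers, and exposing it offers remote hosts unauthenticated
      # node-level access.
    restart: unless-stopped
    networks:
      - elk

  logstash:
    image: docker.elastic.co/logstash/logstash:9.3.1
    container_name: logstash
    depends_on:
      - elasticsearch
    environment:
      - "LS_JAVA_OPTS=-Xms512m -Xmx512m"
    volumes:
      - ./logstash/pipeline:/usr/share/logstash/pipeline:ro
      # NOTE(review): the guide never populates ./logstash/config. Bind-mounting
      # an empty host directory over /usr/share/logstash/config would hide the
      # image's own logstash.yml, pipelines.yml and jvm.options, so the mount is
      # left out; re-add it only once the directory holds a full config set.
      # - ./logstash/config:/usr/share/logstash/config:ro
    ports:
      # Beats input. Plain TCP with no TLS and no client authentication: any
      # host that can reach 5044 can inject arbitrary events into the cluster.
      - "5044:5044"
    restart: unless-stopped
    networks:
      - elk

  kibana:
    image: docker.elastic.co/kibana/kibana:9.3.1
    container_name: kibana
    depends_on:
      - elasticsearch
    environment:
      # Reached over the compose network; plain HTTP because security is off.
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    ports:
      # No login page while Elasticsearch security is off: anyone who reaches
      # 5601 has full access to the data. If the UI need not be public, bind
      # to "127.0.0.1:5601:5601" and use an SSH tunnel or an authenticating
      # reverse proxy instead.
      - "5601:5601"
    restart: unless-stopped
    networks:
      - elk

networks:
  elk:
    driver: bridge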
Create logstash/pipeline/logstash.conf:
# Logstash pipeline: Beats on 5044 -> optional syslog parsing -> Elasticsearch.
input {
# Plain TCP listener, no TLS and no client verification: anything that can
# reach 5044 can send events that are indexed as if they were genuine logs.
# Configure the beats input's ssl_* options (server cert/key and, ideally,
# client certificate authentication) before exposing it to an untrusted network.
beats {
port => 5044
}
}
filter {
# NOTE(review): this branch only runs for events whose `type` field is
# "syslog". Recent Filebeat versions do not set `type` by default, so confirm
# the shipper adds it (e.g. via `fields` + `fields_under_root`); otherwise the
# grok/date stages are skipped and raw lines are indexed unparsed.
if [type] == "syslog" {
# Classic rsyslog line format; `message` is left intact, parsed parts are
# added as syslog_* fields. Lines that do not match get a _grokparsefailure tag.
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
}
# Syslog timestamps carry no year, so the date filter has to guess it
# (current year by default) -- expect misdated events around New Year.
# On success @timestamp is replaced by the parsed value.
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
# Anonymous HTTP connection to the cluster: this only works while
# xpack.security.enabled=false on Elasticsearch. Once security is enabled,
# add user/password (or api_key) and ssl settings here.
elasticsearch {
hosts => ["elasticsearch:9200"]
# One index per day; every event goes here regardless of type.
index => "logs-%{+YYYY.MM.dd}"
}
# Echoes every event to the container's stdout (`docker compose logs logstash`).
# Handy while debugging, but it duplicates write volume and copies whatever the
# logs contain into the Docker log store -- remove it outside a lab.
stdout { codec => rubydebug }
}
# Start the stack in the background (long form of -d).
docker compose up --detach
Note: Elasticsearch may take 2-3 minutes to start.
Check container status:
# Show the state of the three containers; all should report "running".
docker compose ps
View Elasticsearch health:
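# Quote the URL: an unquoted '?' is a shell glob character (zsh aborts with
# "no matches found"; bash would expand it if a matching file existed).
# Expect "status": "yellow" on a single node (replica shards cannot be placed).
curl 'http://localhost:9200/_cluster/health?pretty'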
Access Kibana at http://SERVER_IP:5601. With `xpack.security.enabled=false` there is no login: anyone who can reach port 5601 can read and modify everything in the cluster, so restrict the port with a firewall or reach it over an SSH tunnel until security is enabled.
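# Follow the logs of one service (Ctrl-C stops following, not the service).
docker compose logs -f elasticsearch
docker compose logs -f logstash
docker compose logs -f kibana
# Restart all services in place.
docker compose restart
# Upgrade: stop the stack, pull the image tags pinned in docker-compose.yml,
# start again. Because the tags are fixed versions, `pull` only fetches
# something new after you bump them; bump all three together (Kibana in
# particular must match the Elasticsearch version).
docker compose down
docker compose pull
docker compose up -d
# List indices (URL quoted: '?' is a shell glob character).
curl 'http://localhost:9200/_cat/indices?v'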
Before using this stack outside a lab: set `xpack.security.enabled=true` and configure users — the `ELASTIC_PASSWORD` in `.env` only takes effect then, and Kibana and Logstash will then need their own credentials instead of anonymous access; put TLS in front of Elasticsearch and Kibana; and size `ES_JAVA_OPTS` from the RAM actually available. To ship logs from other hosts, install Filebeat and configure its output:
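# Filebeat output: send to the Logstash Beats input (port 5044 above) so that
# events pass through the syslog grok/date filters instead of landing in
# Elasticsearch unparsed. Remove or comment out Filebeat's default
# output.elasticsearch section -- Filebeat refuses to start with more than one
# output enabled. This is plain TCP, matching the Logstash side; add the
# ssl.* settings once 5044 carries TLS.
output.logstash:
  hosts: ["your-elk-server:5044"]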