ELK Stack Docker Compose Setup

This repository contains a minimal ELK (Elasticsearch, Logstash, Kibana) stack that can be started with Docker Compose. It is designed to work alongside an existing Filebeat service running on the same host or any other machine on your network.

Prerequisites

  • Docker Engine installed (install guide)
  • Docker Compose plugin (docker compose) – comes with recent Docker versions. Verify with docker compose version.
  • Ports 9200, 5044 and 5601 must be reachable from the machines that will send logs (Filebeat) and from your browser for Kibana.

Services

| Service | Image | Port(s) exposed |
|---------|-------|-----------------|
| Elasticsearch | docker.elastic.co/elasticsearch/elasticsearch:8.13.2 | 9200 (HTTP API) |
| Logstash | docker.elastic.co/logstash/logstash:8.13.2 | 5044 (Beats input) |
| Kibana | docker.elastic.co/kibana/kibana:8.13.2 | 5601 (Web UI) |

Filebeat is not part of this compose file – it should already be running on the host or another machine.

How It Works

  • Logstash listens on port 5044 for Beats input (Filebeat).
  • Received events are forwarded to Elasticsearch at http://elasticsearch:9200.
  • Kibana connects to Elasticsearch and provides a UI on http://<host-ip>:5601.

Starting the Stack

cd /path/to/elk-stack   # directory containing docker-compose.yml
docker compose up -d    # start in detached mode

Docker Compose will pull the required images (if not already cached) and start the three containers.

Verifying Everything Is Running

# List running containers
docker ps

You should see es01, logstash01 and kibana01 up.

  • Open a browser to http://<host-ip>:5601 – you should see the Kibana UI.
  • Test Elasticsearch: curl http://<host-ip>:9200 – it returns JSON with cluster info.
  • Check Logstash is listening: nc -zv <host-ip> 5044 (should report open).

Configuring Filebeat

Configure your existing Filebeat to ship logs to the ELK host:

output.logstash:
  hosts: ["<elk-host-ip>:5044"]

Replace <elk-host-ip> with the IP address or hostname where this Docker stack runs.

Optional: Disable Security (as in this compose)

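Security features are disabled for simplicity (xpack.security.enabled=false), so Elasticsearch on port 9200 and Kibana on port 5601 accept requests without authentication from any machine that can reach them; limit access to those ports to trusted hosts. In production you should enable security and set proper passwords. If you enable it, update logstash/pipeline/logstash.conf with the appropriate credentials.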
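
To check how exposed the running stack is while security is disabled, the following script (an added example, not part of this repository) flags container ports published on every host interface and reports whether Elasticsearch and Kibana answer without credentials. The sample `docker ps` output is constructed, and the function names and the choice of Kibana's /api/status path are assumptions of this example.

```shell
#!/bin/sh
# Added example: exposure audit for the ELK containers on the Docker host.

# Constructed sample of `docker ps --format '{{.Names}} {{.Ports}}'` output.
SAMPLE_PS='es01 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp, 9300/tcp
logstash01 127.0.0.1:5044->5044/tcp, 9600/tcp
kibana01 [::]:5601->5601/tcp'

# Read such lines on stdin; print "<container> <port>" for every port that is
# published on all interfaces (0.0.0.0, :: or [::]) rather than one address.
wildcard_bindings() {
  awk '{
    for (i = 2; i <= NF; i++) {
      b = $i; sub(/,$/, "", b)
      if (b ~ /^(0\.0\.0\.0|::|\[::\]):[0-9-]+->/) {
        sub(/->.*/, "", b); sub(/^.*:/, "", b)   # keep the host port only
        key = $1 " " b
        if (!(key in seen)) { seen[key] = 1; print key }
      }
    }
  }'
}

# Map the HTTP status of a request sent without credentials to a finding.
classify_status() {
  case "$1" in
    200)     echo "open" ;;            # answered without authentication
    401|403) echo "auth-required" ;;
    000)     echo "unreachable" ;;     # curl prints 000 when nothing answered
    *)       echo "unexpected" ;;
  esac
}

# Send one unauthenticated GET and print only the status code.
probe() {
  curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" || true
}

# usage: audit <host-ip>
audit() {
  docker ps --format '{{.Names}} {{.Ports}}' | wildcard_bindings |
    while read -r name port; do
      echo "published on all interfaces: $name port $port"
    done
  echo "Elasticsearch :9200 -> $(classify_status "$(probe "http://$1:9200/")")"
  echo "Kibana :5601 -> $(classify_status "$(probe "http://$1:5601/api/status")")"
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run it on the Docker host with the host IP as its only argument; a result of "open" on a host reachable from untrusted networks means the port should be firewalled or bound to a specific address.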

Stopping the Stack

docker compose down   # stops containers and removes network

If you also want to delete stored data:

docker compose down -v   # removes volumes (deletes Elasticsearch data)

Note: This setup is intended for development or small‑scale testing. For a production‑grade deployment you would need multiple Elasticsearch nodes, TLS/SSL, authentication, resource tuning, etc.