This article shows how to use the sebp/elk Docker image to set up the ELK stack and configure it to receive log messages from Filebeat.
Step 1: Set up ELK using the sebp/elk Docker image
sudo docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -v /home/ubuntu/elk/elk-data:/var/lib/elasticsearch --name elk sebp/elk;
See the sebp/elk documentation.
A few things need to be modified:
- modify Logstash configuration
- modify Filebeat configuration

Modify Logstash Configuration
Find the ELK Docker container ID using the command:
sudo docker ps
Go inside the container using the command:
sudo docker exec -it [container_id] /bin/bash
Modify /etc/logstash/conf.d/30-output.conf as shown below. Set the index value to whatever you like; here I use “app-” as the index prefix.
output {
  elasticsearch {
    hosts => ["localhost"]
    manage_template => false
    index => "app-%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
Modify Filebeat Configuration
Modify /etc/logstash/conf.d/02-beats-input.conf as shown below; this makes Logstash listen on port 5044 to receive Filebeat input.
input {
  beats {
    port => 5044
  }
}
Once the two steps above are done, remember to restart the Docker container using the command:
sudo docker restart [container_id]
Step 2: Set up Filebeat using Docker
sudo docker run -d --name=filebeat-meshare --user=root \
  --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  --volume="$(pwd)/log:/log" \
  docker.elastic.co/beats/filebeat:7.6.2 filebeat -e -strict.perms=false
Below is the Filebeat configuration file; modify it as needed. For example, change the log path to point to your own logs.
filebeat.docker.yml
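filebeat.inputs:
  - type: log
    paths:
      - /log/*.log
output.logstash:
  # Address of the Logstash Beats input. Inside the Filebeat container,
  # 127.0.0.1 is that container itself unless it shares the host network,
  # so use the address where port 5044 of the ELK container is reachable.
  hosts: ["127.0.0.1:5044"]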
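The Beats input and Filebeat output above exchange logs in plaintext, and the Step 1 command publishes Kibana and Elasticsearch on every host interface. The script below is an added example, not part of the original article: it writes TLS-enabled variants of both files and prints a run command with ports 5601 and 9200 bound to loopback. The function names, certificate, key and CA paths and the host name are placeholders, and the option names assume the 7.x Logstash beats input and Filebeat used here.

```shell
#!/bin/sh
# Added example: hardened variants of the configs shown in this article.
# Every path and host passed in is a placeholder chosen by the caller.

# Logstash side: Beats input on 5044 that only accepts TLS connections.
# $1 = output file, $2 = server certificate path, $3 = PKCS#8 private key path
write_beats_tls_input() {
  cat > "$1" <<EOF
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "$2"
    ssl_key => "$3"
  }
}
EOF
}

# Filebeat side: same input as the article, plus the CA that signed the
# Logstash certificate. The name in hosts must match that certificate.
# $1 = output file, $2 = Logstash host:port, $3 = CA certificate path
write_filebeat_tls_output() {
  cat > "$1" <<EOF
filebeat.inputs:
  - type: log
    paths:
      - /log/*.log
output.logstash:
  hosts: ["$2"]
  ssl.certificate_authorities: ["$3"]
EOF
}

# Print the Step 1 run command with Kibana (5601) and Elasticsearch (9200)
# published on loopback only; 5044 stays reachable for remote Filebeat hosts.
elk_run_cmd() {
  echo "sudo docker run -p 127.0.0.1:5601:5601 -p 127.0.0.1:9200:9200 -p 5044:5044 -v /home/ubuntu/elk/elk-data:/var/lib/elasticsearch --name elk sebp/elk"
}
```

The CA file also has to be mounted into the Filebeat container at the path written into filebeat.docker.yml, and the Logstash certificate and key have to exist inside the ELK container at the paths written into 02-beats-input.conf.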