Analyzing and Visualizing Docker Logs with the ELK Stack (Part Two)

The previous article introduced the basic steps for collecting Docker container logs into the ELK stack (Elasticsearch, Logstash, Kibana). This second part focuses on indexing those logs in Elasticsearch and visualizing them in Kibana.

To work with a Dockerized environment you need three containers—ELK, Prometheus, and Grafana—and a Docker log collector that forwards container logs to Logz.io ELK. The same concepts apply if you run your own ELK deployment.

Parsing Docker logs can be difficult; the quality of the parsed fields directly affects how easy it is to analyze and visualize the data. Key parsing tips include normalizing timestamps, adding service IDs or tags to distinguish container logs, and dropping unnecessary strings with Logstash filters.

Example log lines:

t=2017-03-22T13:04:47+0000 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=GET path=/logout status=302 remote_addr=109.67.183.188 time_ms=1ns size=29

[2017-03-22T13:05:01,974][INFO ][o.e.c.r.a.DiskThresholdMonitor] [0EUzBd2] rerouting shards: [high disk watermark exceeded on one or more nodes]

When querying logs in Kibana, you can use free‑text search, field‑level queries, and existence queries. Examples:

id: 84379bdbe8e0

id: 6c05ea5efd6d AND loglevel:INFO

_exists_:loglevel

After building queries, save them for later use in visualizations. Kibana can then create a variety of visualizations such as pie charts aggregating by the name field of containers, bar charts for event counts, and line charts showing log events over time. You can also aggregate by image or host to see the distribution of images, containers, and hosts.

Pre‑built dashboards are available in the Logz.io ELK Apps library, providing ready‑made visualizations for Docker logs.

In conclusion, although setting up log collection from Docker hosts to ELK is not trivial, the resulting comprehensive visualizations make it much easier to correlate events and monitor Dockerized environments effectively.