BestHub
Sign in
Cloud Native 5 min read

Build an ELK Log Center for Docker Containers in Minutes

This guide walks you through setting up an ELK stack to collect, centralize, and visualize logs from Dockerized applications, covering rsyslog configuration, container deployment for Elasticsearch, Logstash, Kibana, and Nginx, and demonstrates verification via Kibana queries.

Efficient Ops
Efficient Ops
Efficient Ops
Build an ELK Log Center for Docker Containers in Minutes

Overview

When an application is containerized, the first task is to collect its printed logs from Docker containers for analysis. This article explains how to use the ELK (Elasticsearch, Logstash, Kibana) stack to gather and manage these logs, providing visual query and monitoring capabilities.

The architecture is illustrated below:

Image Preparation

Elasticsearch image

Logstash image

Kibana image

Nginx image (produces logs for the containerized app)

Enable Linux Rsyslog Service

Edit the rsyslog configuration file: vim /etc/rsyslog.conf Enable the following three parameters:

$ModLoad imtcp</code><code>$InputTCPServerRun 514</code><code>*.* @@localhost:4560

Restart the rsyslog service: systemctl restart rsyslog Check the rsyslog listening status:

netstat -tnl

Deploy Elasticsearch Service

docker run -d -p 9200:9200 \
  -v ~/elasticsearch/data:/usr/share/elasticsearch/data \
  --name elasticsearch elasticsearch

Deploy Logstash Service

Create the configuration file ~/logstash/logstash.conf:

input {</code><code>  syslog {</code><code>    type => "rsyslog"</code><code>    port => 4560</code><code>  }</code><code>}</code><br/><code>output {</code><code>  elasticsearch {</code><code>    hosts => [ "elasticsearch:9200" ]</code><code>  }</code><code>}

This configuration makes Logstash pull logs from the local rsyslog service and forward them to Elasticsearch.

Start the Logstash container:

docker run -d -p 4560:4560 \
  -v ~/logstash/logstash.conf:/etc/logstash.conf \
  --link elasticsearch:elasticsearch \
  --name logstash logstash \
  logstash -f /etc/logstash.conf

Deploy Kibana Service

docker run -d -p 5601:5601 \
  --link elasticsearch:elasticsearch \
  -e ELASTICSEARCH_URL=http://elasticsearch:9200 \
  --name kibana kibana

Run Nginx Container to Produce Logs

docker run -d -p 90:80 \
  --log-driver syslog \
  --log-opt syslog-address=tcp://localhost:514 \
  --log-opt tag="nginx" \
  --name nginx nginx

The Nginx container forwards its application logs to the local syslog service, which then passes the data to Logstash for collection.

At this point, four containers are running: Elasticsearch, Logstash, Kibana, and Nginx.

Verification

Open http://localhost:90 in a browser, refresh to generate GET request logs.

Open Kibana UI at http://localhost:5601.

In Kibana, query program=nginx to view the collected Nginx logs.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

DockerElasticsearchloggingELKLogstashKibanarsyslog
Efficient Ops
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment