Run enhanced ELK stack (Elasticsearch, Logstash, Kibana, X-Pack, Curator, NGINX) on top of Docker Swarm.
It will give you the ability to analyze any data set by using the searching/aggregation capabilities of Elasticsearch and the visualization power of Kibana.
Based on official Elasticsearch Docker images plus custom Curator:
- Install [Docker] version 17.06.0+ in Swarm Mode
- Clone this repository
Start the ELK stack using docker and giving it a name:
$ docker stack deploy -c docker-compose.yml <STACK NAME>Give Kibana about 2 minutes to initialize, then access the Kibana web UI by hitting http://:5601 with a web browser.
By default, the stack exposes the following ports:
- 5044: Logstash Beats input.
- 5601: Kibana with default X-Pack credentials (user: elastic, password: changeme)
- 9200: Elasticsearch with default X-Pack credentials (user: elastic, password: changeme)
The Logstash configuration is stored in docker-configs/logstash/logstash.yml.
NOTE: logstash.yml is configured to receive data by a Beats client on port 5044 without filters. Probably you'll need to configure this file according yours needs.
The Curator configuration is stored in docker-configs/curator/curator.yml and docker-configs/curator/actions.yml.
NOTE: Curator is configured to purge ant logstash-* index older than 30 days. Probably you'll need to configure these files according yours needs.
Since we need DNS Round Robin in Swarm service configuration for Elasticsearch to achieve scaling on unicast messages, Docker can't publish on ingress network (VIP is required). So I put an NGINX in front of Elasticsearch as a proxy.
The data stored in Elasticsearch will be persisted in a docker volume named elastic_data.
This Docker Stack is easly scalable with scale capability of Docker Swarm.
This is an example of scale procedure:
$ docker service scale elk_logstash=3BEWARE before scaling elasticsearch instance: make sure do you have enough free nodes. You cannot have two instance of elasticsearch on the same node due to same data volume conflict.