Official Repository

Last pushed: 2 days ago
Short Description
Logstash is a tool for managing events and logs.
Full Description


This image is officially deprecated in favor of the logstash image provided by which is available to pull via[version] like 5.2.1. This image will receive no further updates after 2017-06-20 (June 20, 2017). Please adjust your usage accordingly.

Elastic provides open-source support for Logstash via the elastic/logstash GitHub repository and the Docker image via the elastic/logstash-docker GitHub repository, as well as community support via its forums.

Supported tags and respective Dockerfile links

For more information about this image and its history, please see the relevant manifest file (library/logstash). This image is updated via pull requests to the docker-library/official-images GitHub repo.

For detailed information about the virtual/transfer sizes and individual layers of each of the above supported tags, please see the repos/logstash/ file in the docker-library/repo-info GitHub repo.

What is Logstash?

Logstash is a tool that can be used to collect, process and forward events and log messages. Collection is accomplished via number of configurable input plugins including raw socket/packet communication, file tailing and several message bus clients. Once an input plugin has collected data it can be processed by any number of filters which modify and annotate the event data. Finally events are routed to output plugins which can forward the events to a variety of external programs including Elasticsearch, local files and several message bus implementations.

How to use this image

Start Logstash with commandline configuration

If you need to run logstash with configuration provided on the commandline, you can use the logstash image as follows:

$ docker run -it --rm logstash -e 'input { stdin { } } output { stdout { } }'

Start Logstash with configuration file

If you need to run logstash with a configuration file, logstash.conf, that's located in your current directory, you can use the logstash image as follows:

$ docker run -it --rm -v "$PWD":/config-dir logstash -f /config-dir/logstash.conf

Using a Dockerfile

If you'd like to have a production Logstash image with a pre-baked configuration file, use of a Dockerfile is recommended:

FROM logstash

COPY logstash.conf /some/config-dir/

CMD ["-f", "/some/config-dir/logstash.conf"]

Then, build with docker build -t my-logstash . and deploy with something like the following:

$ docker run -d my-logstash

Installing plugins

If you need to add any logstash plugins that do not ship with Logstash by default, the simplest solution is a Dockerfile using logstash-plugin included with Logsatsh. You can also pack in your customized config file.

FROM logstash:5

RUN logstash-plugin install logstash-filter-de_dot

COPY logstash.conf /some/config-dir/

CMD ["-f", "/some/config-dir/logstash.conf"]

Then, build with docker build -t my-logstash . and deploy just like the previous example:

$ docker run -d my-logstash

Image Variants

The logstash images come in many flavors, each designed for a specific use case.


This is the defacto image. If you are unsure about what your needs are, you probably want to use this one. It is designed to be used both as a throw away container (mount your source code and start the container to start your app), as well as the base to build other images off of.


This image is based on the popular Alpine Linux project, available in the alpine official image. Alpine Linux is much smaller than most distribution base images (~5MB), and thus leads to much slimmer images in general.

This variant is highly recommended when final image size being as small as possible is desired. The main caveat to note is that it does use musl libc instead of glibc and friends, so certain software might run into issues depending on the depth of their libc requirements. However, most software doesn't have an issue with this, so this variant is usually a very safe choice. See this Hacker News comment thread for more discussion of the issues that might arise and some pro/con comparisons of using Alpine-based images.

To minimize image size, it's uncommon for additional related tools (such as git or bash) to be included in Alpine-based images. Using this image as a base, add the things you need in your own Dockerfile (see the alpine image description for examples of how to install packages if you are unfamiliar).


View license information for the software contained in this image.

Supported Docker versions

This image is officially supported on Docker version 17.03.0-ce.

Support for older versions (down to 1.6) is provided on a best-effort basis.

Please see the Docker installation documentation for details on how to upgrade your Docker daemon.

User Feedback


If you have any problems with or questions about this image, please contact us through a GitHub issue. If the issue is related to a CVE, please check for a cve-tracker issue on the official-images repository first.

You can also reach many of the official image maintainers via the #docker-library IRC channel on Freenode.


You are invited to contribute new features, fixes, or updates, large or small; we are always thrilled to receive pull requests, and do our best to process them as fast as we can.

Before you start to code, we recommend discussing your plans through a GitHub issue, especially for more ambitious contributions. This gives other contributors a chance to point you in the right direction, give you feedback on your design, and help you find out if someone else is working on the same thing.


Documentation for this image is stored in the logstash/ directory of the docker-library/docs GitHub repo. Be sure to familiarize yourself with the repository's file before attempting a pull request.

Docker Pull Command

Comments (25)
a month ago

Unable to mount configuration file with 5.2.0.

$ ls -alh ./logstash.conf
-rw-rw-r--. 1 me me 42 Feb 10 11:33 ./logstash.conf

$ docker run -it --rm -v $PWD:/config-dir logstash -f /config-dir/logstash.conf
Sending Logstash's logs to /var/log/logstash which is now configured via
16:40:06.786 [main] INFO logstash.setting.writabledirectory - Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
16:40:06.804 [LogStash::Runner] INFO logstash.agent - No persistent UUID file found. Generating new UUID {:uuid=>"32e6b457-5287-4cb9-8e0a-ac398d570962", :path=>"/var/lib/logstash/uuid"}
16:40:06.868 [LogStash::Runner] INFO logstash.agent - No config files found in path {:path=>"/config-dir/logstash.conf"}
16:40:06.871 [LogStash::Runner] ERROR logstash.agent - failed to fetch pipeline configuration {:message=>"No config files found: /config-dir/logstash.conf. Can you make sure this path is a logstash config file?"}

4 months ago

how to config redis-sentinel for input and output?

4 months ago

The default entry of logstash isn't publishing the schema <- ELK stack with a workaround

5 months ago

Could you please release the new 5.0.0-beta1 version? Thanks!

7 months ago

What's the best procedure for including extra plugins? For example, I need to install an sflow plugin - but only the logstash.conf is persistent so it won't stick between restarts. I'd like to avoid tinkering with the dockerfile if possible.

7 months ago

this thing should probably allow setting an environment variable for the config file and use that...

7 months ago

Here is an example of using Logstash with Logspout to aggregate docker container logs (docker-compose example provided):

7 months ago

Regarding Compose, you can also specify a command under your logstash service: command: logstash -f myconfigfile.conf. (Idea from deviantony's ELK project:

7 months ago

@radioflash Logstash is actually in alpha version and seems to need a tty to run. But tty is causing problem to docker-compose. So, you can add "TERM: xterm" as a workaround to your service/container properties in your docker-compose.yml file

a year ago

It looks like this is impossible to use from docker-compose? As it doesn't support passing arguments. Is there another way I can tell logstash where the config file is, perhaps an environment variable?