Official Repository

Last pushed: 2 days ago
Short Description
Logstash is a tool for managing events and logs.
Full Description

Supported tags and respective Dockerfile links

For more information about this image and its history, please see the relevant manifest file (library/logstash). This image is updated via pull requests to the docker-library/official-images GitHub repo.

For detailed information about the virtual/transfer sizes and individual layers of each of the above supported tags, please see the repos/logstash/tag-details.md file in the docker-library/repo-info GitHub repo.

What is Logstash?

Logstash is a tool that can be used to collect, process and forward events and log messages. Collection is accomplished via number of configurable input plugins including raw socket/packet communication, file tailing and several message bus clients. Once an input plugin has collected data it can be processed by any number of filters which modify and annotate the event data. Finally events are routed to output plugins which can forward the events to a variety of external programs including Elasticsearch, local files and several message bus implementations.

wikitech.wikimedia.org/wiki/Logstash

How to use this image

Start Logstash with commandline configuration

If you need to run logstash with configuration provided on the commandline, you can use the logstash image as follows:

$ docker run -it --rm logstash -e 'input { stdin { } } output { stdout { } }'

Start Logstash with configuration file

If you need to run logstash with a configuration file, logstash.conf, that's located in your current directory, you can use the logstash image as follows:

$ docker run -it --rm -v "$PWD":/config-dir logstash -f /config-dir/logstash.conf

Using a Dockerfile

If you'd like to have a production Logstash image with a pre-baked configuration file, use of a Dockerfile is recommended:

FROM logstash

COPY logstash.conf /some/config-dir/

CMD ["-f", "/some/config-dir/logstash.conf"]

Then, build with docker build -t my-logstash . and deploy with something like the following:

$ docker run -d my-logstash

Installing plugins

If you need to add any logstash plugins that do not ship with Logstash by default, the simplest solution is a Dockerfile using logstash-plugin included with Logsatsh. You can also pack in your customized config file.

FROM logstash:5

RUN logstash-plugin install logstash-filter-de_dot

COPY logstash.conf /some/config-dir/

CMD ["-f", "/some/config-dir/logstash.conf"]

Then, build with docker build -t my-logstash . and deploy just like the previous example:

$ docker run -d my-logstash

Image Variants

The logstash images come in many flavors, each designed for a specific use case.

logstash:<version>

This is the defacto image. If you are unsure about what your needs are, you probably want to use this one. It is designed to be used both as a throw away container (mount your source code and start the container to start your app), as well as the base to build other images off of.

logstash:alpine

This image is based on the popular Alpine Linux project, available in the alpine official image. Alpine Linux is much smaller than most distribution base images (~5MB), and thus leads to much slimmer images in general.

This variant is highly recommended when final image size being as small as possible is desired. The main caveat to note is that it does use musl libc instead of glibc and friends, so certain software might run into issues depending on the depth of their libc requirements. However, most software doesn't have an issue with this, so this variant is usually a very safe choice. See this Hacker News comment thread for more discussion of the issues that might arise and some pro/con comparisons of using Alpine-based images.

To minimize image size, it's uncommon for additional related tools (such as git or bash) to be included in Alpine-based images. Using this image as a base, add the things you need in your own Dockerfile (see the alpine image description for examples of how to install packages if you are unfamiliar).

License

View license information for the software contained in this image.

Supported Docker versions

This image is officially supported on Docker version 1.13.0.

Support for older versions (down to 1.6) is provided on a best-effort basis.

Please see the Docker installation documentation for details on how to upgrade your Docker daemon.

User Feedback

Issues

If you have any problems with or questions about this image, please contact us through a GitHub issue. If the issue is related to a CVE, please check for a cve-tracker issue on the official-images repository first.

You can also reach many of the official image maintainers via the #docker-library IRC channel on Freenode.

Contributing

You are invited to contribute new features, fixes, or updates, large or small; we are always thrilled to receive pull requests, and do our best to process them as fast as we can.

Before you start to code, we recommend discussing your plans through a GitHub issue, especially for more ambitious contributions. This gives other contributors a chance to point you in the right direction, give you feedback on your design, and help you find out if someone else is working on the same thing.

Documentation

Documentation for this image is stored in the logstash/ directory of the docker-library/docs GitHub repo. Be sure to familiarize yourself with the repository's README.md file before attempting a pull request.

Docker Pull Command

Comments (25)
colinlee
17 days ago

logstash:5-alpine image can't run any input mode exclude stdin mode,errors show:
NotImplementedError: stat.st_dev unsupported or native support failed to load
dev_major at org/jruby/RubyFileStat.java:214
nix_inode at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:28
inode at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:32
inode at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:106
discover at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:268
_discover_file at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:313
each at org/jruby/RubyArray.java:1613
each at org/jruby/RubyEnumerator.java:274
_discover_file at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:304
discover at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:267
each at org/jruby/RubyArray.java:1613
discover at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:266
call at org/jruby/RubyProc.java:281
synchronized at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:357
synchronize at org/jruby/ext/thread/Mutex.java:149
synchronized at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:357
discover at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:265
subscribe at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/watch.rb:284
subscribe at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/filewatch-0.9.0/lib/filewatch/observing_tail.rb:23
subscribe at /usr/share/logstash/vendor/jruby/lib/ruby/1.9/forwardable.rb:201
run at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-file-4.0.0/lib/logstash/inputs/file.rb:313
inputworker at /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:365
start_input at /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:359

kaybinwong
2 months ago

how to config redis-sentinel for input and output?

thedockerbook
2 months ago

The default entry of logstash isn't publishing the schema
https://github.com/sjeeva/elk <- ELK stack with a workaround

nikwil
3 months ago

Could you please release the new 5.0.0-beta1 version? Thanks!

williamayerst
4 months ago

What's the best procedure for including extra plugins? For example, I need to install an sflow plugin - but only the logstash.conf is persistent so it won't stick between restarts. I'd like to avoid tinkering with the dockerfile if possible.

sxpert
5 months ago

this thing should probably allow setting an environment variable for the config file and use that...

bekt
5 months ago

Here is an example of using Logstash with Logspout to aggregate docker container logs (docker-compose example provided): https://hub.docker.com/r/bekt/logspout-logstash/

pydolan
5 months ago

Regarding Compose, you can also specify a command under your logstash service: command: logstash -f myconfigfile.conf. (Idea from deviantony's ELK project: https://github.com/deviantony/docker-elk/blob/master/docker-compose.yml)

rodolpheche
5 months ago

@radioflash Logstash is actually in alpha version and seems to need a tty to run. But tty is causing problem to docker-compose. So, you can add "TERM: xterm" as a workaround to your service/container properties in your docker-compose.yml file

radioflash
8 months ago

It looks like this is impossible to use from docker-compose? As it doesn't support passing arguments. Is there another way I can tell logstash where the config file is, perhaps an environment variable?