Public | Automated Build

Last pushed: 17 days ago
Short Description
Collect, search and visualise log data with Elasticsearch, Logstash, and Kibana.
Full Description

Elasticsearch, Logstash, Kibana (ELK) Docker image

This Docker image provides a convenient centralised log server and log management web interface, by packaging Elasticsearch, Logstash, and Kibana, collectively known as ELK.

The following tags are available:

  • latest, 540: ELK 5.4.0.

  • 532: ELK 5.3.2.

  • 531: ELK 5.3.1.

  • 530: ELK 5.3.0.

  • 522: ELK 5.2.2.

  • 521: ELK 5.2.1.

  • 520: ELK 5.2.0.

  • 512: ELK 5.1.2.

  • 511: ELK 5.1.1.

  • 502: ELK 5.0.2.

  • es501_l501_k501: ELK 5.0.1.

  • es500_l500_k500: ELK 5.0.0.

  • es241_l240_k461: Elasticsearch 2.4.1, Logstash 2.4.0, and Kibana 4.6.1.

  • es240_l240_k460: Elasticsearch 2.4.0, Logstash 2.4.0, and Kibana 4.6.0.

  • es235_l234_k454: Elasticsearch 2.3.5, Logstash 2.3.4, and Kibana 4.5.4.

  • es234_l234_k453: Elasticsearch 2.3.4, Logstash 2.3.4, and Kibana 4.5.3.

  • es234_l234_k452: Elasticsearch 2.3.4, Logstash 2.3.4, and Kibana 4.5.2.

  • es233_l232_k451: Elasticsearch 2.3.3, Logstash 2.3.2, and Kibana 4.5.1.

  • es232_l232_k450: Elasticsearch 2.3.2, Logstash 2.3.2, and Kibana 4.5.0.

  • es231_l231_k450: Elasticsearch 2.3.1, Logstash 2.3.1, and Kibana 4.5.0.

  • es230_l230_k450: Elasticsearch 2.3.0, Logstash 2.3.0, and Kibana 4.5.0.

  • es221_l222_k442: Elasticsearch 2.2.1, Logstash 2.2.2, and Kibana 4.4.2.

  • es220_l222_k441: Elasticsearch 2.2.0, Logstash 2.2.2, and Kibana 4.4.1.

  • es220_l220_k440: Elasticsearch 2.2.0, Logstash 2.2.0, and Kibana 4.4.0.

  • E1L1K4: Elasticsearch 1.7.3, Logstash 1.5.5, and Kibana 4.1.2.

Note – See the documentation page for more information on pulling specific combinations of versions of Elasticsearch, Logstash and Kibana.


See the ELK Docker image documentation web page for complete instructions on how to use this image.

Docker Hub

This image is hosted on Docker Hub at


Written by Sébastien Pujadas, released under the Apache 2 license.

Docker Pull Command
Source Repository

Comments (87)
8 days ago

It might be worth pointing out that this image doesn't appear to have any specific settings for http content max length, meaning it defaults to the standard 100MB.

This is an easy gotcha for anyone loading any bulk logs, so it would be useful for that to be made clear in the readme.

If I get a chance, are you entertaining PRs for extending this limit?

9 days ago

I had the same issue. It's because the current version of logstash requires the param to be set on startup and the documentation hasn't been updated to include it.

Just add it after the dummy log entry as specified on the docs (make sure the path exists first) i.e.:

/opt/logstash/bin/logstash -e 'input { stdin { } } output { elasticsearch { hosts => ["localhost"] } }' /root/data

12 days ago

Sebp/elk not running on docker with error

Im 1 problem to after install ELK stack on docker

my infrastructure:

1- Windows 10 New Creators Update
2- my laptop model: N552VX (8Gig RAM)
3- docker toolbox without prerequisites = sample java machine and more ...
and install sebp/elk on terminal docker with command : $ docker pull sebp/elk
installation successfully and not running --- > An error was pointed out that a number of errors

Plz check error !

and installing with Guide :

Will guide me so that I can have a elk stack ?

12 days ago

Very excited to see this available... thank you! :)

I'm having trouble making the first log entry.

Started via...

$ docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk

Then tried...

/opt/logstash/bin/logstash -e 'input { stdin { } } output { elasticsearch { hosts => ["localhost"] } }'

Which results in...

Sending Logstash's logs to /opt/logstash/logs which is now configured via
[2017-05-12T01:27:47,642][FATAL][logstash.runner          ] Logstash could not be started because there is already another instance using the configured data directory.  If you wish to run multiple instances, you must change the "" setting.

I don't desire to run multiple instances; I'm trying to keep this simple so I can learn just the basic.

FWIW, I also tried...

filebeat-5.4.0-darwin-x86_64 kpmi$ ./filebeat -e -c ../logstash.yml -d "publish"

...where logstash.yml is...

- input_type: log
    - /Users/kpmi/Desktop/logstash-tutorial.log 
  hosts: ["localhost:5044"]

...(all of this roughly from here), and I get (in the end) this...

2017/05/12 01:23:57.399307 output.go:109: DBG  output worker: publish 100 events
2017/05/12 01:23:57.547918 sync.go:85: ERR Failed to publish events caused by: EOF
2017/05/12 01:23:57.547948 single.go:91: INFO Error publishing events (retrying): EOF

I've tried rebuilding. I've tried setting up a volume for /var/lib/elastisearch.

Can you recommend any help?

14 days ago

Could you please allow the use of a custom PID and GID?

17 days ago

@nicocolt Sounds like a non-Docker-specific issue: may be able to help you.

21 days ago


Trying to set up SSL connection between browser and kibana does not work. When activate required parameter server.ssl.certificate and server.ssl.key in kibana.yml, kibana crashed at startup with any logs.

Certificates have been created with openssl and copied into the configured directories

kibana.yml ssl prameters

server.ssl.enabled: true
server.ssl.certificate: /etc/ssl/certs/kibana.pem
server.ssl.key: /etc/ssl/private/kibana_key.pem

Generation of certificates

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out kibana_key.pem 4096
openssl req -new -key kibana_key.pem -out kibana.csr
openssl req -new -key kibana_key.pem -out kibana.csr
openssl x509 -req -days 730 -in kibana.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out kibana.pem

Best regards,

2 months ago

@darksider15: Most probably iptables on the host should be blocking the ports.

2 months ago


I am unable to browse the webinterfaces of kibana and elasticsearch from outside the container.
Inside the container I can curl the endpoints as expected so I assume something is wrong with the port exposure.

When running sudo docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk520 sebp/elk:520 I get the following warning:

[2017-03-12T14:36:30,430][WARN ][i.n.u.i.MacAddressUtil   ] Failed to find a usable hardware address from the network interfaces; using random bytes: a5:32:36:94:53:64:cd:44                                                                                               
[2017-03-12T14:36:30,479][INFO ][o.e.t.TransportService   ] [XVjikhc] publish_address {}, bound_addresses {[::]:9300} 
[2017-03-12T14:36:30,483][INFO ][o.e.b.BootstrapChecks    ] [XVjikhc] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks                                                                                                           
[2017-03-12T14:36:33,519][INFO ][o.e.c.s.ClusterService   ] [XVjikhc] new_master {XVjikhc}{XVjikhcNR0qP1u_v9X_a1A}{B03dhKr6TYGmSLg-A94oxQ}{}{}, reason: zen-disco-elected-as-master ([0] nodes joined)                                           
[2017-03-12T14:36:33,529][INFO ][o.e.h.HttpServer         ] [XVjikhc] publish_address {}, bound_addresses {[::]:9200} 
[2017-03-12T14:36:33,529][INFO ][o.e.n.Node               ] [XVjikhc] started                                                         
[2017-03-12T14:36:33,541][INFO ][o.e.g.GatewayService     ] [XVjikhc] recovered [0] indices into cluster_state

When checking the ports from the host sudo netstat -tulpn shows the following exposed docker specific ports:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name                                      
tcp6       0      0 :::5601                 :::*                    LISTEN      3573/docker-proxy                                     
tcp6       0      0 :::9200                 :::*                    LISTEN      3582/docker-proxy                                     
tcp6       0      0 :::5044                 :::*                    LISTEN      3564/docker-proxy

If I create a dummy log entry inside the container

sudo docker exec -it elk520 /bin/bash
/opt/logstash/bin/logstash -e 'input { stdin { } } output { elasticsearch { hosts => ["localhost"] } }'

I can see the entry on ES using curl inside the container curl http://localhost:9200/_search?pretty

  "took" : 4,                                                                                                                         
  "timed_out" : false,                                                                                                                
  "_shards" : {                                                                                                                       
    "total" : 6,                                                                                                                      
    "successful" : 6,                                                                                                                 
    "failed" : 0                                                                                                                      
  "hits" : {
    "total" : 2,
    "max_score" : 1.0,
    "hits" : [
        "_index" : ".kibana",
        "_type" : "config",
        "_id" : "5.2.0",
        "_score" : 1.0,
        "_source" : {
          "buildNum" : 14695
        "_index" : "logstash-2017.03.12",
        "_type" : "logs",
        "_id" : "AVrC-68LoTNwcxoLSeM9",
        "_score" : 1.0,
        "_source" : {
          "@timestamp" : "2017-03-12T14:45:58.501Z",
          "@version" : "1",
          "host" : "ba9450f24de0",
          "message" : "dummy entry"

However I am unable to do the same outside the container.

I already tried setting the and the by hand but didn't observe any change.

sudo docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -e "" -e "" -it --name elk520 sebp/elk:520

Any help would be greatly appreciated.

3 months ago

@checkmarx2017 @atreyeegupta first port of call is
If that doesn't help then please open an issue on GitHub

@senninpo is Elasticsearch actually running? If not please look at and open an issue on GitHub as needed (with information on your set-up, the complete logs output by the image, etc.).