Public | Automated Build

Last pushed: 7 days ago
Short Description
Collect, search and visualise log data with Elasticsearch, Logstash, Kibana, and X-Pack.
Full Description

Elasticsearch, Logstash, Kibana, X-Pack (ELKX) Docker image

This Docker image provides a convenient centralised log server and log management web interface, by packaging Elasticsearch, Logstash, and Kibana, collectively known as ELK, and extends this stack with X-Pack, which bundles security, alerting, monitoring, reporting, and graph capabilities.

This image is hosted on Docker Hub at

The following tags are available:

  • 542, latest: ELKX 5.4.2.

  • 541: ELKX 5.4.1.

  • 540: ELKX 5.4.0.

  • 532: ELKX 5.3.2.

  • 531: ELKX 5.3.1.

  • 530: ELKX 5.3.0.

  • 522: ELKX 5.2.2.

  • 521: ELKX 5.2.1.

  • 520: ELKX 5.2.0.

  • 512: ELKX 5.1.2.

  • 511: ELKX 5.1.1.

  • 502: ELKX 5.0.2.

Usage notes

This image extends the sebp/elk image, so unless otherwise noted below the documentation for the seb/elk image applies.


This image uses the default configuration of X-Pack, meaning that out of the box, two users are built in:

  • elastic, a superuser,

  • kibana, a basic Kibana user that can't do much.

Their default password is changeme.

In order to create a dummy log entry in Elasticsearch using the elastic superuser account, docker exec inside the running container (see the Creating a dummy log entry section of the ELK Docker image documentation), and use the following command instead of the original one:

# /opt/logstash/bin/logstash -e 'input { stdin { } } output { elasticsearch { hosts => ["localhost"] user => "elastic" password => "changeme" } }'

This entry can then be viewed by logging into Kibana as elastic (password: changeme).

To run the example Filebeat set-up with ELKX, use the nginx-filebeat subdirectory of the source Git repository on GitHub, which has been updated from the original example to work with X-Pack, and log in to Kibana as elastic (password: changeme) to view the logs.

Security considerations

X-Pack allows for a secured set-up of the ELK stack, but by default this image is insecure (default passwords, no message authentication, no auditing, default certificates).

See the X-Pack documentation on Getting Started with Security for guidance on how to secure ELK with X-Pack.


In order for the container to display the proper log files for the running Elasticsearch cluster, it retrieves the name of the cluster by querying Elasticsearch at start-up (in the start-up script). With an X-Pack-enabled set-up, this request needs to be authenticated, and uses elastic with the default password to do this.

Therefore, if the password is changed, the start-up script will fail. Possible workarounds include :

  • Extending the image to dynamically use an environment-variable-provided password.

  • Setting the cluster name with the CLUSTER_NAME environment variable (see documentation for the sebp/elk image), to avoid querying Elasticsearch at start-up time.

In the same way, the Elasticsearch output Logstash plugin configuration file (30-output.conf) contains the hardcoded username and password for elastic to send log data to Elasticsearch, and will no longer work if another user/password needs to be used. Similar means as those suggested above can be used.


Written by Sébastien Pujadas, released under the Apache 2 license.

Docker Pull Command
Source Repository

Comments (0)