Running Logstash on Dockeredit

Docker images for Logstash are available from the Elastic Docker registry.

The base image is centos:7 and the source code can be found on GitHub.

The images are shipped with X-Pack installed.

Pulling the imageedit

Obtaining Logstash for Docker is as simple as issuing a docker pull command against the Elastic Docker registry.

The Docker image for Logstash 5.6.1 can be retrieved with the following command:

docker pull

Configuring Logstash for Dockeredit

Logstash differentiates between two types of configuration: Settings and Pipeline Configuration.

Pipeline Configurationedit

It is essential to place your pipeline configuration where it can be found by Logstash. By default, the container will look in /usr/share/logstash/pipeline/ for pipeline configuration files.

In this example we use a bind-mounted volume to provide the configuration via the docker run command:

docker run --rm -it -v ~/pipeline/:/usr/share/logstash/pipeline/

Every file in the host directory ~/pipeline/ will then be parsed by Logstash as pipeline configuration.

If you don’t provide configuration to Logstash, it will run with a minimal config that listens for messages from the Beats input plugin and echoes any that are received to stdout. In this case, the startup logs will be similar to the following:

Sending Logstash logs to /usr/share/logstash/logs which is now configured via
[2016-10-26T05:11:34,992][INFO ][    ] Beats inputs: Starting input listener {:address=>""}
[2016-10-26T05:11:35,068][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
[2016-10-26T05:11:35,078][INFO ][] Starting server on port: 5044
[2016-10-26T05:11:35,078][INFO ][logstash.pipeline        ] Pipeline main started
[2016-10-26T05:11:35,105][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

This is the default configuration for the image, defined in /usr/share/logstash/pipeline/logstash.conf. If this is the behaviour that you are observing, ensure that your pipeline configuration is being picked up correctly, and that you are replacing either logstash.conf or the entire pipeline directory.


The image provides several methods for configuring settings. The conventional approach is to provide a custom logstash.yml file, but it’s also possible to use environment variables to define settings.

Bind-mounted settings filesedit

Settings files can also be provided through bind-mounts. Logstash expects to find them at /usr/share/logstash/config/.

It’s possible to provide an entire directory containing all needed files:

docker run --rm -it -v ~/settings/:/usr/share/logstash/config/

Alternatively, a single file can be mounted:

docker run --rm -it -v ~/settings/logstash.yml:/usr/share/logstash/config/logstash.yml

Bind-mounted configuration files will retain the same permissions and ownership within the container that they have on the host system. Be sure to set permissions such that the files will be readable and, ideally, not writeable by the container’s logstash user (UID 1000).

Custom Imagesedit

Bind-mounted configuration is not the only option, naturally. If you prefer the Immutable Infrastructure approach, you can prepare a custom image containing your configuration by using a Dockerfile like this one:

RUN rm -f /usr/share/logstash/pipeline/logstash.conf
ADD pipeline/ /usr/share/logstash/pipeline/
ADD config/ /usr/share/logstash/config/

Be sure to replace or delete logstash.conf in your custom image, so that you don’t retain the example config from the base image.

Environment variable configurationedit

Under Docker, Logstash settings can be configured via environment variables. When the container starts, a helper process checks the environment for variables that can be mapped to Logstash settings. Settings that are found in the environment are merged into logstash.yml as the container starts up.

For compatibility with container orchestration systems, these environment variables are written in all capitals, with underscores as word separators

Some example translations are shown here:

Table 1. Example Docker Environment Variables

Environment Variable

Logstash Setting







In general, any setting listed in the settings documentation can be configured with this technique.


Defining settings with environment variables causes logstash.yml to be modified in place. This behaviour is likely undesirable if logstash.yml was bind-mounted from the host system. Thus, it is not reccomended to combine the bind-mount technique with the environment variable technique. It is best to choose a single method for defining Logstash settings.

Logging Configurationedit

Under Docker, Logstash logs go to standard output by default. To change this behaviour, use any of the techniques above to replace the file at /usr/share/logstash/config/