Summary: Easy to use configuration for running and integrating ELK stack with Docker Enterprise Edition. The goal here is to ship docker engine and container/service logs to ELK. This can be done using the following steps:
Step 1 On a separate/dedicated node for ELK (recommended to be outside of the Docker EE cluster), run the following:
$ docker swarm init # this would allow us to run services on this node
$ git clone https://github.com/nicolaka/elk-dee.git
$ cd elk-dee
$ docker stack deploy -c elk-docker-compose.yml elk
Step 2: Set up Docker cluster logging
You need to set up Docker daemon logging configuration to default to using journald. The reason we're doing this is to ensure that you can have a local copy of the logs to be able to use docker logs and docker service logs.
This is the recommended logging configuration to place in/etc/docker/daemon.json:
{
"log-driver": "journald",
"log-level": "debug",
"log-opts": {
"tag":"{{.ImageName}}/{{.Name}}/{{.ID}}"
}
}
Make sure you restart or SIGHUP the Docker daemon after you change these configs.
Step 3 Stream all Docker logs to ELK
This is done using a tool called journalbeat. A modified version of it that we're using to work with Docker can be found here.
We will run journalbeat as a global service in our Docker cluster. This requires that you configure Step 2 before hand.
On one of the Docker manager nodes run the following:
$ git clone https://github.com/nicolaka/elk-dee.git
$ cd elk-dee
$ export LOGSTASH_HOST=<ELK NODE IP or DNS>
$ docker stack deploy -c journalbeat-docker-compose.yml journalbeat
Step 4: Proceed to access Kibana at http://<ELK_IP_ADDRESS>:5601. Enjoy!