Docker image for Logstash Forwarder, formerly known as lumberjack.
Switch branches/tags
Nothing to show
Clone or download
willdurand Merge pull request #2 from stlorenz/master
Correct Link fpr lc-tls cert
Latest commit 6034486 Mar 1, 2016
Failed to load latest commit information.
Dockerfile Initial commit Dec 13, 2014 Correct Link Feb 27, 2016

Docker Logstash Forwarder

Docker image for Logstash Forwarder, formerly known as lumberjack.


In order to use this image, you MUST create an SSL certificate, and configure Logstash Forwarder using a config.json file. This configuration file MUST be named config.json and MUST be located in /etc/logstash-forwarder.

SSL Certificate

If you want to generate self-signed SSL certificates and use an IP address rather than a DNS record to point to your logstash server(s), then you SHOULD use this lc-tlscert tool:

$ wget
$ go run lc-tlscert.go

Copy the generated selfsigned.{crt,key} files to the logstash-forwarder server and to the logstash server.

Logstash Forwarder Configuration

Below is a basic configuration for Logstash Forwarder:

    "network": {
        "servers": [ "" ],
        "ssl certificate": "/etc/ssl/selfsigned.crt",
        "ssl key": "/etc/ssl/selfsigned.key",
        "ssl ca": "/etc/ssl/selfsigned.crt"
    "files": [
            "paths":  [ "/var/log/nginx/access.log" ],
            "fields": { "type": "nginx-access" }


Let's say your selfsigned.{crt,key} files are located in /path/to/your/ssl/files, and your config.json file is in /path/to/your/config/file.

You can start forwarding nginx logs to your logstash server by running the following command:

$ docker run \
    --volume /path/to/your/ssl/files:/etc/ssl \
    --volume /path/to/your/config/file:/etc/logstash-forwarder \
    --volume /var/log/nginx:/var/log/nginx \

However, this solution is not satisfying as you have to mount a host directory as a volume. A better approach would be to use a data-only container with a /var/log/nginx volume:

$ docker run \
    --volume /path/to/your/ssl/files:/etc/ssl \
    --volume /path/to/your/config/file:/etc/logstash-forwarder \
    --volume-from logs \

Using Docker Compose

  image: willdurand/logstash-forwarder
    - /path/to/your/ssl/files:/etc/ssl
    - /path/to/your/config/file:/etc/logstash-forwarder
    - logs

  image: busybox
    - /var/log/nginx

Extend It

One of the Docker best practices is to avoid mapping a host folder to a container volume. Instead of specifying a volume, it is recommended to use this image as base image and configure your own image.