This is a short HowTo for running Logstash in Docker as a syslog relay. We’re using Ubuntu 22.04.
Install Docker and create our directory structure:
apt install docker docker.io
mkdir -p ~/logstash/config/ ~/logstash/pipeline/
Create the Dockerfile “~/Dockerfile” (the COPY paths below are relative to this directory, which is the build context):
# The image to use:
FROM docker.elastic.co/logstash/logstash:8.15.0

# Remove the pre-existing config file from within the docker image, and install dependencies:
RUN rm -f /usr/share/logstash/pipeline/logstash.conf && \
    bin/logstash-plugin install logstash-output-syslog && \
    bin/logstash-plugin install logstash-input-syslog

# Copy the new configuration files into place within the docker image:
COPY logstash/pipeline/ /usr/share/logstash/pipeline/
COPY logstash/config/ /usr/share/logstash/config/

# Expose the Syslog input:
EXPOSE 10514/tcp
EXPOSE 10514/udp
Create the configuration file “logstash/config/logstash.yml”:
node.name: my-syslog-project
api.environment: dev
Create the pipelines file “logstash/config/pipelines.yml”. This is not the pipeline itself; it only registers the pipeline and points Logstash at its configuration file:
- pipeline.id: my-syslog-pipeline
  path.config: "/usr/share/logstash/pipeline/syslog.conf"
Create the pipeline file that will be copied into the docker image, “~/logstash/pipeline/syslog.conf”:
vi ~/logstash/pipeline/syslog.conf
The following is an example Logstash pipeline. It accepts input in the Syslog format (listening on TCP and UDP port 10514 rather than 514), leaves an empty filter block where timestamp manipulation or other filtering can be added, and then forwards each log to another Syslog server.
input {
  tcp {
    port => 10514
    type => syslog
  }
  udp {
    port => 10514
    type => syslog
  }
}

filter {
}

output {
  syslog {
    host => "syslog.example.local"
    port => 514
    protocol => "tcp"
  }
  # Uncomment the following for debugging.
  # stdout {}
}
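The filter block above is left empty. As an added illustration (not part of the original HowTo or of Logstash), the following stand-alone Python parser does what a syslog filter stage typically does to each message the relay receives: it splits the PRI value into facility and severity, and normalizes the year-less RFC 3164 timestamp to ISO 8601 using a caller-supplied year. The sample lines are constructed, taken from the format's own examples.

```python
import re
from datetime import datetime, timezone

# RFC 3164 message layout: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split PRI into (facility, severity): PRI = facility * 8 + severity, 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_syslog(line, year):
    """Parse one RFC 3164 line into a dict.

    The legacy format carries no year, so the receiver has to supply one
    (a Logstash date filter makes the same assumption).
    """
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    facility, severity = decode_pri(int(m["pri"]))
    # Normalize "Oct 11 22:14:15" to an ISO 8601 UTC timestamp.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "facility": facility,
        "severity": SEVERITIES[severity],
        "timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


if __name__ == "__main__":
    # Constructed sample messages in RFC 3164 form.
    for sample in ("<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
                   "<13>Feb  5 17:32:18 10.0.0.99 myproc[10]: Use the BFG!"):
        print(parse_syslog(sample, 2024))
```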
Build the new image from your home directory, which holds both the Dockerfile and the logstash/ directory. Replace “my-syslog-logstash” with an appropriate name for your image:
docker build -t my-syslog-logstash .
Start it using the following command:
docker run -p 10514:10514/tcp -p 10514:10514/udp -t my-syslog-logstash
At this point we have a docker container listening on UDP and TCP port 10514, and forwarding those logs (after the filter stage) to an upstream syslog server on TCP port 514.