Without Filebeat: How to Ship Multi-Node Docker Container Logs to Logstash in an Elastic Cloud ELK Stack
Great question—totally get why you don’t want to clutter your app containers with Filebeat; keeping concerns separated is core to Docker’s design. Here are the most clean, scalable approaches to get your container logs into Logstash without modifying your app images:
1. Use Docker’s Built-in Logstash Logging Driver
Docker has a native logstash driver that lets containers send logs directly to your Logstash server, no extra tools needed inside the app container.
Setup Steps:
- For individual containers: When starting a container, add these flags to route logs to Logstash:

  ```bash
  docker run --log-driver logstash \
    --log-opt logstash-address=tcp://<your-logstash-host>:5000 \
    --log-opt tag="my-app-container" \
    your-app-image
  ```

- Global configuration (all containers): Edit your Docker daemon config (/etc/docker/daemon.json) to set this as the default:

  ```json
  {
    "log-driver": "logstash",
    "log-opts": {
      "logstash-address": "tcp://<your-logstash-host>:5000",
      "tag": "{{.Name}}/{{.ID}}"
    }
  }
  ```

  Then restart the Docker daemon:

  ```bash
  systemctl restart docker
  ```
On Logstash Side:
Configure a TCP input to receive these logs:
```
input {
  tcp {
    port => 5000
    codec => json_lines
  }
}
```
Pros & Cons:
- ✅ No extra containers or tools to manage
- ❌ Limited filtering/processing capabilities (no multiline log support out of the box)
- ❌ Less control over log enrichment compared to dedicated shippers
2. Deploy a Global Filebeat Service (Docker Swarm)
This is my go-to approach for ELK stack setups—it leverages Filebeat’s strength in log processing while keeping your app containers clean. You’ll run a single Filebeat container per node (via Docker Swarm global mode) that reads directly from Docker’s log directory.
Setup Steps:
- Create a Filebeat config file (filebeat.yml):

  ```yaml
  filebeat.inputs:
    - type: container
      paths:
        - /var/lib/docker/containers/*/*.log

  processors:
    - add_docker_metadata: ~  # Adds container name, labels, image info to logs

  output.logstash:
    hosts: ["<your-logstash-host>:5044"]
  ```

- Deploy as a global Swarm service:

  ```bash
  docker service create \
    --name filebeat \
    --mode global \
    --mount type=bind,source=/var/lib/docker/containers,target=/var/lib/docker/containers,readonly \
    --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock,readonly \
    --mount type=bind,source=$(pwd)/filebeat.yml,target=/usr/share/filebeat/filebeat.yml \
    docker.elastic.co/beats/filebeat:8.10.0  # Use your ELK stack version
  ```
On Logstash Side:
Configure a Beats input:
```
input {
  beats {
    port => 5044
  }
}
```
Pros & Cons:
- ✅ Full access to Filebeat’s features (multiline merging, filtering, log enrichment)
- ✅ Scales automatically as you add nodes (global mode ensures one per node)
- ✅ No changes needed to your app containers
- ⚠️ Requires Docker Swarm (or you can manually run a Filebeat container on each node if not using Swarm)
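
What a node-level shipper has to do with the files under /var/lib/docker/containers, as an added Python example (not part of the original answer and not Filebeat's own code): parse Docker json-file records, join the fragments of a line Docker split, and frame each event as one JSON object per line. It assumes containers use the json-file log driver; the sample records, the container ID and the function names are constructed for illustration.

```python
import json

# Constructed sample of a Docker json-file log (not captured from a real host).
# Records 2 and 3 are one application line that Docker split: a record whose
# "log" value has no trailing newline is a partial line.
SAMPLE = "\n".join([
    '{"log":"GET /health 200\\n","stream":"stdout","time":"2024-01-01T00:00:00.000000001Z"}',
    '{"log":"Traceback: very long ","stream":"stderr","time":"2024-01-01T00:00:01.000000001Z"}',
    '{"log":"line continues\\n","stream":"stderr","time":"2024-01-01T00:00:01.000000002Z"}',
    'not json at all',
]) + "\n"


def reassemble(raw, container_id):
    """Yield one event dict per complete application log line."""
    pending = {}  # stream name -> fragments of a line that is still open
    for line in raw.splitlines():
        try:
            rec = json.loads(line)
            text, stream, ts = rec["log"], rec["stream"], rec["time"]
        except (ValueError, KeyError, TypeError):
            # Keep unparseable input visible instead of dropping it silently.
            yield {"container_id": container_id, "parse_error": True, "raw": line}
            continue
        pending.setdefault(stream, []).append(text)
        if text.endswith("\n"):
            # Line is complete; the event takes the last fragment's timestamp.
            yield {"container_id": container_id, "stream": stream, "@timestamp": ts,
                   "message": "".join(pending.pop(stream)).rstrip("\n")}


def to_json_lines(events):
    """Serialize events as newline-delimited JSON, one object per line."""
    # json.dumps escapes control characters, so a message cannot break the framing.
    return "".join(json.dumps(e) + "\n" for e in events).encode("utf-8")


if __name__ == "__main__":
    print(to_json_lines(reassemble(SAMPLE, "abc123")).decode(), end="")
```

Fragments are tracked per stream so interleaved stdout and stderr records do not get merged into one message.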
3. Use Fluentd as an Intermediate Shipper
If you’re already using Fluentd in your stack, or need advanced log routing, this works well. Docker has a native fluentd log driver that sends logs to a local Fluentd container, which then forwards to Logstash.
Setup Steps:
- Deploy Fluentd as a global Swarm service (with a config that forwards to Logstash):
  Create a fluent.conf:

  ```
  <source>
    @type docker
    tag docker.*
    path /var/lib/docker/containers/*/*.log
    pos_file /var/log/fluentd-docker.pos
    read_from_head true
  </source>

  <match docker.**>
    @type logstash
    host <your-logstash-host>
    port 5000
    codec json
  </match>
  ```

  Then deploy:

  ```bash
  docker service create \
    --name fluentd \
    --mode global \
    --mount type=bind,source=/var/lib/docker/containers,target=/var/lib/docker/containers,readonly \
    --mount type=bind,source=$(pwd)/fluent.conf,target=/fluentd/etc/fluent.conf \
    fluent/fluentd:v1.16-debian-1
  ```

- Configure Docker to use the fluentd driver:

  Update /etc/docker/daemon.json:

  ```json
  {
    "log-driver": "fluentd",
    "log-opts": {
      "fluentd-address": "localhost:24224"
    }
  }
  ```

  Restart Docker:

  ```bash
  systemctl restart docker
  ```
Pros & Cons:
- ✅ Advanced log routing and filtering capabilities
- ✅ Works well with multi-tool logging stacks
- ❌ Adds an extra layer of complexity compared to the Filebeat approach
Final Recommendations
If you’re fully invested in the ELK ecosystem, the global Filebeat service is the best choice—it’s robust, integrates seamlessly with Logstash, and keeps your app containers focused on their core job. The Docker logstash driver is great for simple setups where you don’t need advanced processing.
The question behind this content comes from Stack Exchange; it was asked by Ashok Reddy.




