Unable to connect docker container to logstash via gelf driver

Question

Hi guys i'm having trouble to send my server container logs to my ELK stack. No input is sent to logstash so i'm unable to set kibana index for collecting logs. I think my problem is in the port settings.

Here is the docker-compose yml for the LAMP stack (only the server service):

version: '3'

services:
  server:
    build: ./docker/apache
    links:
      - fpm
    ports:
      - 80:80 # HTTP
      - 443:443 # HTTPS
    logging:
      driver: "gelf"
      options:
        gelf-address: "udp://127.0.0.1:5000"
        tag: "server"

And here is the docker-compose yml for the ELK stack, based on deviantony/docker-elk github project

version: '2'

services:

  elasticsearch:
    build: elasticsearch/
    volumes:
      - ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
    ports:
      - "9200:9200"
      - "9300:9300"
    environment:
      ES_JAVA_OPTS: "-Xmx256m -Xms256m"
    networks:
      - elk

  logstash:
    build: logstash/
    volumes:
      - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml
      - ./logstash/pipeline:/usr/share/logstash/pipeline
    ports:
      - "5000:5000"
    environment:
      LS_JAVA_OPTS: "-Xmx256m -Xms256m"
    networks:
      - elk
    depends_on:
      - elasticsearch

  kibana:
    build: kibana/
    volumes:
      - ./kibana/config/:/usr/share/kibana/config
    ports:
      - "5601:5601"
    networks:
      - elk
    depends_on:
      - elasticsearch

networks:

  elk:
    driver: bridge

Answer 1

I've found the mistake, i've to specify the UDP protocol in the logstash service port definition.

logstash:
  build: logstash/
  volumes:
    - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml
    - ./logstash/pipeline:/usr/share/logstash/pipeline
  ports:
    - "5000:5000/udp"
  environment:
    LS_JAVA_OPTS: "-Xmx256m -Xms256m"
  networks:
    - elk
  depends_on:
    - elasticsearch

Answer 2

You need to use the gelf input plugin. Here an example of a functioning compose file:

services:
  logstash:
    image: docker.elastic.co/logstash/logstash:5.3.1
    logging:
      driver: "json-file"
    networks:
      - logging
    ports:
      - "127.0.0.1:12201:12201/udp"
    entrypoint: logstash -e 'input { gelf { } } output { stdout{ } }'    

You can test it by running:

docker run --log-driver=gelf --log-opt gelf-address=udp://127.0.0.1:12201 ubuntu /bin/sh -c 'while true; do date "+%d-%m-%Y %H:%M:%S:%3N"; sleep 1 ; done

and checking docker logs on the logstash container.