Send data via Docker to your Logstash instance provided by


Collect and ship Docker container application logs to Logstash and Elasticsearch.

Filebeat is a lightweight shipper that enables you to send your Docker container application logs to Logstash and Elasticsearch. Configure Filebeat using the pre-defined examples below to start sending and analysing your Docker application logs.

Step 1 - Install Filebeat

deb (Debian/Ubuntu/Mint)

curl -L -O
sudo dpkg -i filebeat-oss-7.6.2-amd64.deb

rpm (CentOS/RHEL/Fedora)

curl -L -O
sudo rpm -vi filebeat-oss-7.6.2-x86_64.rpm


  • Download the Filebeat Windows zip file from the official downloads page.
  • Extract the contents of the zip file into C:\Program Files.
  • Rename the filebeat-<version>-windows directory to Filebeat.
  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
  • Run the following commands to install Filebeat as a Windows service:
PS > cd 'C:\Program Files\Filebeat'
PS C:\Program Files\Filebeat> .\install-service-filebeat.ps1`
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1.
My OS isn't here! Don't see your system? Check out the official downloads page for more options (including 32-bit versions).

Step 2 - Locate The Configuration File



Change the owner of the filebeat.yml file to root to allow access to the docker container logs.

sudo chown root:root filebeat.yml
ls -la

Skip this step if you are using windows.

Step 3 - Configure The Inputs


On Linux we want filebeat to read the container logs from /var/lib/docker/containers/*/*.log which is where docker's container logs are stored, this is handled by default.

Add to your filebeat.inputs section the docker type.

- type: docker
    - '*'


On Windows we want filebeat to read the container logs from C:\ProgramData\docker\containers\

- type: docker
  ids: - '*'
  path: C:\ProgramData\docker\containers\

If you do not want to read all container logs then you can specify the continer ID to logs from specific containers.

Step 4 - Configure Output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true

Step 5 - Validate Configuration

Let's check the configuration file is syntactically correct.


sudo filebeat -e -c /etc/filebeat/filebeat.yml


filebeat.exe -e -c filebeat.yml

Step 6 - Start Filebeat

Ok, time to start ingesting data!


sudo systemctl enable filebeat
sudo systemctl start filebeat


Start-Service filebeat
expand view

Expand View

compact view

Compact View

Return to Search
Sign Up