Streaming Docker Logs to the Elastic Stack (ELK Stack) using Fluentd



Fluentd and Docker’s native logging driver for Fluentd makes it easy to stream Docker logs from multiple running containers to the Elastic Stack. In this post, we will use Fluentd to stream Docker logs from multiple instances of a Dockerized Spring Boot RESTful service and MongoDB, to the Elastic Stack (ELK).


In a recent post, Distributed Service Configuration with Consul, Spring Cloud, and Docker, we built a Consul cluster using Docker swarm mode, to host distributed configurations for a Spring Boot service. We will use the resulting swarm cluster from the previous post as a foundation for this post.


According to the Fluentd website, Fluentd is described as an open source data collector, which unifies data collection and consumption for a better use and understanding of data. Fluentd combines all facets of processing log data: collecting, filtering, buffering, and outputting logs across multiple sources and destinations. Fluentd structures data as JSON as much as possible.

Logging Drivers

Docker includes multiple logging mechanisms to get logs from running containers and services. These mechanisms are called logging drivers. Fluentd is one of the ten current Docker logging drivers. According to Docker, The fluentd logging driver sends container logs to the Fluentd collector as structured log data. Then, users can utilize any of the various output plugins, from Fluentd, to write these logs to various destinations.

Elastic Stack

The ELK Stack, now known as the Elastic Stack, is the combination of Elastic’s very popular products: Elasticsearch, Logstash, and Kibana. According to Elastic, the Elastic Stack provides real-time insights from almost any type of structured and unstructured data source.


All code for this post has been tested on both MacOS and Linux. For this post, I am provisioning and deploying to a Linux workstation, running the most recent release of Fedora and Oracle VirtualBox. If you want to use AWS or another infrastructure provider instead of VirtualBox to build your swarm, it is fairly easy to switch the Docker Machine driver and change a few configuration items in the script (see Provisioning, below).

Required Software

If you want to follow along with this post, you will need the latest versions of git, Docker, Docker Machine, Docker Compose, and VirtualBox installed.

cat /etc/*release | sed -n '1p'
# Fedora release 25 (Twenty Five)
git –version \
docker –version \
docker-compose –version \
docker-machine –version \
virtualbox –help | sed -n '1p'
# git version 2.9.3
# Docker version 17.04.0-ce, build 4845c56
# docker-compose version 1.11.2, build dfed245
# docker-machine version 0.10.0, build 76ed2a6
# Oracle VM VirtualBox Manager 5.1.18

Source Code

All source code for this post is located in two GitHub repositories. The first repository contains scripts to provision the VMs, create an overlay network and persistent host-mounted volumes, build the Docker swarm, and deploy Consul, Registrator, Swarm Visualizer, Fluentd, and the Elastic Stack. The second repository contains scripts to deploy two instances of the Widget Spring Boot RESTful service and a single instance of MongoDB. You can execute all scripts manually, from the command-line, or from a CI/CD pipeline, using tools such as Jenkins.

Provisioning the Swarm

To start, clone the first repository, and execute the single script, or execute the seven individual scripts necessary to provision the VMs, create the overlay network and host volumes, build the swarm, and deploy Consul, Registrator, Swarm Visualizer, Fluentd, and the Elastic Stack. Follow the steps below to complete this part.

git clone –depth 1 –branch fluentd \
cd microservice-docker-demo-consul/scripts/
sh ./ # single uber-script
# alternately, run the individual scripts
sh ./ # creates vms using docker machine
sh ./ # creates the swarm
sh ./ # creates overlay network and volumes
sh ./ # deploys consul to all nodes
sh ./ # deploys registrator
sh ./ # deploys fluentd, visualizer, elastic stack
sh ./ # waits/tests for all containers to start

When the scripts have completed, the resulting swarm should be configured similarly to the diagram below. Consul, Registrator, Swarm Visualizer, Fluentd, and the Elastic Stack containers should be distributed across the three swarm manager nodes and the three swarm worker nodes (VirtualBox VMs).


Deploying the Application

Next, clone the second repository, and execute the single script, or execute the four scripts necessary to deploy the Widget Spring Boot RESTful service and a single instance of MongoDB. Follow the steps below to complete this part.

git clone –depth 1 –branch fluentd \
cd ../../microservice-docker-demo-widget/scripts/
sh ./ # single uber-script
# alternately, run the individual scripts
sh ./ # pushes widget spring profiles to consul
sh ./ # deploys widget and mongodb containers
sh ./ # waits/tests for all containers to start
sh ./ # creates a series of sample widget entries

When the scripts have completed, the Widget service and MongoDB containers should be distributed across two of the three swarm worker nodes (VirtualBox VMs).


To confirm the final state of the swarm and the running container stacks, use the following Docker commands.

$ docker-machine env manager1 \
&& eval $(docker-machine env manager1)
$ docker-machine ls
manager1 * virtualbox Running tcp:// v17.04.0-ce
manager2 – virtualbox Running tcp:// v17.04.0-ce
manager3 – virtualbox Running tcp:// v17.04.0-ce
worker1 – virtualbox Running tcp:// v17.04.0-ce
worker2 – virtualbox Running tcp:// v17.04.0-ce
worker3 – virtualbox Running tcp:// v17.04.0-ce
$ docker node ls
1c7lyvega5qqwqrz0nsudfmpb * manager1 Ready Active Leader
86md2td2a1zxh4x82tp8zwnim worker2 Ready Active
iw82eojks2q82nvmdu07kz7ap manager3 Ready Active Reachable
valelhqb6p6rtvi1jw970cwfu worker3 Ready Active
vx34axhfwil16iudyba09pb38 manager2 Ready Active Reachable
xhnpumc22fht87z49y5ze3zkh worker1 Ready Active
$ docker stack ls
monitoring_stack 3
widget_stack 2
$ docker service ls
6jf2bkbu3k2w widget_stack_mongodb replicated 1/1 mongo:latest
iyu9yvs3xnly widget_stack_widget global 2/2 garystafford/microservice-docker-demo-widget:latest
rzarts0oi0se monitoring_stack_visualizer global 3/3 manomarks/visualizer:latest
yjnpg9tmcss8 monitoring_stack_fluentd global 2/2 garystafford/custom-fluentd:latest
zf0oovhzf0ow monitoring_stack_elk replicated 1/1 sebp/elk:latest

Open the Swarm Visualizer web UI, using any of the swarm manager node IPs, on port 5001, to confirm the swarm health, as well as the running container’s locations.


Lastly, open the Consul Web UI, using any of the swarm manager node IPs, on port 5601, to confirm the running container’s health, as well as their placement on the swarm nodes.


Streaming Logs

Elastic Stack

If you read the previous post, Distributed Service Configuration with Consul, Spring Cloud, and Docker, you will notice we deployed a few additional components this time. First, the Elastic Stack (aka ELK), is deployed to the worker3 swarm worker node, within a single container. I have increased the CPU count and RAM assigned to this VM, to minimally run the Elastic Stack. If you review the docker-compose.yml file, you will note I am using Sébastien Pujadas’ sebp/elk:latest Docker base image from Docker Hub to provision the Elastic Stack. At the time of the post, this was based on the 5.3.0 version of ELK.

Docker Logging Driver

The Widget stack’s docker-compose.yml file has been modified since the last post. The compose file now incorporates a Fluentd logging configuration section for each service. The logging configuration includes the address of the Fluentd instance, on the same swarm worker node. The logging configuration also includes a tag for each log message.

version: '3.0'
image: garystafford/microservice-docker-demo-widget:fluentd
hostname: widget
driver: fluentd
tag: docker.{{.Name}}
fluentd-address: localhost:24224
labels: com.widget.environment
"com.widget.environment: ${ENVIRONMENT}"
mode: global
node.role == worker
node.hostname != worker3
command: "java${ACTIVE_PROFILE} \ \
-jar widget/widget-service.jar"


In addition to the Elastic Stack, we have deployed Fluentd to the worker1 and worker2 swarm nodes. This is also where the Widget and MongoDB containers are deployed. Again, looking at the docker-compose.yml file, you will note we are using a custom Fluentd Docker image, garystafford/custom-fluentd:latest, which I created. The custom image is available on Docker Hub.

version: '3.0'
image: garystafford/custom-fluentd:latest
hostname: fluentd
mode: global
node.role == worker
node.hostname != worker3
SERVICE_TAGS: monitoring

The custom Fluentd Docker image is based on Fluentd’s official onbuild Docker image, fluent/fluentd:onbuild. Fluentd provides instructions for building your own custom images, from their onbuild base images.

FROM fluent/fluentd:onbuild
LABEL maintainer "Gary A. Stafford <>"
USER root
RUN apk add –update –virtual .build-deps \
sudo build-base ruby-dev \
# cutomize following instruction as you wish
&& sudo -u fluent gem install \
fluent-plugin-secure-forward \
fluent-plugin-elasticsearch \
fluent-plugin-concat \
&& sudo -u fluent gem sources –clear-all \
&& apk del .build-deps \
&& rm -rf /var/cache/apk/* \
USER fluent

view raw


hosted with ❤ by GitHub

There were two reasons I chose to create a custom Fluentd Docker image. First, I added the Uken Games’ Fluentd Elasticsearch Plugin, to the Docker Image. This highly configurable Fluentd Output Plugin allows us to push Docker logs, processed by Fluentd to the Elasticsearch. Adding additional plugins is a common reason for creating a custom Fluentd Docker image.

The second reason to create a custom Fluentd Docker image was configuration. Instead of bind-mounting host directories or volumes to the multiple Fluentd containers, to provide Fluentd’s configuration, I baked the configuration file into the immutable Docker image. The bare-bones, basicFluentd configuration file defines three processes, which are Input, Filter, and Output. These processes are accomplished using Fluentd plugins. Fluentd has 6 types of plugins: Input, Parser, Filter, Output, Formatter and Buffer. Fluentd is primarily written in Ruby, and its plugins are Ruby gems.

@type forward
@id input1
@label @mainstream
port 24224
<filter **>
@type stdout
<label @mainstream>
<match **>
@type copy
@type file
@id output_docker1
path /fluentd/log/docker.*.log
symlink_path /fluentd/log/docker.log
append true
time_slice_format %Y%m%d
time_slice_wait 1m
time_format %Y%m%dT%H%M%S%z
buffer_path /fluentd/log/docker.*.log
@type elasticsearch
logstash_format true
flush_interval 5s
host elk
port 9200
index_name fluentd
type_name fluentd

view raw


hosted with ❤ by GitHub

Fluentd listens for input on tcp port 24224, using the forward Input Plugin. Docker logs are streamed locally on each swarm node, from the Widget and MongoDB containers to the local Fluentd container, over tcp port 24224, using Docker’s fluentd logging driver, introduced earlier. Fluentd

Fluentd then filters all input using the stdout Filter Plugin. This plugin prints events to stdout, or logs if launched with daemon mode. This is the most basic method of filtering.

Lastly, Fluentd outputs the filtered input to two destinations, a local log file and Elasticsearch. First, the Docker logs are sent to a local Fluentd log file. This is only for demonstration purposes and debugging. Outputting log files is not recommended for production, nor does it meet the 12-factor application recommendations for logging. Second, Fluentd outputs the Docker logs to Elasticsearch, over tcp port 9200, using the Fluentd Elasticsearch Plugin, introduced above.


Additional Metadata

In addition to the log message itself, in JSON format, the fluentd log driver sends the following metadata in the structured log message: container_id, container_name, and source. This is helpful in identifying and categorizing log messages from multiple sources. Below is a sample of log messages from the raw Fluentd log file, with the metadata tags highlighted in yellow. At the bottom of the output is a log message parsed with jq, for better readability.


Using Elastic Stack

Now that our two Docker stacks are up and running on our swarm, we should be streaming logs to Elasticsearch. To confirm this, open the Kibana web console, which should be available at the IP address of the worker3 swarm worker node, on port 5601.


For the sake of this demonstration, I increased the verbosity of the Spring Boot Widget service’s log level, from INFO to DEBUG, in Consul. At this level of logging, the two Widget services and the single MongoDB instance were generating an average of 250-400 log messages every 30 seconds, according to Kibana.

If that seems like a lot, keep in mind, these are Docker logs, which are single-line log entries. We have not aggregated multi-line messages, such as Java exceptions and stack traces messages, into single entries. That is for another post. Also, the volume of debug-level log messages generated by the communications between the individual services and Consul is fairly verbose.


Inspecting log entries in Kibana, we find the metadata tags contained in the raw Fluentd log output are now searchable fields: container_id, container_name, and source, as well as log. Also, note the _type field, with a value of ‘fluentd’. We injected this field in the output section of our Fluentd configuration, using the Fluentd Elasticsearch Plugin. The _type fiel allows us to differentiate these log entries from other potential data sources.



All opinions in this post are my own and not necessarily the views of my current employer or their clients.

, , , , , , ,

  1. #1 by amir on July 12, 2017 - 7:01 pm

    Hey — your repo links are invalid; they’re missing your username.
    Thanks for the article and repos — very well organized.

  2. #2 by max on August 24, 2017 - 10:16 am

    This is a great article. Got me started with Elastic stack in docker swarm, with my own applications pretty smoothly.

  3. #3 by Michael Hobbs on January 18, 2019 - 9:10 am

    Gary, you saved me so much time! Awesome work!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: