🐳 Elastic Stack (ELK) v9+ on Docker with Compose. Pre-configured out of the box to enable Logging, Metrics, APM, Alerting, ML, and SIEM features. Up with a Single Command.
Elastic Stack on Docker
Preconfigured Security, Tools, and Self-Monitoring
Configured to be ready to be used for Log, Metrics, APM, Alerting, Machine Learning, and Security (SIEM) usecases.
Introduction
Elastic Stack (ELK) Docker Composition, preconfigured with Security, Monitoring, and Tools; Up with a Single Command.
Suitable for Demoing, MVPs and small production deployments.
Stack Version: 9.4.2 🎉 - Based on Official Elastic Docker Images
You can change Elastic Stack version by setting>ELK_VERSIONin.envfile and rebuild your images. Any version >= 9.0.0 is compatible with this template.
⚠️ Upgrading from 8.x? See the Upgrade Notes section below for breaking changes and migration steps.
Main Features 📜
- Configured as a Production Single Node Cluster. (With a multi-node cluster option for experimenting).
- Security Enabled By Default.
- Configured to Enable:
mise run collect-docker-logs.
- APM
- Alerting
- Machine Learning
- Anomaly Detection
- SIEM (Security information and event management).
- Enabling Trial License
- Use Docker Compose and
.envto configure your entire stack parameters. - Persist Elasticsearch's Keystore and SSL Certifications.
- Self-Monitoring Metrics Enabled (using Metricbeat for ES 9+).
- Prometheus Exporters for Stack Metrics.
- Embedded Container Healthchecks for Stack Images.
More points
And comparing Elastdocker and the popular deviantony/docker-elk
One of the most popular ELK on Docker repositories is the awesome deviantony/docker-elk. Elastdocker differs from Expand...
deviantony/docker-elk in the following points.elastich:changeme in every component config.
Automatic Docker Container Log Collection
Collect logs from all Docker containers on your host with a single command:
mise run collect-docker-logs
Filebeat automatically discovers containers, parses logs, and ships them to Elasticsearch. View and analyze everything in Kibana with zero configuration.
Requirements
- Docker 20.05 or higher with Docker Compose v2
- 4GB RAM (For Windows and MacOS make sure Docker's VM has more than 4GB+ memory.)
Setup
- Clone the Repository
git clone https://github.com/sherifabdlnaby/elastdocker.git
- Initialize Elasticsearch Keystore and TLS Self-Signed Certificates
mise run stack:setup
> For Linux's docker hosts only. By default virtual memory is not enough so run the next command as root sysctl -w vm.maxmap_count=262144
- Start Elastic Stack
mise run up # <OR> docker compose up -d
- Visit Kibana at https://localhost:5601 or
https://<yourpublic_ip>:5601
elastic, Password: changeme
> - Notice that Kibana is configured to use HTTPS, so you'll need to write https:// before localhost:5601 in the browser. > - Modify .env file for your needs, most importantly ELASTICPASSWORD that setup your superuser elastic's password, ELASTICSEARCHHEAP & LOGSTASH_HEAP for Elasticsearch & Logstash Heap Size.
Whatever your Host (e.g AWS EC2, Azure, DigitalOcean, or on-premise server), once you expose your host to the network, ELK component will be accessible on their respective ports. Since the enabled TLS uses a self-signed certificate, it is recommended to SSL-Terminate public traffic using your signed certificates.>
🏃🏻♂️ To start ingesting logs, you can start by running mise run collect-docker-logs which will collect your host's container logs.
Additional Commands
Expand
To Start Monitoring and Prometheus Exporters
mise run monitoringTo Ship Docker Container Logs to ELK
mise run collect-docker-logsTo Start Elastic Stack, Tools and Monitoring
mise run allTo Start 2 Extra Elasticsearch nodes (recommended for experimenting only)
mise run nodesTo Rebuild Images
mise run buildBring down the stack
mise run downReset everything, Remove all containers, and delete DATA
mise run prune
Configuration
- Some Configuration are parameterized in the
.envfile.
ELASTICPASSWORD, user elastic's password (default: changeme pls_).
- ELK_VERSION Elastic Stack Version (default: 9.4.2)
- ELASTICSEARCH_HEAP, how much Elasticsearch allocate from memory (default: 1GB -good for development only-)
- LOGSTASH_HEAP, how much Logstash allocate from memory.
- Other configurations which their such as cluster name, and node name, etc.
- Elasticsearch Configuration in
elasticsearch.ymlat./elasticsearch/config. - Logstash Configuration in
logstash.ymlat./logstash/config/logstash.yml. - Logstash Pipeline in
main.confat./logstash/pipeline/main.conf. - Kibana Configuration in
kibana.ymlat./kibana/config. - Metricbeat Configuration in
metricbeat.ymlat./metricbeat/config(for Stack Monitoring in ES 9+).
Setting Up Keystore
You can extend the Keystore generation script by adding keys to ./setup/keystore.sh script. (e.g Add S3 Snapshot Repository Credentials)
To Re-generate Keystore:
mise run keystore
Notes
- ⚠️ Elasticsearch HTTP layer is using SSL, thus mean you need to configure your elasticsearch clients with the
CAinsecrets/certs/ca/ca.crt, or configure client to ignore SSL Certificate Verification (e.g--insecureincurl).
- Adding Two Extra Nodes to the cluster will make the cluster depending on them and won't start without them again.
- The stack is driven by mise tasks; run
mise tasksto list them. TheMakefilekeeps the same commands but is deprecated.
- Elasticsearch will save its data to a volume named
elasticsearch-data
- Elasticsearch Keystore (that contains passwords and credentials) and SSL Certificate are generated in the
./secretsdirectory by the setup command.
- Make sure to run
mise run stack:setupif you changedELASTIC_PASSWORDand to restart the stack afterwards.
- For Linux Users it's recommended to set the following configuration (run as
root)
sysctl -w vm.maxmapcount=262144
By default, Virtual Memory is not enough.

Working with Elastic APM
After completing the setup step, you will notice a container named apm-server which gives you deeper visibility into your applications and can help you to identify and resolve root cause issues with correlated traces, logs, and metrics.
Authenticating with Elastic APM
In order to authenticate with Elastic APM, you will need the following:
- The value of
ELASTICAPMSECRETTOKENdefined in.envfile as we have secret token enabled by default - The ability to reach port
8200 - Install elastic apm client in your application e.g. for NodeJS based applications you need to install elastic-apm-node
- Import the package in your application and call the start function, In case of NodeJS based application you can do the following:
const apm = require('elastic-apm-node').start({
serviceName: 'foobar',
secretToken: process.env.ELASTICAPMSECRET_TOKEN,
// https is enabled by default as per elastdocker configuration serverUrl: 'https://localhost:8200', })
Make sure that the agent is started before you require any other modules in your Node.js application - i.e. before express, http, etc. as mentioned in Elastic APM Agent - NodeJS initialization
For more details or other languages you can check the following:
Monitoring The Cluster
Via Stack Monitoring (Metricbeat)
Elasticsearch 9+ uses Metricbeat for Stack Monitoring (the recommended approach). When you start monitoring with mise run monitoring, Metricbeat will collect metrics from all stack components and send them to Elasticsearch.
Head to Stack Monitoring tab in Kibana to see cluster metrics for all stack components.

Architecture Change in ES 9:
- ES 8.x and earlier: Used internal
xpack.monitoringfor self-monitoring - ES 9.x: Uses external Metricbeat collection (more scalable and reliable)
In Production, cluster metrics should be shipped to another dedicated monitoring cluster.
Via Prometheus Exporters
If you started Prometheus Exporters using mise run monitoring command. Prometheus Exporters will expose metrics at the following ports.
| Prometheus Exporter | Port | Recommended Grafana Dashboard | |-------------------------- |---------- |------------------------------------------------ | | elasticsearch-exporter | 9114 | Elasticsearch by Kristian Jensen | | logstash-exporter | 9304 | logstash-monitoring by dpavlos |
Note: Elasticsearch Exporter uses updated flags for ES 9 compatibility (--es.indices instead of deprecated --collector.indices).

Upgrade Notes from 8.x to 9.x
Elasticsearch 9 introduced several breaking changes. This section documents the changes made to ElastDocker for ES 9 compatibility. File: Before (ES 8.x): The Files Modified: File: File: The following deprecation warnings are expected and originate from upstream Elastic components. They will be resolved in future component releases: These warnings don't affect functionality and are logged to the deprecation data stream for visibility. Important: You must upgrade to Elasticsearch 8.19.x before upgrading to 9.x. Recommended Path: For a clean installation on ES 9, simply:Expand to see breaking changes and migration details...
Breaking Changes Fixed
1. Logstash Configuration Changes
logstash/config/logstash.yml
File: http.host → api.http.hostlogstash/pipeline/main.conf
ssl → ssl_enabledsslcertificateverification → sslverificationmodecacert → sslcertificateauthorities2. Monitoring Architecture Change
After (ES 9.x):
xpack.monitoring.collection.enabled setting
Files Modified:
metricbeat service in docker-compose.monitor.ymlelasticsearch/config/elasticsearch.yml - Removed xpack.monitoring.collection.enabledlogstash/config/logstash.yml - Removed xpack.monitoring settingsapm-server/config/apm-server.yml - Removed monitoring sectionmetricbeat/config/metricbeat.yml - NEW FILE for Stack Monitoring3. Filebeat Migration to Filestream Input
container input type is deprecated in Filebeat 9. Migrated to the modern filestream input with container parser - the ES 9+ recommended approach.
Key Changes:
filebeat/filebeat.docker.logs.yml - Now uses type: filestream with container parserfilebeat/filebeat.monitoring.yml - All module inputs migrated to filestreamtype: container → type: filestream with unique IDsparsers.container configuration for Docker log parsingprospector.scanner.symlinks: true for Docker log paths4. Certificate Generation Script
setup/setup-certs.shopenssl command (not available in ES 9 containers)/dev/urandom for random password generation5. Elasticsearch Exporter Flags
docker-compose.monitor.yml--collector.indices → --es.indicesKnown Deprecation Warnings
- Source: Metricbeat
- Will be fixed in future Beats releases
- Note: Filebeat no longer generates these warnings after migrating to filestream input
?local parameter (CRITICAL) - ~446 occurrences
- Source: Kibana cleanup process
- Expected during ES 9 migration
- Will resolve once cleanup completes
- Source: APM Server
- Will be fixed in future APM Server releases
Upgrade Path
8.17.0 → 8.19.x (run Upgrade Assistant) → 9.xELK_VERSION=9.4.2 in .envmise run stack:setupmise run up (or mise run all for full stack with monitoring)
Development
Running the stack only needs Docker (see Setup). Contributing to the repo additionally uses mise to pin the linters/formatters, expose tasks, and wire git hooks, so everyone lints with the same tool versions as CI.
Install mise (first time on this machine)
curl https://mise.run | sh # or: brew install mise
echo 'eval "$(mise activate zsh)"' >> ~/.zshrc # bash: mise activate bash
mise doctor # confirm the install is healthy
See the installation docs for other shells and Windows.
Set up the toolchain once:
mise trust # allow this repo's mise config to load
mise run setup # install the pinned tools; git hooks self-install
Everyday commands:
| Command | What it does | |------------------------------------|-------------------------------------------------------------------| | mise run check (alias lint) | Run every linter/formatter/validator. Add --fix to auto-fix. | | mise tasks | List all tasks (up, down, logs, stack:setup, …). | | mise run <task> --help | Show a task's flags. |
On commit, hk runs the same check on your staged files, so lint problems surface before CI. Need to bypass it for a WIP commit? git commit --no-verify. Tools, tasks, and hooks all live in mise.toml and hk.pkl.
License
MIT License Copyright (c) 2022-2026 Sherif Abdel-Naby
Contribution
PR(s) are Open and Welcomed. Run mise run check before opening one (see Development).