diff --git a/README.md b/README.md
index 38c7cc5..fda949f 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,8 @@ spec:
                 fieldRef:
                   fieldPath: spec.nodeName
         volumeMounts:
+        - name: config-volume
+          mountPath: /etc/filebeat
         - name: varlog
           mountPath: /var/log/containers
         - name: varlogpods
@@ -62,6 +64,12 @@ spec:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule
       volumes:
+      - name: config-volume
+        configMap:
+          name: logging-cfg
+          items:
+            - key: filebeat.yml
+              path: filebeat.yml
       - name: varlog
         hostPath:
           path: /var/log/containers
diff --git a/k8s-logging-cfg.yml b/k8s-logging-cfg.yml
new file mode 100644
index 0000000..44b4369
--- /dev/null
+++ b/k8s-logging-cfg.yml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: logging-cfg
+  namespace: default
+data:
+  filebeat.yml: |
+    filebeat.registry_file: /var/log/containers/filebeat_registry
+
+    filebeat.prospectors:
+    - input_type: log
+      paths:
+        - "/var/log/containers/*.log"
+      symlinks: true
+      json.keys_under_root: true
+      json.add_error_key: true
+      json.message_key: log
+      multiline.pattern: '^\s'
+      multiline.match: after
+      document_type: kube-logs
+      fields:
+        host: ${FILEBEAT_HOST:${HOSTNAME}}
+      fields_under_root: true
+
+    output.logstash:
+      hosts: ${LOGSTASH_HOSTS:?No logstash host configured. Use env var LOGSTASH_HOSTS to set hosts.}
+      timeout: 15
+    # Available log levels are: critical, error, warning, info, debug
+    logging.level: ${LOG_LEVEL:error}
diff --git a/k8s-logging-filebeat.yml b/k8s-logging-filebeat.yml
new file mode 100644
index 0000000..24abf29
--- /dev/null
+++ b/k8s-logging-filebeat.yml
@@ -0,0 +1,66 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: logging-filebeat
+  namespace: default
+  labels:
+    name: logging-filebeat
+spec:
+  template:
+    metadata:
+      labels:
+        name: logging-filebeat
+      name: logging-filebeat
+    spec:
+      containers:
+      - name: filebeat
+        image: apsops/filebeat-kubernetes
+        env:
+          - name: LOGSTASH_HOSTS
+            value:  logstash.default.svc.cluster.local:5044
+          - name: LOG_LEVEL
+            value: info
+          - name: FILEBEAT_HOST
+            valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+        resources:
+          requests:
+            cpu: 50m
+            memory: 50Mi
+          limits:
+            cpu: 50m
+            memory: 100Mi
+        securityContext:
+          privileged: true
+          runAsUser: 0
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/filebeat
+        - name: varlogcontainers
+          mountPath: /var/log/containers
+        - name: varlogpods
+          mountPath: /var/log/pods
+        - name: varlibdockercontainers
+          mountPath: /var/lib/docker/containers
+      terminationGracePeriodSeconds: 30
+      volumes:
+      # mount /var/log/containers to get friendly named symlinks to actual logs
+      - name: varlogcontainers
+        hostPath:
+          path: /var/log/containers
+      # mount /var/log/pods as its where pod logs are collected
+      - name: varlogpods
+        hostPath:
+          path: /var/log/pods
+      # mount /var/lib/docker/containers which is where the logs _actually_ are
+      - name: varlibdockercontainers
+        hostPath:
+          path: /var/lib/docker/containers
+      # mount the configmap with the filebeat config file
+      - name: config-volume
+        configMap:
+          name: logging-cfg
+          items:
+            - key: filebeat.yml
+              path: filebeat.yml