LinuxCommandLibrary

filebeat

TLDR

Start filebeat with default configuration

$ filebeat
Start with a specific configuration file
$ filebeat -c [path/to/filebeat.yml]
Test configuration file syntax
$ filebeat test config
Test output connectivity (Elasticsearch, Logstash, etc.)
$ filebeat test output
Enable a module
$ filebeat modules enable [nginx]
List available modules
$ filebeat modules list
Set up dashboards and index templates
$ filebeat setup
Run once and exit (process existing files)
$ filebeat --once

SYNOPSIS

filebeat [COMMAND] [FLAGS]

DESCRIPTION

Filebeat is a lightweight log shipper from the Elastic Stack (ELK). It monitors log files, collects log events, and forwards them to Elasticsearch, Logstash, or other outputs for indexing and analysis.
Filebeat uses harvesters to read log files line by line and sends the data to configured outputs. It maintains state information to track read positions, ensuring reliable delivery even after restarts. Modules provide pre-built configurations for common applications like nginx, Apache, MySQL, and system logs.
Configuration is defined in filebeat.yml, specifying inputs (log paths), outputs (Elasticsearch/Logstash endpoints), and processing options.

PARAMETERS

-c FILE
Specify configuration file (default: filebeat.yml).
-e
Log to stderr instead of syslog/file.
--modules MODULES
Comma-separated list of modules to run.
--once
Run harvesters once and exit when done.
--path.config PATH
Path to configuration files.
--path.data PATH
Path to data directory.
--path.logs PATH
Path to log files.
--strict.perms
Enforce strict permission checking on config files (default: true).
-v
Enable verbose logging.
-d SELECTOR
Enable debug output for specific components.

COMMANDS

run
Run Filebeat (default command if none specified).
test config
Test configuration file syntax.
test output
Test connectivity to configured outputs.
modules enable MODULE...
Enable one or more modules.
modules disable MODULE...
Disable one or more modules.
modules list
List available and enabled modules.
setup
Set up index templates, dashboards, and pipelines.
export config
Export current configuration to stdout.
export template
Export index template to stdout.
export dashboard
Export a Kibana dashboard to stdout.

CAVEATS

Configuration files require strict permissions (owner read/write only) by default. When running via systemd, the -e flag may override logging settings. Modules must be enabled before use. Index templates and dashboards require Elasticsearch and Kibana connectivity during setup.
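A pre-flight check for the permission caveat above, as an added example that is not from this page or from the Filebeat project. The function name check_beat_config is hypothetical; it assumes GNU stat (Linux), takes "owner read/write only" to mean no group or other permission bits at all, and assumes the file must be owned by the invoking user or by root.

```shell
#!/bin/sh
# Added example: verify a Filebeat config file before starting the service.
# Assumptions (not stated by the page): GNU stat is available, and the
# file must be owned by the user who will run filebeat, or by root (uid 0).

# check_beat_config FILE
# Returns 0 if acceptable, 1 on a permission/ownership problem,
# 2 if the file cannot be inspected.
check_beat_config() {
    cfg=$1
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg is not a regular file"
        return 2
    fi
    mode=$(stat -c '%a' "$cfg") || return 2    # octal mode, e.g. 600
    owner=$(stat -c '%u' "$cfg") || return 2   # numeric uid of the owner
    rc=0

    # A config owned by another unprivileged user could be rewritten by them.
    if [ "$owner" -ne "$(id -u)" ] && [ "$owner" -ne 0 ]; then
        echo "FAIL: $cfg is owned by uid $owner, expected $(id -u) or 0"
        rc=1
    fi

    # Mask 077 selects every group/other bit; the leading 0 makes the
    # shell read the stat output as an octal number.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $cfg has mode $mode; tighten with: chmod 600 $cfg"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cfg has mode $mode, owner uid $owner"
    return "$rc"
}

# When a path is given on the command line, check it directly.
if [ "$#" -gt 0 ]; then
    check_beat_config "$1"
fi
```

Run it against the file you pass to -c, then follow with filebeat test config to validate the syntax.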

HISTORY

Filebeat is part of the Beats family of lightweight data shippers developed by Elastic. It evolved from Logstash Forwarder (Lumberjack) to provide a more resource-efficient solution for log collection. The Beats platform was introduced around 2015, with Filebeat becoming the primary choice for log shipping in the Elastic Stack.
