Filebeat 7.17 is not logging to files under Ubuntu

Hi,

I have a question similar to this one: Filebeat not logging to /var/log/filebeat

With the exception that the version I'm using (7.17.6, DEB package) does not use "-e" by default according to documentation: Filebeat and systemd | Filebeat Reference [7.17] | Elastic

and according to systemctl status output:

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2022-09-05 10:18:24 CEST; 2h 18min ago
Docs: Filebeat: Lightweight Log Analysis & Elasticsearch | Elastic
Main PID: 2567213 (filebeat)
Tasks: 31 (limit: 76945)
Memory: 50.5M
CGroup: /system.slice/filebeat.service
└─2567213 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat

Content of /lib/systemd/system/filebeat.service:

[Unit]
Description=Filebeat sends log files to Logstash or directly to Elasticsearch.
Documentation=https://www.elastic.co/beats/filebeat
Wants=network-online.target
After=network-online.target

[Service]

Environment="GODEBUG='madvdontneed=1'"
Environment="BEAT_LOG_OPTS="
Environment="BEAT_CONFIG_OPTS=-c /etc/filebeat/filebeat.yml"
Environment="BEAT_PATH_OPTS=--path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat"
ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS
Restart=always

[Install]
WantedBy=multi-user.target

Here is excerpt from filebeat.yml:

logging.level: info
logging.to_files: true
logging.files:
  keepfiles: 7
  rotateonstartup: true
  rotateeverybytes: 10485760 # 10Mb
  interval: 24h

Filebeat still logs only to syslog and directory /var/log/filebeat with log files don't exist. What am I missing?

Hello There!
Which user is filebeat started by? Is it root?

$ systemctl show -pUser,UID filebeat

UID=[not set]
User=

Change ownership on the /var/log/filebeat directory and files to filebeat:filebeat

Since Filebeat logs only to syslog, directory /var/log/filebeat does not exist.

If directory permissions are wrong it won't exist. Please show us a result of ls -lah /var/log/ command.

Have you tried to explicitly set the path?

This is what I use and is working, it creates a file named filebeat inside of /var/log/filebeat.

You don't need to change ownership nor create the path before, as default filebeat runs with the root user, so it already has any needed permissions, the user filebeat will not exist and is not needed.

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0640