Filebeat 7.17 is not logging to files under Ubuntu

andreycha · September 5, 2022, 10:39am

Hi,

I have a question similar to this one: Filebeat not logging to /var/log/filebeat

With the exception that the version I'm using (7.17.6, DEB package) does not use "-e" by default according to documentation: Filebeat and systemd | Filebeat Reference [7.17] | Elastic

and according to systemctl status output:

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2022-09-05 10:18:24 CEST; 2h 18min ago
Docs: Filebeat: Lightweight Log Analysis & Elasticsearch | Elastic
Main PID: 2567213 (filebeat)
Tasks: 31 (limit: 76945)
Memory: 50.5M
CGroup: /system.slice/filebeat.service
└─2567213 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat

Content of /lib/systemd/system/filebeat.service:

[Unit]
Description=Filebeat sends log files to Logstash or directly to Elasticsearch.
Documentation=https://www.elastic.co/beats/filebeat
Wants=network-online.target
After=network-online.target

[Service]

Environment="GODEBUG='madvdontneed=1'"
Environment="BEAT_LOG_OPTS="
Environment="BEAT_CONFIG_OPTS=-c /etc/filebeat/filebeat.yml"
Environment="BEAT_PATH_OPTS=--path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat"
ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS
Restart=always

[Install]
WantedBy=multi-user.target

Here is excerpt from filebeat.yml:

logging.level: info
logging.to_files: true
logging.files:
  keepfiles: 7
  rotateonstartup: true
  rotateeverybytes: 10485760 # 10Mb
  interval: 24h

Filebeat still logs only to syslog and directory /var/log/filebeat with log files don't exist. What am I missing?

cheshirecat · September 5, 2022, 10:54am

Hello There!
Which user is filebeat started by? Is it root?

andreycha · September 5, 2022, 11:36am

$ systemctl show -pUser,UID filebeat

UID=[not set]
User=

Rios · September 5, 2022, 11:48am

Change ownership on the /var/log/filebeat directory and files to filebeat:filebeat

andreycha · September 5, 2022, 11:56am

Since Filebeat logs only to syslog, directory /var/log/filebeat does not exist.

cheshirecat · September 5, 2022, 11:58am

If directory permissions are wrong it won't exist. Please show us a result of ls -lah /var/log/ command.

leandrojmp · September 5, 2022, 12:55pm

Have you tried to explicitly set the path?

This is what I use and is working, it creates a file named filebeat inside of /var/log/filebeat.

You don't need to change ownership nor create the path before, as default filebeat runs with the root user, so it already has any needed permissions, the user filebeat will not exist and is not needed.

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0640

system · October 3, 2022, 2:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.