Filebeat 8.3.2 module and file stream issues

Modules in filebeat 8.3.2 had changed the file input to filestream and indexing is happening through filestream.

When we enable modules. It is not working at all.

We tried to enable manually using
filebeat setup --pipelines --dashboards --index-management --modules cef -M "cef.log.enable=true" -M "cef.log.var.input=file" -M "cef.log.var.paths=["/Syslog////.forcepointlog"]"

It did configure the module but still throughs error that cef doesn't have fileset configured.

I have also configured cef module as in below

Module: cef

Docs: CEF module | Filebeat Reference [8.3] | Elastic

  • module: cef
    enabled: true
    input: file
    path: /Syslog////.forcepointlog

Filebeat configuration is as below

============================== Filebeat inputs ===============================


Each - is an input. Most options can be set at the input level, so

you can use different inputs for various configurations.

Below are the input specific configurations.

filestream is an input for collecting log messages from files.

  • type: filestream

    Unique ID among all inputs, an ID is required.

    id: my-filestream-id

    Change to true to enable this input configuration.

    enabled: true

    Paths that should be crawled and fetched. Glob based paths.


    • /var/log/*.log

============================== Filebeat modules ==============================


Glob pattern for configuration loading

path: ${path.config}/modules.d/.yml
#path: /etc/filebeat/modules.d/

Set to true to enable config reloading

reload.enabled: true

Period on which files under path should be checked for changes

reload.period: 10s


---------------------------- Elasticsearch Output ----------------------------


Array of hosts to connect to.

hosts: ["node1:9200","node2:9200","node3:9200"]

Protocol - either http (default) or https.

protocol: "https"

Authentication credentials - either API key or username/password.

#api_key: "id:api_key"
username: "elastic"
password: "password"
ssl.certificate_authorities: ["/etc/filebeat/certs/ca.pem"]

Any help with this latest issue please?

Hi, could you please format your post first using code tags?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.