Good day @ChrsMark,
I followed the installation. I figured out that the path.home was set to "/usr/share/filebeat/bin/" instead of "/usr/share/filebeat/" where the "module" directory could be found. I fixed this issue by setting the paths in filebeat's configuration file "/etc/filebeat/filebeat.yml" right after the first comments in the document.
path.home : /usr/share/filebeat
path.config : /etc/filebeat
path.data : /var/lib/filebeat
path.logs : /var/log/filebeat
I installed filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.7.1-amd64.deb
sudo dpkg -i filebeat-7.7.1-amd64.deb
This seems to be a bug that in some installations appears and in some others disappears even when using the sam cloud image.
Another issue I have encountered is that the modules configuration path is changed from "/etc/filebeat". Therefore, to solve this issue I need to set "path.config : /etc/filebeat", as stated on the comments above, along with the following changes in filebeat's configuration:
From this configuration:
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
To the following specific path:
filebeat.config.modules:
path : /etc/filebeat/modules.d/*.yml
I hope this helps other users going through the same struggles. This has been a recurring issue that has not been properly addressed.
Notes:
- The directory "/etc/filebeat/modules.d/" contains a list of yml files that state which modules are enabled and disabled in filebeat.
- The directory "/usr/share/filebeat/module/" contains subdirectories named after each available module (enabled or disabled). Each subdirectory contains the following:
a) A file named "module.yml" presenting a list of dashboards associated to the module and the corresponding IDs
b) A set of sub-sub-directories associated with the fileset/dataset of the corresponding module (e.g, auth and syslog for the system module). Each of these contain 3 additional yml files; one for configuration, one to set the pipeline when connecting filebeat directly to elasticsearch, and one manifest file.