[Filebeat] Changing filebeat's path for its configuration module

Good day @ChrsMark,

I followed the installation. I figured out that the path.home was set to "/usr/share/filebeat/bin/" instead of "/usr/share/filebeat/" where the "module" directory could be found. I fixed this issue by setting the paths in filebeat's configuration file "/etc/filebeat/filebeat.yml" right after the first comments in the document.

path.home : /usr/share/filebeat
path.config : /etc/filebeat
path.data : /var/lib/filebeat
path.logs : /var/log/filebeat

I installed filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.7.1-amd64.deb
sudo dpkg -i filebeat-7.7.1-amd64.deb

This seems to be a bug that in some installations appears and in some others disappears even when using the same cloud image.

Another issue I have encountered is that the modules configuration path is changed from "/etc/filebeat". Therefore, to solve this issue I need to set "path.config : /etc/filebeat", as stated in the comments above, along with the following changes in filebeat's configuration:

From this configuration:

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

To the following specific path:

filebeat.config.modules:
  path : /etc/filebeat/modules.d/*.yml

I hope this helps other users going through the same struggles. This has been a recurring issue that has not been properly addressed.

Notes:

  1. The directory "/etc/filebeat/modules.d/" contains a list of yml files that state which modules are enabled and disabled in filebeat.
  2. The directory "/usr/share/filebeat/module/" contains subdirectories named after each available module (enabled or disabled). Each subdirectory contains the following:
    a) A file named "module.yml" presenting a list of dashboards associated with the module and the corresponding IDs
    b) A set of sub-sub-directories associated with the fileset/dataset of the corresponding module (e.g., auth and syslog for the system module). Each of these contains 3 additional yml files: one for configuration, one to set the pipeline when connecting filebeat directly to elasticsearch, and one manifest file.
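
As an added example (not part of the original post, and not Filebeat's own code): a shell function that checks the directory layout described in the notes above, so that a wrong path.home such as "/usr/share/filebeat/bin" is caught before Filebeat starts and silently loads no modules. The function name and return codes are this example's own convention; it assumes every subdirectory of a module is a fileset, and that disabled modules in modules.d carry the ".yml.disabled" suffix.

```shell
#!/bin/sh
# Added example: sanity-check the paths a Filebeat install will use.
# Usage: check_filebeat_layout <path.home> <path.config>
# Return codes (this example's own convention):
#   0  layout looks right
#   1  <path.home>/module is missing or empty (e.g. path.home points at bin/)
#   2  a module directory has no module.yml
#   3  a fileset directory has no manifest.yml
#   4  <path.config>/modules.d has no *.yml or *.yml.disabled entries
check_filebeat_layout() {
    home=$1
    config=$2

    # path.home must contain module/; /usr/share/filebeat/bin does not.
    [ -d "$home/module" ] || return 1

    for mod in "$home"/module/*/; do
        # If the glob matched nothing it stays literal and is not a directory.
        [ -d "$mod" ] || return 1
        [ -f "${mod}module.yml" ] || return 2
        for fileset in "$mod"*/; do
            [ -d "$fileset" ] || continue   # module with no fileset directories
            [ -f "${fileset}manifest.yml" ] || return 3
        done
    done

    # modules.d holds one file per module, enabled (*.yml) or disabled.
    for f in "$config"/modules.d/*.yml "$config"/modules.d/*.yml.disabled; do
        [ -f "$f" ] && return 0
    done
    return 4
}

# Stand-alone use: sh check.sh /usr/share/filebeat /etc/filebeat
if [ "$#" -eq 2 ]; then
    rc=0
    check_filebeat_layout "$1" "$2" || rc=$?
    echo "layout check exit code: $rc"
fi
```

A non-zero result on a host that ships security logs is worth alerting on, since a module that fails to load means its log sources are not collected.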