Filebeat code=exited, status=1/FAILURE

Appreciate your frustration, it looks like there were a few missteps here that are causing grief :slight_smile:

What is the output from ls -l /var/lib/filebeat/filebeat.keystore?

You can. I would make sure you copy any config you need, then look at removing it with the purge option of your installer (e.g. apt/yum/etc.). Then a new install as per the docs - Filebeat quick start: installation and configuration | Filebeat Reference [8.11] | Elastic

I get

ls: cannot access '/var/lib/filebeat/filebeat.keystore': Permission denied

So is it not there or do I just not have permission?

So, to purge...

I used

sudo dpkg -i filebeat-7.10.0-amd64.deb

to install, so I would use

sudo dpkg -P filebeat-7.10.0-amd64.deb

to purge? Are there any other arguments I should include?

And just to be clear - keystores are used to house secure info, correct? Because I never set anything like that up (intentionally), this is a test system that I'm learning to dump Cisco logs into & run reports on, so I don't mess up our production system. And boy am I glad I did it this way! :slight_smile:

I tried the above command, but I get the following error:

dpkg: error: you must specify packages by their own names, not by quoting the names of the files they come in

so I ran

sudo dpkg -l

to get a list of package names. I wanted to remove filebeat, so I ran

sudo dpkg -P filebeat

and it was successful. It did not remove the /etc/filebeat/modules.d directory as it was not empty (I'm guessing because I had edited the cisco.yml since installation), so I'll manually delete those & see what happens when I reinstall.
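
The purge procedure worked out in this thread (copy the config, purge by package name rather than by .deb file name, then check what was left behind), as an added example that is not part of any post. The function names and the backup location are assumptions for illustration.

```shell
#!/bin/sh
# Added example: back up config, purge by package name, list leftovers.
# Function names and the backup location are assumptions.

# Read the package name from a .deb file's control data.
# dpkg -P wants this name, not the name of the archive file.
pkg_name_from_deb() {
    dpkg-deb -f "$1" Package
}

# Archive a config directory before purging; prints the archive path.
backup_config() {
    src=$1; dest_dir=$2
    archive="$dest_dir/$(basename "$src")-backup.tar.gz"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    printf '%s\n' "$archive"
}

# List regular files still present under the given directories.
# Directories that no longer exist are skipped.
list_leftovers() {
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -type f
    done
    return 0
}

# Full procedure. Run from a root shell: config files may be readable
# by root only, and dpkg -P needs root.
purge_with_backup() {
    pkg=$1; conf_dir=$2; backup_dir=$3
    backup_config "$conf_dir" "$backup_dir" || return 1
    dpkg -P "$pkg" || return 1
    echo "Files left behind (purge does not remove a non-empty directory):"
    list_leftovers "$conf_dir"
}

# Example call (not run here):
#   purge_with_backup "$(pkg_name_from_deb filebeat-7.10.0-amd64.deb)" /etc/filebeat /root
```

Anything printed by `list_leftovers` after the purge is a file that survived it and has to be removed by hand before a clean reinstall.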
