Filebeat: connection to Elasticsearch OK but no documents indexed

decibel83 · September 29, 2025, 2:03pm

Hi everyone,
I’m facing an issue with Filebeat 8.19.3 on Debian 12 (Bookworm).

Symptoms

Filebeat starts without errors and connects successfully to Elasticsearch:

Connection to backoff(elasticsearch(https://<ES_HOST>:9200)) established
doBulkRequest: 1600 events have been sent to elasticsearch in ~70ms

No Failed to index event or status code errors appear in the logs.
However, in Kibana I can’t see any documents in the filebeat-* or logs-* data streams.

Environment

OS: Debian GNU/Linux 12 (bookworm), kernel 6.1.0-38-amd64
Filebeat: 8.19.3 (installed from official Elastic package)
Output: direct to Elasticsearch 8.19.3 over HTTPS
Minimal configuration: enabled system (auth) and system (syslog) modules.
Configured paths:
```
/var/log/auth.log*
/var/log/syslog*
```

Filebeat configuration file

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: localhost:5601
  space.id:

output.elasticsearch:
  hosts: ["https://<ES_HOST>:9200"]
  preset: balanced
  protocol: "https"
  api_key: ""
  username: "filebeat_setup"
  password: "<ES_PASSWORD>"

output.logstash:
  enabled: false

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

logging.level: debug
logging.selectors: ["elasticsearch"]

setup.ilm.check_exists: true

Log excerpt

{"log.level":"info","message":"filebeat start running.","service.name":"filebeat"}
{"log.level":"info","message":"Enabled modules/filesets: system (auth), system (syslog)","service.name":"filebeat"}
{"log.level":"info","message":"Configured paths: [/var/log/auth.log*]","service.name":"filebeat"}
{"log.level":"info","message":"Configured paths: [/var/log/syslog*]","service.name":"filebeat"}
{"log.level":"info","message":"Connection to backoff(elasticsearch(https://<ES_HOST>:9200)) established","service.name":"filebeat"}
{"log.level":"debug","message":"doBulkRequest: 1600 events have been sent to elasticsearch in 69ms.","service.name":"filebeat"}

What I’ve already checked

Filebeat communicates with Elasticsearch without errors.
/var/log/syslog and /var/log/auth.log contain new events.
In Kibana → Data view filebeat-* shows no documents.
ILM is enabled (lifecycle policy filebeat exists already.) and the filebeat-8.19.3 template exists.

Question

What am I missing?
If bulk requests are being successfully sent to Elasticsearch, why can’t I find any documents in the filebeat-* data streams?

Thanks a lot in advance!

Topic		Replies	Views
Filebeat - It is not creating index on Elasticsearch Beats filebeat	4	4515	July 5, 2017
Filebeat 0 hits? Require help to resolve Elasticsearch	3	2490	May 11, 2016
Filebeat cannot able to index into elasticsearch Beats filebeat	27	6470	May 4, 2017
Elasticsearch, Where is my filebeat data? Elasticsearch	11	593	March 15, 2019
Filebeat dashboard : No results found Kibana	3	2062	September 17, 2017