Thank you for your kick reply!
Yes I do it using setup user.
Here is the logs:
2021-05-04T13:20:40.323-0300 INFO instance/beat.go:660 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2021-05-04T13:20:40.324-0300 INFO instance/beat.go:668 Beat ID: d6830ea7-51e6-4131-9b6e-c09d1f7dfb4f
2021-05-04T13:20:40.328-0300 INFO [beat] instance/beat.go:996 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "d6830ea7-51e6-4131-9b6e-c09d1f7dfb4f"}}}
2021-05-04T13:20:40.328-0300 INFO [beat] instance/beat.go:1005 Build info {"system_info": {"build": {"commit": "08e20483a651ea5ad60115f68ff0e53e6360573a", "libbeat": "7.12.0", "time": "2021-03-18T06:16:51.000Z", "version": "7.12.0"}}}
2021-05-04T13:20:40.328-0300 INFO [beat] instance/beat.go:1008 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.15.8"}}}
2021-05-04T13:20:40.329-0300 INFO [beat] instance/beat.go:1012 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-04-08T11:50:15-03:00","containerized":false,"name":"xxx","ip":["127.0.0.1/8","::1/128","xxx/24","xxx/64"],"kernel_version":"3.10.0-1160.21.1.el7.x86_64","mac":["00:15:5d:64:4a:90"],"os":{"type":"linux","family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":9,"patch":2009,"codename":"Core"},"timezone":"-03","timezone_offset_sec":-10800,"id":"82b3bf2b70734010a21dd9xxx7ecada4b"}}}
2021-05-04T13:20:40.330-0300 INFO [beat] instance/beat.go:1041 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/home/yyy/elastic-agent/elastic-agent-7.12.1-linux-x86_64", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 48948, "ppid": 16876, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2021-05-04T13:20:39.490-0300"}}}
2021-05-04T13:20:40.330-0300 INFO instance/beat.go:304 Setup Beat: filebeat; Version: 7.12.0
2021-05-04T13:20:40.330-0300 INFO [index-management] idxmgmt/std.go:184 Set output.elasticsearch.index to 'filebeat-7.12.0' as ILM is enabled.
2021-05-04T13:20:40.330-0300 WARN [cfgwarn] tlscommon/config.go:101 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2021-05-04T13:20:40.331-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:40.331-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxx
2021-05-04T13:20:40.331-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:40.331-0300 INFO [publisher] pipeline/module.go:113 Beat name: filebeat-logserver
2021-05-04T13:20:40.359-0300 INFO beater/filebeat.go:117 Enabled modules/filesets: fortinet (clientendpoint, firewall, fortimail, fortimanager)
2021-05-04T13:20:40.387-0300 WARN [cfgwarn] tlscommon/config.go:101 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2021-05-04T13:20:40.387-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:40.387-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxx
2021-05-04T13:20:40.387-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:40.491-0300 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.12.0
2021-05-04T13:20:40.493-0300 WARN [cfgwarn] tlscommon/config.go:101 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2021-05-04T13:20:40.493-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:40.493-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxx
2021-05-04T13:20:40.493-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:40.506-0300 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.12.0
2021-05-04T13:20:40.674-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-firewall-pipeline"}
2021-05-04T13:20:40.796-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-firewall-event"}
2021-05-04T13:20:40.916-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-firewall-utm"}
2021-05-04T13:20:41.143-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-firewall-traffic"}
2021-05-04T13:20:41.144-0300 WARN [cfgwarn] tlscommon/config.go:101 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2021-05-04T13:20:41.144-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:41.144-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxx
2021-05-04T13:20:41.144-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:41.167-0300 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.12.0
2021-05-04T13:20:41.280-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-logstash-log-pipeline"}
2021-05-04T13:20:41.420-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-logstash-log-pipeline-plaintext"}
2021-05-04T13:20:41.516-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-logstash-log-pipeline-json"}
2021-05-04T13:20:41.657-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-logstash-slowlog-pipeline"}
2021-05-04T13:20:41.779-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-logstash-slowlog-pipeline-plaintext"}
2021-05-04T13:20:41.891-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-logstash-slowlog-pipeline-json"}
2021-05-04T13:20:41.892-0300 WARN [cfgwarn] tlscommon/config.go:101 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2021-05-04T13:20:41.892-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:41.892-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxx
2021-05-04T13:20:41.892-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:41.915-0300 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.12.0
2021-05-04T13:20:42.087-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-system-auth-pipeline"}
2021-05-04T13:20:42.205-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-system-syslog-pipeline"}
2021-05-04T13:20:42.208-0300 WARN [cfgwarn] tlscommon/config.go:101 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
2021-05-04T13:20:42.208-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:42.208-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxx
2021-05-04T13:20:42.208-0300 INFO eslegclient/connection.go:99 elasticsearch url: https://xxxxxx
2021-05-04T13:20:42.223-0300 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.12.0
2021-05-04T13:20:42.359-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-threatintel-abusemalware-pipeline"}
2021-05-04T13:20:42.490-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-threatintel-abuseurl-pipeline"}
2021-05-04T13:20:42.599-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-threatintel-anomali-pipeline"}
2021-05-04T13:20:42.752-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-threatintel-misp-pipeline"}
2021-05-04T13:20:42.866-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-threatintel-otx-pipeline"}
2021-05-04T13:20:42.866-0300 INFO cfgfile/reload.go:262 Loading of config files completed.
2021-05-04T13:20:42.866-0300 INFO [load] cfgfile/list.go:129 Stopping 4 runners ...
2021-05-04T13:20:43.327-0300 INFO [add_cloud_metadata] add_cloud_metadata/add_cloud_metadata.go:101 add_cloud_metadata: hosting provider type not detected.
2021-05-04T13:20:47.925-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-clientendpoint-pipeline"}
2021-05-04T13:20:48.098-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-firewall-pipeline"}
2021-05-04T13:20:48.227-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-firewall-event"}
2021-05-04T13:20:48.364-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-firewall-utm"}
2021-05-04T13:20:48.493-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-firewall-traffic"}
2021-05-04T13:20:49.205-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-fortimail-pipeline"}
2021-05-04T13:20:49.782-0300 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.12.0-fortinet-fortimanager-pipeline"}