Filebeat Logging on Centos 7

I'm trying to get the Filebeat service to log to /var/log/filebeat.log on Centos 7. I added the following to the config:

logging.level: debug
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

Logs are still going to /var/log/messages and are not going to /var/log/filebeat. The file isn't even being created - even though the process is running as root. Selinux is set to permissive. How can I get Filebeat to log correctly?

Hi Kenneth, thanks for reaching out about filebeat on CentOS 7. Your configuration looks like what is recommended here.

After you saved the config, did you restart filebeat?

systemctl stop filebeat
systemctl start filebeat

There's also the following note. I've seen case where logs get stored only in journald. You may want to run journalctl -u filebeat.service to see if the logs are getting stored in journald.

When Filebeat is running on a Linux system with systemd, it uses by default the -e command line option, that makes it write all the logging output to stderr so it can be captured by journald. Other outputs are disabled.

The logs are stored in journald. Is there no way to override this?

It’s documented in the manual:
https://www.elastic.co/guide/en/beats/filebeat/current/running-with-systemd.html

That’s also linked from the logging manual page Michael linked to in his answer.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.