I'm trying to get the Filebeat service to log to /var/log/filebeat.log on Centos 7. I added the following to the config:
logging.level: debug
logging.to_files: true
logging.files:
path: /var/log/filebeat
name: filebeat
keepfiles: 7
permissions: 0644
Logs are still going to /var/log/messages and are not going to /var/log/filebeat. The file isn't even being created - even though the process is running as root. Selinux is set to permissive. How can I get Filebeat to log correctly?
Hi Kenneth, thanks for reaching out about filebeat on CentOS 7. Your configuration looks like what is recommended here.
After you saved the config, did you restart filebeat?
systemctl stop filebeat
systemctl start filebeat
There's also the following note. I've seen case where logs get stored only in journald. You may want to run journalctl -u filebeat.service to see if the logs are getting stored in journald.
When Filebeat is running on a Linux system with systemd, it uses by default the -e command line option, that makes it write all the logging output to stderr so it can be captured by journald. Other outputs are disabled.
The logs are stored in journald. Is there no way to override this?
It’s documented in the manual:
https://www.elastic.co/guide/en/beats/filebeat/current/running-with-systemd.html
That’s also linked from the logging manual page Michael linked to in his answer.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.