Filebeat not logging to /var/log/filebeat

newmember · April 7, 2020, 8:00pm

I read this reference:

https://discuss.elastic.co/t/filebeat-refuses-to-log-to-file-7-0-1/181846

I am on Ubuntu 18.04
Installed filebeat from the package:

root@chris-Standard-PC-Q35-ICH9-2009:/etc# apt list filebeat
Listing... Done
filebeat/now 7.6.2 amd64 [installed,local]

Filebeat Service:

root@chris-Standard-PC-Q35-ICH9-2009:/etc# service filebeat status
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-04-07 13:32:02 MDT; 6min ago
     Docs: https://www.elastic.co/products/beats/filebeat
 Main PID: 25716 (filebeat)
    Tasks: 12 (limit: 4915)
   CGroup: /system.slice/filebeat.service
           └─25716 /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebteat

I added logging to filebeat.yml

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

logging.level: debug
#logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

At this point the logging is to syslog

For checking I ran the same start command from the service WITHOUT the "-e"

root@chris-Standard-PC-Q35-ICH9-2009:/var/log/filebeat# /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeatpath.logs /var/log/filebeat &
[1] 32443

I can see the log files now

root@chris-Standard-PC-Q35-ICH9-2009:/var/log/filebeat# ls
filebeat  filebeat.1

Summary:

I see the filebeat service start is using the "-e" option which is default from the filebeat package.

In /etc/init.d/filebeat there is this line:

# Do NOT "set -e"

Question:

How do I remove the "-e" from the filebeat service?
Is this correct approach to get the logging to work to the /var/log/filebeat folder?

Thanks

rugenl · April 8, 2020, 2:39am

See this: https://www.elastic.co/guide/en/beats/filebeat/7.1/running-with-systemd.html#_customize_systemd_unit_for_filebeat

I think you create a file /etc/systemd/system/filebeat.service.d/debug.conf containing

[Service]
Environment="BEAT_LOG_OPTS="

system · May 6, 2020, 2:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.