Filebeat not logging to /var/log/filebeat

newmember · April 7, 2020, 8:00pm

I read this reference:

https://discuss.elastic.co/t/filebeat-refuses-to-log-to-file-7-0-1/181846

I am on Ubuntu 18.04
Installed filebeat from the package:

root@chris-Standard-PC-Q35-ICH9-2009:/etc# apt list filebeat
Listing... Done
filebeat/now 7.6.2 amd64 [installed,local]

Filebeat Service:

root@chris-Standard-PC-Q35-ICH9-2009:/etc# service filebeat status
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-04-07 13:32:02 MDT; 6min ago
     Docs: https://www.elastic.co/products/beats/filebeat
 Main PID: 25716 (filebeat)
    Tasks: 12 (limit: 4915)
   CGroup: /system.slice/filebeat.service
           └─25716 /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebteat

I added logging to filebeat.yml

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

logging.level: debug
#logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

At this point the logging is to syslog

For checking I ran the same start command from the service WITHOUT the "-e"

root@chris-Standard-PC-Q35-ICH9-2009:/var/log/filebeat# /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeatpath.logs /var/log/filebeat &
[1] 32443

I can see the log files now

root@chris-Standard-PC-Q35-ICH9-2009:/var/log/filebeat# ls
filebeat  filebeat.1

Summary:

I see the filebeat service start is using the "-e" option which is default from the filebeat package.

In /etc/init.d/filebeat there is this line:

# Do NOT "set -e"

Question:

How do I remove the "-e" from the filebeat service?
Is this correct approach to get the logging to work to the /var/log/filebeat folder?

Thanks

rugenl · April 8, 2020, 2:39am

See this: https://www.elastic.co/guide/en/beats/filebeat/7.1/running-with-systemd.html#_customize_systemd_unit_for_filebeat

I think you create a file /etc/systemd/system/filebeat.service.d/debug.conf containing

[Service]
Environment="BEAT_LOG_OPTS="

system · May 6, 2020, 2:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat 7.17 is not logging to files under Ubuntu Beats filebeat	7	513	October 3, 2022
Filebeat refuses to log to file (7.0.1) Beats filebeat	3	1583	June 18, 2019
No logs found for filebeat Beats filebeat	9	716	December 31, 2020
Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch Beats filebeat	3	1752	August 14, 2022
Filebeat not read log, log msg "File didn't change" Beats filebeat	2	407	June 22, 2022

Filebeat not logging to /var/log/filebeat

Related topics