Filebeat not started

Hi,
My filebeat was not running, if can i change any settings in filebeat.yml it goes to inactive.

sudo service filebeat status

ā— filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Thu 2022-05-19 05:20:37 UTC; 2s ago
     Docs: https://www.elastic.co/beats/filebeat
  Process: 4386 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILURE)
 Main PID: 4386 (code=exited, status=1/FAILURE)

May 19 05:20:37 ip-172-31-80-78.ec2.internal systemd[1]: Unit filebeat.service entered failed state.
May 19 05:20:37 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service failed.
May 19 05:20:37 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service holdoff time over, scheduling restart.
May 19 05:20:37 ip-172-31-80-78.ec2.internal systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
May 19 05:20:37 ip-172-31-80-78.ec2.internal systemd[1]: start request repeated too quickly for filebeat.service
May 19 05:20:37 ip-172-31-80-78.ec2.internal systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
May 19 05:20:37 ip-172-31-80-78.ec2.internal systemd[1]: Unit filebeat.service entered failed state.
May 19 05:20:37 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service failed.

Please anyone help me.

Thanks in advance

What does your config look like?
What do the full Filebeat logs show?

@warkolm
This is my filebeat.yml file

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: my-filestream-id

  # Change to true to enable this input configuration.
  enabled: false
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #prospector.scanner.exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
#setup.ilm.overwrite: true
# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  host: "34.205.74.243:5601"

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["34.205.74.243:9200"]
    #ssl:
    #enabled: true
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the filebeat.
#instrumentation:
    # Set to true to enable instrumentation of filebeat.
    #enabled: false

    # Environment in which filebeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

@warkolm
where can i see my filebeat logs

Thanks in advance

Hi ,

Please comment this part and start the filebeat service again.

@ibra_013 Thank you

This is the status when i comment and restart host: "34.205.74.243:5601"

 filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Thu 2022-05-19 08:50:17 UTC; 3s ago
     Docs: https://www.elastic.co/beats/filebeat
  Process: 21699 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILURE)
 Main PID: 21699 (code=exited, status=1/FAILURE)

May 19 08:50:17 ip-172-31-80-78.ec2.internal systemd[1]: Unit filebeat.service entered failed state.
May 19 08:50:17 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service failed.
May 19 08:50:17 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service holdoff time over, scheduling restart.
May 19 08:50:17 ip-172-31-80-78.ec2.internal systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
May 19 08:50:17 ip-172-31-80-78.ec2.internal systemd[1]: start request repeated too quickly for filebeat.service
May 19 08:50:17 ip-172-31-80-78.ec2.internal systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
May 19 08:50:17 ip-172-31-80-78.ec2.internal systemd[1]: Unit filebeat.service entered failed state.
May 19 08:50:17 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service failed.

There is no change in status

Hi @Rajesh119

Could you please share the logs under the path /var/log/filebeat/

Hi @ibra_013

i have multiple files

filebeat-20220518-1.ndjson  filebeat-20220518-3.ndjson  filebeat-20220518-5.ndjson  filebeat-20220518.ndjson
filebeat-20220518-2.ndjson  filebeat-20220518-4.ndjson  filebeat-20220518-6.ndjson  filebeat-20220519.ndjson

Which one you want

Hi @Rajesh119

The last one

filebeat-20220519.ndjson

@ibra_013

[root@ip-172-31-81-78 filebeat]# cat filebeat-20220519.ndjson
{"log.level":"info","@timestamp":"2022-05-19T05:05:44.222Z","log.origin":{"file.name":"instance/beat.go","file.line":685},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T05:05:44.222Z","log.origin":{"file.name":"instance/beat.go","file.line":693},"message":"Beat ID: 44bcf59f-fe35-4549-ada1-4d10648a8615","service.name":"filebeat","ecs.version":"1.6.0"}
[root@ip-172-31-80-78 filebeat]# tail -f filebeat-20220519.ndjson
{"log.level":"info","@timestamp":"2022-05-19T05:05:44.222Z","log.origin":{"file.name":"instance/beat.go","file.line":685},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T05:05:44.222Z","log.origin":{"file.name":"instance/beat.go","file.line":693},"message":"Beat ID: 44bcf59f-fe35-4549-ada1-4d10648a8615","service.name":"filebeat","ecs.version":"1.6.0"}

Hi @Rajesh119

Sorry if you don't specify the logging output on the yaml file the logs will be on journal,

please share the output of :

journalctl -u filebeat.service

Hi @ibra_013

This is the output

journalctl -u filebeat.service

[root@ip-172-31-80-78 filebeat]# journalctl -u filebeat.service
-- Logs begin at Fri 2022-02-04 10:14:26 UTC, end at Thu 2022-05-19 09:12:26 UTC. --
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.518Z","log.origin":{"file.name":"instance/b
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.518Z","log.origin":{"file.name":"instance/b
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.523Z","log.logger":"seccomp","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.523Z","log.logger":"beat","log.origin":{"fi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.524Z","log.logger":"beat","log.origin":{"fi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.524Z","log.logger":"beat","log.origin":{"fi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.524Z","log.logger":"add_cloud_metadata","lo
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.524Z","log.logger":"beat","log.origin":{"fi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.525Z","log.logger":"beat","log.origin":{"fi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.525Z","log.origin":{"file.name":"instance/b
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.525Z","log.logger":"esclientleg","log.origi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.526Z","log.logger":"publisher","log.origin"
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.526Z","log.logger":"modules","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.526Z","log.logger":"monitoring","log.origin
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.529Z","log.origin":{"file.name":"instance/b
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.531Z","log.origin":{"file.name":"memlog/sto
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.531Z","log.logger":"registrar","log.origin"
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.531Z","log.logger":"crawler","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.532Z","log.logger":"crawler","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.532Z","log.logger":"crawler","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.logger":"modules","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.origin":{"file.name":"beater/cra
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service: main process exited, code=exited, status=1/FAILURE
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.origin":{"file.name":"beater/cra
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.origin":{"file.name":"beater/cra
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.logger":"registrar","log.origin"
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.logger":"registrar","log.origin"
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.logger":"registrar","log.origin"
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: Unit filebeat.service entered failed state.
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.535Z","log.logger":"monitoring","log.origin
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.535Z","log.logger":"monitoring","log.origin
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.535Z","log.logger":"monitoring","log.origin
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service failed.
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.536Z","log.origin":{"file.name":"instance/b
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"error","@timestamp":"2022-05-18T16:39:48.536Z","log.origin":{"file.name":"instance/
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: Exiting: Failed to start crawler: creating module reloader failed: could not create module regist
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service holdoff time over, scheduling restart.
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
lines 1-41

Hi @Rajesh119

let's try filebeat -e

Hi @ibra_013

This is the output:

filebeat -e

[root@ip-172-31-80-78 ~]# filebeat -e
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.727Z","log.origin":{"file.name":"instance/beat.go","file.line":685},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.727Z","log.origin":{"file.name":"instance/beat.go","file.line":693},"message":"Beat ID: 44bcf59f-fe35-4549-ada1-4d10648a8615","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.731Z","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.731Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1063},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"44bcf59f-fe35-4549-ada1-4d10648a8615"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.731Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1072},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"045da3a1bb89944373c33332c18ca99ef6192df2","libbeat":"8.2.0","time":"2022-04-19T23:31:06.000Z","version":"8.2.0"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.731Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1075},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.17.8"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.732Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1079},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-05-18T16:28:28Z","containerized":false,"name":"ip-172-31-80-78.ec2.internal","ip":["127.0.0.1/8","::1/128","172.31.80.78/20","fe80::10c6:9bff:feaa:d27d/64"],"kernel_version":"4.14.262-200.489.amzn2.x86_64","mac":["12:c6:9b:aa:d2:7d"],"os":{"type":"linux","family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2","major":2,"minor":0,"patch":0,"codename":"Karoo"},"timezone":"UTC","timezone_offset_sec":0,"id":"ec23b9becf9298eeb55a900003a72217"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.732Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1108},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null},"cwd":"/root","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":11133,"ppid":24525,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2022-05-19T09:30:16.510Z"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.732Z","log.origin":{"file.name":"instance/beat.go","file.line":325},"message":"Setup Beat: filebeat; Version: 8.2.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.732Z","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":105},"message":"add_cloud_metadata: hosting provider type detected as aws, metadata={\"cloud\":{\"account\":{\"id\":\"366914328259\"},\"availability_zone\":\"us-east-1d\",\"image\":{\"id\":\"ami-01893222c83843146\"},\"instance\":{\"id\":\"i-0d68f1032f0dda931\"},\"machine\":{\"type\":\"t2.medium\"},\"provider\":\"aws\",\"region\":\"us-east-1\",\"service\":{\"name\":\"EC2\"}}}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.733Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":105},"message":"elasticsearch url: http://34.205.74.243:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.733Z","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: ip-172-31-80-78.ec2.internal","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.734Z","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":108},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.734Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":142},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.734Z","log.origin":{"file.name":"instance/beat.go","file.line":505},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.742Z","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=652","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.742Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 4","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.742Z","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.742Z","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.id filebeat.inputs.0.paths.0 filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.742Z","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":121},"message":"input disabled, skipping it","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.742Z","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":108},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.743Z","log.origin":{"file.name":"beater/crawler.go","file.line":155},"message":"Stopping Crawler","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.743Z","log.origin":{"file.name":"beater/crawler.go","file.line":165},"message":"Stopping 0 inputs","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.743Z","log.origin":{"file.name":"beater/crawler.go","file.line":185},"message":"Crawler stopped","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.743Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":132},"message":"Stopping Registrar","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.743Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":166},"message":"Ending Registrar","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.743Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":137},"message":"Registrar stopped","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.746Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":192},"message":"Total metrics","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":40,"time":{"ms":40}},"total":{"ticks":160,"time":{"ms":160},"value":0},"user":{"ticks":120,"time":{"ms":120}}},"handles":{"limit":{"hard":65535,"soft":65535},"open":9},"info":{"ephemeral_id":"011aa83a-d7a8-45ef-8aa8-2d97784f22cd","uptime":{"ms":80},"version":"8.2.0"},"memstats":{"gc_next":19365664,"memory_alloc":12240624,"memory_sys":33113096,"memory_total":53570568,"rss":125194240},"runtime":{"goroutines":15}},"filebeat":{"events":{"active":0,"added":0,"done":0},"harvester":{"closed":0,"open_files":0,"running":0,"skipped":0,"started":0},"input":{"log":{"files":{"renamed":0,"truncated":0}},"netflow":{"flows":0,"packets":{"dropped":0,"received":0}}}},"libbeat":{"config":{"module":{"running":0,"starts":0,"stops":0},"reloads":0,"scans":0},"output":{"events":{"acked":0,"active":0,"batches":0,"dropped":0,"duplicates":0,"failed":0,"toomany":0,"total":0},"read":{"bytes":0,"errors":0},"type":"elasticsearch","write":{"bytes":0,"errors":0}},"pipeline":{"clients":0,"events":{"active":0,"dropped":0,"failed":0,"filtered":0,"published":0,"retry":0,"total":0},"queue":{"acked":0,"max_events":4096}}},"registrar":{"states":{"cleanup":0,"current":0,"update":0},"writes":{"fail":0,"success":0,"total":0}},"system":{"cpu":{"cores":2},"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.746Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":193},"message":"Uptime: 82.043812ms","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.746Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":160},"message":"Stopping metrics logging.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:30:16.746Z","log.origin":{"file.name":"instance/beat.go","file.line":510},"message":"filebeat stopped.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-05-19T09:30:16.746Z","log.origin":{"file.name":"instance/beat.go","file.line":1038},"message":"Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module system is configured but has no enabled filesets

Hi @Rajesh119

This the error why filebeat servics is failing

"log.level":"error","@timestamp":"2022-05-19T09:30:16.746Z","log.origin":{"file.name":"instance/beat.go","file.line":1038},"message":"Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module system is configured but has no enabled filesets

please to change false to true

Hi @ibra_013 Thank you for your quick response
i changed false to true and restart server but no use

sudo service filebeat restart

sudo service filebeat status
output:

ā— filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Thu 2022-05-19 09:46:11 UTC; 4s ago
     Docs: https://www.elastic.co/beats/filebeat
  Process: 19980 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILURE)
 Main PID: 19980 (code=exited, status=1/FAILURE)

May 19 09:46:11 ip-172-31-80-78.ec2.internal systemd[1]: Unit filebeat.service entered failed state.
May 19 09:46:11 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service failed.
May 19 09:46:11 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service holdoff time over, scheduling restart.
May 19 09:46:11 ip-172-31-80-78.ec2.internal systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
May 19 09:46:11 ip-172-31-80-78.ec2.internal systemd[1]: start request repeated too quickly for filebeat.service
May 19 09:46:11 ip-172-31-80-78.ec2.internal systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
May 19 09:46:11 ip-172-31-80-78.ec2.internal systemd[1]: Unit filebeat.service entered failed state.
May 19 09:46:11 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service failed.

journalctl -u filebeat.service

-- Logs begin at Fri 2022-02-04 10:14:26 UTC, end at Thu 2022-05-19 09:49:37 UTC. --
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.518Z","log.origin":{"file.name":"instance/b
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.518Z","log.origin":{"file.name":"instance/b
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.523Z","log.logger":"seccomp","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.523Z","log.logger":"beat","log.origin":{"fi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.524Z","log.logger":"beat","log.origin":{"fi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.524Z","log.logger":"beat","log.origin":{"fi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.524Z","log.logger":"add_cloud_metadata","lo
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.524Z","log.logger":"beat","log.origin":{"fi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.525Z","log.logger":"beat","log.origin":{"fi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.525Z","log.origin":{"file.name":"instance/b
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.525Z","log.logger":"esclientleg","log.origi
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.526Z","log.logger":"publisher","log.origin"
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.526Z","log.logger":"modules","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.526Z","log.logger":"monitoring","log.origin
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.529Z","log.origin":{"file.name":"instance/b
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.531Z","log.origin":{"file.name":"memlog/sto
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.531Z","log.logger":"registrar","log.origin"
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.531Z","log.logger":"crawler","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.532Z","log.logger":"crawler","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.532Z","log.logger":"crawler","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.logger":"modules","log.origin":{
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.origin":{"file.name":"beater/cra
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service: main process exited, code=exited, status=1/FAILURE
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.origin":{"file.name":"beater/cra
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.origin":{"file.name":"beater/cra
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.logger":"registrar","log.origin"
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.logger":"registrar","log.origin"
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.533Z","log.logger":"registrar","log.origin"
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: Unit filebeat.service entered failed state.
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.535Z","log.logger":"monitoring","log.origin
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.535Z","log.logger":"monitoring","log.origin
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.535Z","log.logger":"monitoring","log.origin
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service failed.
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"info","@timestamp":"2022-05-18T16:39:48.536Z","log.origin":{"file.name":"instance/b
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: {"log.level":"error","@timestamp":"2022-05-18T16:39:48.536Z","log.origin":{"file.name":"instance/
May 18 16:39:48 ip-172-31-80-78.ec2.internal filebeat[10101]: Exiting: Failed to start crawler: creating module reloader failed: could not create module regist
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: filebeat.service holdoff time over, scheduling restart.
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
May 18 16:39:48 ip-172-31-80-78.ec2.internal systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
lines 1-41

filebeat -e

{"log.level":"info","@timestamp":"2022-05-19T09:50:13.916Z","log.origin":{"file.name":"instance/beat.go","file.line":685},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.916Z","log.origin":{"file.name":"instance/beat.go","file.line":693},"message":"Beat ID: 44bcf59f-fe35-4549-ada1-4d10648a8615","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.920Z","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.920Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1063},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"44bcf59f-fe35-4549-ada1-4d10648a8615"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.920Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1072},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"045da3a1bb89944373c33332c18ca99ef6192df2","libbeat":"8.2.0","time":"2022-04-19T23:31:06.000Z","version":"8.2.0"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.920Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1075},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.17.8"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.920Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1079},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-05-18T16:28:28Z","containerized":false,"name":"ip-172-31-80-78.ec2.internal","ip":["127.0.0.1/8","::1/128","172.31.80.78/20","fe80::10c6:9bff:feaa:d27d/64"],"kernel_version":"4.14.262-200.489.amzn2.x86_64","mac":["12:c6:9b:aa:d2:7d"],"os":{"type":"linux","family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2","major":2,"minor":0,"patch":0,"codename":"Karoo"},"timezone":"UTC","timezone_offset_sec":0,"id":"ec23b9becf9298eeb55a900003a72217"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.920Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1108},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null},"cwd":"/root","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":22180,"ppid":24525,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2022-05-19T09:50:13.710Z"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.921Z","log.origin":{"file.name":"instance/beat.go","file.line":325},"message":"Setup Beat: filebeat; Version: 8.2.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.921Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":105},"message":"elasticsearch url: http://34.205.74.243:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.922Z","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: ip-172-31-80-78.ec2.internal","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.922Z","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":108},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.922Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":142},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.922Z","log.origin":{"file.name":"instance/beat.go","file.line":505},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.924Z","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":105},"message":"add_cloud_metadata: hosting provider type detected as aws, metadata={\"cloud\":{\"account\":{\"id\":\"366914328259\"},\"availability_zone\":\"us-east-1d\",\"image\":{\"id\":\"ami-01893222c83843146\"},\"instance\":{\"id\":\"i-0d68f1032f0dda931\"},\"machine\":{\"type\":\"t2.medium\"},\"provider\":\"aws\",\"region\":\"us-east-1\",\"service\":{\"name\":\"EC2\"}}}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.931Z","log.origin":{"file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=713","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.931Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 4","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.931Z","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.931Z","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":117},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.id filebeat.inputs.0.paths.0 filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":148},"message":"Starting input (ID: 11337388005444501392)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.logger":"input.filestream","log.origin":{"file.name":"compat/compat.go","file.line":111},"message":"Input filestream starting","service.name":"filebeat","id":"my-filestream-id","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.logger":"file_watcher","log.origin":{"file.name":"filestream/fswatch.go","file.line":138},"message":"Start next scan","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":108},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.origin":{"file.name":"beater/crawler.go","file.line":155},"message":"Stopping Crawler","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.origin":{"file.name":"beater/crawler.go","file.line":165},"message":"Stopping 1 inputs","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":170},"message":"Stopping input: 11337388005444501392","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.logger":"input.filestream","log.origin":{"file.name":"compat/compat.go","file.line":132},"message":"Input 'filestream' stopped","service.name":"filebeat","id":"my-filestream-id","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.origin":{"file.name":"beater/crawler.go","file.line":185},"message":"Crawler stopped","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":132},"message":"Stopping Registrar","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":166},"message":"Ending Registrar","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.932Z","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":137},"message":"Registrar stopped","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.933Z","log.logger":"input.filestream","log.origin":{"file.name":"compat/compat.go","file.line":124},"message":"Input 'filestream' stopped","service.name":"filebeat","id":"my-filestream-id","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.936Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":192},"message":"Total metrics","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":40,"time":{"ms":40}},"total":{"ticks":140,"time":{"ms":140},"value":0},"user":{"ticks":100,"time":{"ms":100}}},"handles":{"limit":{"hard":65535,"soft":65535},"open":9},"info":{"ephemeral_id":"ea39724a-7375-4489-a243-33ec1c994d7e","uptime":{"ms":75},"version":"8.2.0"},"memstats":{"gc_next":25430352,"memory_alloc":19195160,"memory_sys":33113096,"memory_total":53712640,"rss":125943808},"runtime":{"goroutines":15}},"filebeat":{"events":{"active":0,"added":0,"done":0},"harvester":{"closed":0,"open_files":0,"running":0,"skipped":0,"started":0},"input":{"log":{"files":{"renamed":0,"truncated":0}},"netflow":{"flows":0,"packets":{"dropped":0,"received":0}}}},"libbeat":{"config":{"module":{"running":0,"starts":0,"stops":0},"reloads":0,"scans":0},"output":{"events":{"acked":0,"active":0,"batches":0,"dropped":0,"duplicates":0,"failed":0,"toomany":0,"total":0},"read":{"bytes":0,"errors":0},"type":"elasticsearch","write":{"bytes":0,"errors":0}},"pipeline":{"clients":0,"events":{"active":0,"dropped":0,"failed":0,"filtered":0,"published":0,"retry":0,"total":0},"queue":{"acked":0,"max_events":4096}}},"registrar":{"states":{"cleanup":0,"current":0,"update":0},"writes":{"fail":0,"success":0,"total":0}},"system":{"cpu":{"cores":2},"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.936Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":193},"message":"Uptime: 77.227184ms","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.936Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":160},"message":"Stopping metrics logging.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-19T09:50:13.936Z","log.origin":{"file.name":"instance/beat.go","file.line":510},"message":"filebeat stopped.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-05-19T09:50:13.936Z","log.origin":{"file.name":"instance/beat.go","file.line":1038},"message":"Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module system is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module system is configured but has no enabled filesets

Hi,

Now we have a new error log :wink: ,

please share

filebeat modules list  | head

and

cat /etc/filebeat/modules.d/system.yml

Hi @ibra_013

These are the outputs:

filebeat modules list | head

Enabled:
system

Disabled:
activemq
apache
auditd
aws
awsfargate
azure

cat /etc/filebeat/modules.d/system.yml

# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.2/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Hi @Rajesh119

Please change false to true as it is well known issue

@ibra_013 Thank you sooo much my problem is solved. I struggled from last one week And now i get logs in elk.

I have a few doubts, Please clarify the doubts

  1. I want to monitor tomcat logs in elk for that what is the processor
  2. in tomcat i want catalina.out logs only so can i give file path like this in .yml file

/var/log/catlina.out

Thanks&Regards