Thank you for including all those details and formatting them correctly, that should make it quite easy and pleasant for me to hopefully help you very quickly.
The unit file included in the packages sets the
-e flag by default. This flag makes Filebeat log to stderr and disables other log outputs. Systemd stores all output sent to stderr in journald.
The systemd service unit file includes environment variables that you can override to change the default options.
To override these variables, create a drop-in unit file in the
To use [the logging] settings from the Filebeat file, empty the environment variable. For example:
To apply your changes, reload the systemd configuration and restart the service:
systemctl restart filebeat
It is recommended that you use a configuration management tool to include drop-in unit files. If you need to add a drop-in manually, use
systemctl edit filebeat.service .
Reference for the command line of filebeat to understand what the unit file does and what it can do:
To see the default filebeat unit file that came with the installation do:
systemctl status filebeat
and check the content of the unit file. (The path to the unit file is in the output of the above command.)
If you think this is confusing a bit because the settings you put in the config files are ignored, you now know why; "-e".
I would tend to agree this is confusing but the reasons for doing it from the POV of Elastic are valid.
- On systems with systemd, the Beats log is now written to journald by default rather than file. To revert this behaviour override BEAT_LOG_OPTS with an empty value. 8942.
I do think they missed an opportunity to link to:
with a warning/note that logging configurations from the config file will be completely overridden by the unit file on systemd systems and clearly inviting users to go read the "running with systemd" documentation page.
If you want to open an issue on github to suggest that documentation improvement that would be a good thing.
Let me know if this helps.