Filebeat system module "no filesets enabled" with custom path

Elastic Stack Beats
1

Hello.
I'm failing to ship my syslog (located in a custom path) to elasticsearch using filebeat's system module.
My system.yml file:

# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/mnt/drive/linux-logs/syslog"]

    # Use journald to collect system logs
    #var.use_journald: false

  # Authorization logs
  auth:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

    # Use journald to collect auth logs
    #var.use_journald: false

Running sudo filebeat setup --pipelines --modules system
resutls in Exiting: module system is configured but has no enabled filesets

Thanks for your help in advance and my apologies if this is an inappropriate question.

2

Hi @mateodi Welcome to the community

What version? (always include in questions

Do you have a copy of the file system.yml in modules.d or any other .yml in that directory because they all get concatenated... so if you have another one and it is disabled, that can cause this error.

did you use the following command?

filebeat modules enable system

And BTW I recommend running

filebeat setup -e so all the proper components get loaded

Also why are you running with sudo you should not need to

3

Thank you for the response.
My filebeat version is filebeat version 8.17.0 (arm64), libbeat 8.17.0 [092f0eae4d0d343cc3a142f671c2a0428df67840 built 2024-12-11 11:10:39 +0000 UTC].
The system module is enabled in my system.
I also have the suricata module enabled (and its .yml file is in the directory) but its structure is standard and the module is working properly.
I did run the filebeat setup -e command and have found {"log.level":"info","@timestamp":"2025-02-18T08:39:17.616+0200","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":136},"message":"Enabled modules/filesets: system (syslog), system (auth)","service.name":"filebeat","ecs.version":"1.6.0"}.
All my indices in elasticsearch are formatted as logstash-year.month.day (even though I'm not using logstash) and appear to not include any references to syslog.

4

I get the same message... I am not sure why.

But if I run

./filebeat setup -e

All the pipelines get loaded...

So perhaps do that... not sure if it is a bug or not you could open an issues.

I always recommend running the following anyway to make sure all the assets get loaded.

./filebeat setup -e

You could open an issue.

5

I have actually discovered that the logs are in fact being shipped but under a different index .ds-filebeat-8.17.0-timestamp. I will not be opening an issue on this matter as this was an error on my side. Thank you for the assistance.

6

@mateodi

Found the issues it is subtle you need to run the command

./filebeat setup --pipelines --modules system --force-enable-module-filesets

See here