Filebeat commands

edit

Filebeat provides a command-line interface for running the Beat and performing common tasks, like testing configuration files and loading dashboards. The command-line also supports global flags for controlling global behaviors.

Use sudo to run the following commands if:

  • the config file is owned by root, or
  • Filebeat is configured to capture data that requires root access

export

Exports the configuration or index template to stdout.

help

Shows help for any command.

modules

Manages configured modules.

run

Runs Filebeat. This command is used by default if you start Filebeat without specifying a command.

setup

Sets up the initial environment, including the index template, Kibana dashboards (when available), and machine learning jobs (when available).

test

Tests the configuration.

version

Shows information about the current version.

Also see Global flags.

export command

edit

Exports the configuration or index template to stdout. You can use this command to quickly view your configuration or the contents of the index template.

SYNOPSIS

filebeat export SUBCOMMAND [FLAGS]

SUBCOMMANDS

config
Exports the current configuration to stdout. If you use the -c flag, this command exports the configuration that’s defined in the specified file.
template
Exports the index template to stdout. You can specify the --es.version and --index flags to further define what gets exported.

FLAGS

--es.version VERSION
When specified along with template, exports an index template that is compatible with the specified version.
-h, --help
Shows help for the export command.
--index BASE_NAME
When specified along with template, sets the base name to use for the index template. If this flag is not specified, the default base name is filebeat.

Also see Global flags.

EXAMPLES

filebeat export config
filebeat export template --es.version 6.1.4 --index myindexname

help command

edit

Shows help for any command. If no command is specified, shows help for the run command.

SYNOPSIS

filebeat help COMMAND_NAME [FLAGS]
COMMAND_NAME
Specifies the name of the command to show help for.

FLAGS

-h, --help
Shows help for the help command.

Also see Global flags.

EXAMPLE

filebeat help export

modules command

edit

Manages configured modules. You can use this command to enable and disable specific module configurations defined in the modules.d directory. The changes you make with this command are persisted and used for subsequent runs of Filebeat.

To see which modules are enabled and disabled, run the list subcommand.

SYNOPSIS

filebeat modules SUBCOMMAND [FLAGS]

SUBCOMMANDS

disable MODULE_LIST
Disables the modules specified in the space-separated list.
enable MODULE_LIST
Enables the modules specified in the space-separated list.
list
Lists the modules that are currently enabled and disabled.

FLAGS

-h, --help
Shows help for the export command.

Also see Global flags.

EXAMPLES

filebeat modules list
filebeat modules enable apache2 auditd mysql

run command

edit

Runs Filebeat. This command is used by default if you start Filebeat without specifying a command.

SYNOPSIS

filebeat run [FLAGS]

Or:

filebeat [FLAGS]

FLAGS

-N, --N
Disables the publishing of events to the defined output. This option is useful only for testing Filebeat.
--cpuprofile FILE
Writes CPU profile data to the specified file. This option is useful for troubleshooting Filebeat.
-h, --help
Shows help for the run command.
--httpprof [HOST]:PORT
Starts an http server for profiling. This option is useful for troubleshooting and profiling Filebeat.
--memprofile FILE
Writes memory profile data to the specified output file. This option is useful for troubleshooting Filebeat.
--modules MODULE_LIST

Specifies a comma-separated list of modules to run. For example:

filebeat run --modules nginx,mysql,system

Rather than specifying the list of modules every time you run Filebeat, you can use the modules command to enable and disable specific modules. Then when you run Filebeat, it will run any modules that are enabled.

--once
When the --once flag is used, Filebeat starts all configured harvesters and prospectors, and runs each prospector until the harvesters are closed. If you set the --once flag, you should also set close_eof so the harvester is closed when the end of the file is reached. By default harvesters are closed after close_inactive is reached.
--setup
Loads the sample Kibana dashboards. If you want to load the dashboards without running Filebeat, use the setup command instead.

Also see Global flags.

EXAMPLE

filebeat run -e --setup

Or:

filebeat -e --setup

setup command

edit

Sets up the initial environment, including the index template, Kibana dashboards (when available), and machine learning jobs (when available).

  • The index template ensures that fields are mapped correctly in Elasticsearch.
  • The Kibana dashboards make it easier for you to visualize Filebeat data in Kibana.
  • The machine learning jobs contain the configuration information and metadata necessary to analyze data for anomalies.

Use this command instead of run --setup when you want to set up the environment without actually running Filebeat and ingesting data.

SYNOPSIS

filebeat setup [FLAGS]

FLAGS

--dashboards
Sets up the Kibana dashboards only.
-h, --help
Shows help for the setup command.
--machine-learning
Sets up machine learning job configurations only.
--modules MODULE_LIST
Specifies a comma-separated list of modules. Use this flag to avoid errors when there are no modules defined in the filebeat.yml file.
--template
Sets up the index template only.

Also see Global flags.

EXAMPLE

filebeat setup --dashboards

test command

edit

Tests the configuration.

SYNOPSIS

filebeat test SUBCOMMAND [FLAGS]

SUBCOMMANDS

config
Tests the configuration settings.
output
Tests that Filebeat can connect to the output by using the current settings.

FLAGS

-h, --help
Shows help for the test command.

Also see Global flags.

EXAMPLE

filebeat test config

version command

edit

Shows information about the current version.

SYNOPSIS

filebeat version [FLAGS]

FLAGS

-h, --help
Shows help for the version command.

Also see Global flags.

EXAMPLE

filebeat version

Global flags

edit

These global flags are available whenever you run Filebeat.

-E, --E "SETTING_NAME=VALUE"

Overrides a specific configuration setting. You can specify multiple overrides. For example:

filebeat -E "name=mybeat" -E "output.elasticsearch.hosts=["http://myhost:9200"]"

This setting is applied to the currently running Filebeat process. The Filebeat configuration file is not changed.

-M, --M "VAR_NAME=VALUE"

Overrides the default configuration for a Filebeat module. You can specify multiple variable overrides. For example:

filebeat -modules=nginx -M "nginx.access.var.paths=[/var/log/nginx/access.log*]" -M "nginx.access.var.pipeline=no_plugins"
-c, --c FILE
Specifies the configuration file to use for Filebeat. The file you specify here is relative to path.config. If the -c flag is not specified, the default config file, filebeat.yml, is used.
-d, --d SELECTORS
Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use -d "*" to enable debugging for all components. For example, -d "publish" displays all the "publish" related messages.
-e, --e
Logs to stderr and disables syslog/file output.
--path.config
Sets the path for configuration files. See the Directory layout section for details.
--path.data
Sets the path for data files. See the Directory layout section for details.
--path.home
Sets the path for miscellaneous files. See the Directory layout section for details.
--path.logs
Sets the path for log files. See the Directory layout section for details.
--strict.perms
Sets strict permission checking on configuration files. The default is -strict.perms=true. See Config file ownership and permissions in the Beats Platform Reference for more information.
-v, --v
Logs INFO-level messages.