Filebeat command reference
Filebeat provides a command-line interface for starting Filebeat and performing common tasks, like testing configuration files and loading dashboards.
The command line also supports global flags for controlling global behaviors.
Use sudo to run the following commands if:
- the config file is owned by root, or
- Filebeat is configured to capture data that requires root access
Commands | |
---|---|
export | Exports the configuration, index template or a dashboard to stdout. |
help | Shows help for any command. |
keystore | Manages the secrets keystore. |
modules | Manages configured modules. |
run | Runs Filebeat. This command is used by default if you start Filebeat without specifying a command. |
setup | Sets up the initial environment, including the index template, Kibana dashboards (when available), and machine learning jobs (when available). |
test | Tests the configuration. |
version | Shows information about the current version. |
Also see Global flags.
export command
Exports the configuration, index template or a dashboard to stdout. You can use this command to quickly view your configuration, see the contents of the index template or export a dashboard from Kibana.
SYNOPSIS
filebeat export SUBCOMMAND [FLAGS]
SUBCOMMANDS
- config
  Exports the current configuration to stdout. If you use the -c flag, this command exports the configuration that’s defined in the specified file.
- dashboard
  Exporting a dashboard lets you store the dashboard on disk in a module and load it automatically. The following command can be used:
  filebeat export dashboard --id="dashboard-id" > dashboard.json
  The dashboard-id can be found in the Kibana URL. By default, export dashboard writes the dashboard to stdout. In the command above, the output is redirected into dashboard.json so that it can be imported again later. The file contains the dashboard with all visualizations and searches. The index pattern is removed, as it is expected to be loaded separately for Filebeat.
  The generated dashboard.json file can be copied into the kibana/6/dashboard directory of Filebeat. The next time filebeat setup dashboards is run, the dashboard will be imported.
  If Kibana is not running on localhost:5061, the Filebeat configuration under setup.kibana must be adjusted.
- template
  Exports the index template to stdout. You can specify the --es.version and --index flags to further define what gets exported.
FLAGS
- --es.version VERSION
  When specified along with template, exports an index template that is compatible with the specified version.
- -h, --help
  Shows help for the export command.
- --index BASE_NAME
  When specified along with template, sets the base name to use for the index template. If this flag is not specified, the default base name is filebeat.
Also see Global flags.
EXAMPLES
filebeat export config
filebeat export template --es.version 6.4.3 --index myindexname
help command
Shows help for any command. If no command is specified, shows help for the run command.
SYNOPSIS
filebeat help COMMAND_NAME [FLAGS]
- COMMAND_NAME
  Specifies the name of the command to show help for.
FLAGS
- -h, --help
  Shows help for the help command.
Also see Global flags.
EXAMPLE
filebeat help export
keystore command
Manages the secrets keystore.
SYNOPSIS
filebeat keystore SUBCOMMAND [FLAGS]
SUBCOMMANDS
- add KEY
  Adds the specified key to the keystore. Use the --force flag to overwrite an existing key. Use the --stdin flag to pass the value through stdin.
- create
  Creates a keystore to hold secrets. Use the --force flag to overwrite the existing keystore.
- list
  Lists the keys in the keystore.
- remove KEY
  Removes the specified key from the keystore.
FLAGS
- --force
  Valid with the add and create subcommands. When used with add, overwrites the specified key. When used with create, overwrites the keystore.
- --stdin
  When used with add, uses the stdin as the source of the key’s value.
- -h, --help
  Shows help for the keystore command.
Also see Global flags.
EXAMPLES
filebeat keystore create
filebeat keystore add ES_PWD
filebeat keystore remove ES_PWD
filebeat keystore list
See Secrets keystore for more examples.
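The following script is an added example, not part of the Filebeat documentation or code. It loads a secret with add --stdin --force so that the value never appears on a command line or in shell history, then confirms the key with keystore list. FILEBEAT_BIN and store_secret are names made up for this example, and it assumes that keystore list prints one key per line.

```shell
#!/bin/sh
# Added example, not Filebeat's own code. FILEBEAT_BIN and store_secret are
# hypothetical names. Create the keystore first with: filebeat keystore create
FILEBEAT_BIN="${FILEBEAT_BIN:-filebeat}"

# store_secret KEY  (the secret value is read from stdin)
store_secret() {
    key=$1
    # Restrict key names to a conservative character set. This is a choice
    # made for this example, not a rule documented by Filebeat.
    case $key in
        ''|*[!A-Za-z0-9_]*)
            echo "store_secret: invalid key name" >&2
            return 2 ;;
    esac
    # Command substitution strips the trailing newline that a file or a
    # secrets manager usually appends to the value.
    value=$(cat)
    if [ -z "$value" ]; then
        echo "store_secret: empty value for $key" >&2
        return 3
    fi
    # printf is a shell builtin, so the value is not passed in the argument
    # list of any external process. --force overwrites an existing key.
    if ! printf '%s' "$value" | "$FILEBEAT_BIN" keystore add "$key" --stdin --force; then
        unset value
        return 4
    fi
    unset value
    # Assumption: `keystore list` prints one key name per line.
    "$FILEBEAT_BIN" keystore list | grep -Fxq -- "$key"
}

# Usage (the source of the secret is up to you):
#   store_secret ES_PWD < /path/to/file/containing/the/value
```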
modules command
Manages configured modules. You can use this command to enable and disable specific module configurations defined in the modules.d directory. The changes you make with this command are persisted and used for subsequent runs of Filebeat.
To see which modules are enabled and disabled, run the list subcommand.
SYNOPSIS
filebeat modules SUBCOMMAND [FLAGS]
SUBCOMMANDS
- disable MODULE_LIST
  Disables the modules specified in the space-separated list.
- enable MODULE_LIST
  Enables the modules specified in the space-separated list.
- list
  Lists the modules that are currently enabled and disabled.
FLAGS
- -h, --help
  Shows help for the export command.
Also see Global flags.
EXAMPLES
filebeat modules list
filebeat modules enable apache2 auditd mysql
run command
Runs Filebeat. This command is used by default if you start Filebeat without specifying a command.
SYNOPSIS
filebeat run [FLAGS]
Or:
filebeat [FLAGS]
FLAGS
- -N, --N
  Disables the publishing of events to the defined output. This option is useful only for testing Filebeat.
- --cpuprofile FILE
  Writes CPU profile data to the specified file. This option is useful for troubleshooting Filebeat.
- -h, --help
  Shows help for the run command.
- --httpprof [HOST]:PORT
  Starts an http server for profiling. This option is useful for troubleshooting and profiling Filebeat.
- --memprofile FILE
  Writes memory profile data to the specified output file. This option is useful for troubleshooting Filebeat.
- --modules MODULE_LIST
  Specifies a comma-separated list of modules to run. For example:
  filebeat run --modules nginx,mysql,system
  Rather than specifying the list of modules every time you run Filebeat, you can use the modules command to enable and disable specific modules. Then when you run Filebeat, it will run any modules that are enabled.
- --once
  When the --once flag is used, Filebeat starts all configured harvesters and inputs, and runs each input until the harvesters are closed. If you set the --once flag, you should also set close_eof so the harvester is closed when the end of the file is reached. By default harvesters are closed after close_inactive is reached.
- --setup
  Loads the initial setup, including Elasticsearch template, Kibana index pattern, Kibana dashboards and Machine learning jobs. If you want to use the command without running Filebeat, use the setup command instead.
Also see Global flags.
EXAMPLE
filebeat run -e --setup
Or:
filebeat -e --setup
setup command
Sets up the initial environment, including the index template, Kibana dashboards (when available), and machine learning jobs (when available).
- The index template ensures that fields are mapped correctly in Elasticsearch.
- The Kibana dashboards make it easier for you to visualize Filebeat data in Kibana.
- The machine learning jobs contain the configuration information and metadata necessary to analyze data for anomalies.
Use this command instead of run --setup when you want to set up the environment without actually running Filebeat and ingesting data.
SYNOPSIS
filebeat setup [FLAGS]
FLAGS
- --dashboards
  Sets up the Kibana dashboards only. This option loads the dashboards from the Filebeat package. For more options, such as loading customized dashboards, see Importing Existing Beat Dashboards in the Beats Developer Guide.
- -h, --help
  Shows help for the setup command.
- --machine-learning
  Sets up machine learning job configurations only.
- --modules MODULE_LIST
  Specifies a comma-separated list of modules. Use this flag to avoid errors when there are no modules defined in the filebeat.yml file.
- --pipelines
  Sets up ingest pipelines for configured filesets.
- --template
  Sets up the index template only.
Also see Global flags.
EXAMPLE
filebeat setup --dashboards
test command
Tests the configuration.
SYNOPSIS
filebeat test SUBCOMMAND [FLAGS]
SUBCOMMANDS
- config
  Tests the configuration settings.
- output
  Tests that Filebeat can connect to the output by using the current settings.
FLAGS
- -h, --help
  Shows help for the test command.
Also see Global flags.
EXAMPLE
filebeat test config
version command
Shows information about the current version.
SYNOPSIS
filebeat version [FLAGS]
FLAGS
- -h, --help
  Shows help for the version command.
Also see Global flags.
EXAMPLE
filebeat version
Global flags
These global flags are available whenever you run Filebeat.
- -E, --E "SETTING_NAME=VALUE"
  Overrides a specific configuration setting. You can specify multiple overrides. For example:
  filebeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']"
  This setting is applied to the currently running Filebeat process. The Filebeat configuration file is not changed.
- -M, --M "VAR_NAME=VALUE"
  Overrides the default configuration for a Filebeat module. You can specify multiple variable overrides. For example:
  filebeat -modules=nginx -M "nginx.access.var.paths=['/var/log/nginx/access.log*']" -M "nginx.access.var.pipeline=no_plugins"
- -c, --c FILE
  Specifies the configuration file to use for Filebeat. The file you specify here is relative to path.config. If the -c flag is not specified, the default config file, filebeat.yml, is used.
- -d, --d SELECTORS
  Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use -d "*" to enable debugging for all components. For example, -d "publish" displays all the "publish" related messages.
- -e, --e
  Logs to stderr and disables syslog/file output.
- --path.config
  Sets the path for configuration files. See the Directory layout section for details.
- --path.data
  Sets the path for data files. See the Directory layout section for details.
- --path.home
  Sets the path for miscellaneous files. See the Directory layout section for details.
- --path.logs
  Sets the path for log files. See the Directory layout section for details.
- --strict.perms
  Sets strict permission checking on configuration files. The default is -strict.perms=true. See Config file ownership and permissions in the Beats Platform Reference for more information.
- -v, --v
  Logs INFO-level messages.
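The script below is an added example, not part of the Filebeat documentation or code, of a pre-flight check that ties --strict.perms to the test command. It verifies that the config file is owned by root or the current user and is not writable by group or others, which is the rule that strict permission checking enforces on Unix-like systems, and only then runs test config and test output. FILEBEAT_BIN, config_perms_ok and preflight are hypothetical names, and the script is assumed to run as the same user as Filebeat.

```shell
#!/bin/sh
# Added example, not Filebeat's own code. FILEBEAT_BIN, config_perms_ok and
# preflight are hypothetical names; run it as the user Filebeat runs as.
FILEBEAT_BIN="${FILEBEAT_BIN:-filebeat}"

# Succeeds when the file meets the rule --strict.perms enforces on Unix-like
# systems: owned by root or the current user, not writable by group or others.
config_perms_ok() {
    cfg=$1
    [ -f "$cfg" ] || { echo "$cfg: not a regular file" >&2; return 2; }
    # ls -lnLd prints e.g. "-rw-r--r-- 1 0 0 ...": field 1 is the mode
    # string, field 3 the numeric owner; -L follows a symlinked config.
    meta=$(ls -lnLd -- "$cfg" | awk '{print $1 " " $3}')
    mode=${meta% *}
    owner=${meta#* }
    if [ "$owner" != 0 ] && [ "$owner" != "$(id -u)" ]; then
        echo "$cfg: owned by uid $owner, expected root or uid $(id -u)" >&2
        return 1
    fi
    # In the mode string, character 6 is group write and character 9 is
    # other write.
    case $mode in
        ?????w*|????????w*)
            echo "$cfg: mode $mode is writable by group or others" >&2
            return 1 ;;
    esac
    return 0
}

# Check permissions first, then let Filebeat validate the settings and the
# connection to the configured output. Pass an absolute path for the config.
preflight() {
    cfg=$1
    config_perms_ok "$cfg" || return $?
    "$FILEBEAT_BIN" test config -c "$cfg" || return 3
    "$FILEBEAT_BIN" test output -c "$cfg" || return 4
}

# Usage: preflight /path/to/filebeat.yml && filebeat run -c /path/to/filebeat.yml
```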