How to test a Filebeat configuration

Testing a Filebeat configuration before restarting the service catches YAML mistakes, invalid settings, and permission problems before they interrupt log shipping. A quick validation pass is the safest way to confirm changes to /etc/filebeat/filebeat.yml are at least runnable.

The filebeat test config subcommand validates the selected configuration file with Filebeat's current settings. On package installs the default file is usually /etc/filebeat/filebeat.yml, and the -c flag lets you test another file when you keep staging or environment-specific copies.

A successful config test only confirms that Filebeat accepts the configuration settings. It does not prove the configured output is reachable, and POSIX ownership or permission failures can still block the command when config files are writable by anyone other than the owner.

Related: How to manage the Filebeat service with systemctl in Linux

Steps to test a Filebeat configuration:

  1. Run the configuration test against the active Filebeat config file. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK

    Replace the path after -c when you need to validate a non-default config file.

  2. Review the exact error when the test fails. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Exiting: error loading config file: yaml: line 7: did not find expected ',' or ']'

    Line numbers usually point to malformed indentation, an unfinished list, or another YAML syntax problem that must be fixed before Filebeat can start.

  3. Open the reported config file and correct the YAML or invalid setting. 
    $ sudoedit /etc/filebeat/filebeat.yml
  4. Correct ownership or permission failures before testing again. 
    $ sudo chmod go-w /etc/filebeat/filebeat.yml

    On POSIX systems, Filebeat requires config files to be owned by root or the user running Filebeat and not writable by group or others. If the error reports the wrong owner, change it with sudo chown root /etc/filebeat/filebeat.yml on package installs or assign the actual Beat user for a non-root foreground run. The same rule also applies to files under /etc/filebeat/modules.d.

  5. Repeat the configuration test until it returns Config OK. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
  6. Export the resolved configuration to inspect the active settings that Filebeat will use. 
    $ sudo filebeat export config -c /etc/filebeat/filebeat.yml | sed -n '1,20p'
filebeat:
  config:
    modules:
      path: /etc/filebeat/modules.d/*.yml
      reload:
        enabled: false
##### snipped #####
output:
  elasticsearch:
    hosts:
    - localhost:9200
##### snipped #####

    Use this when you need to confirm which input, module, processor, or output settings are active after editing the main config file.

  7. Run a separate output connectivity test when destination, authentication, or TLS settings changed. 
    $ sudo filebeat test output -c /etc/filebeat/filebeat.yml

    Related: How to test Filebeat output connectivity