How to test a Filebeat configuration

Testing a Filebeat configuration catches YAML syntax mistakes, unsupported settings, and unsafe POSIX file permissions before a restart puts log shipping at risk. The Filebeat parser can reject a changed file without starting the service, so administrators can catch failures before service restarts, module changes, or output edits.

The filebeat test config subcommand reads the selected file through the same Beats configuration loader used during normal startup. Packaged Linux installs normally use /etc/filebeat/filebeat.yml, and the -c flag selects another file relative to path.config when staging or environment-specific copies need a separate check.

Config OK means Filebeat accepted the configuration text and the config file passed strict ownership checks. It does not prove that Elasticsearch, Logstash, Kafka, Redis, or another output is reachable, so test output connectivity separately when destination, TLS, or credential settings changed.

Steps to test a Filebeat configuration:

  1. Run the config test against the packaged Filebeat file. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK

    Replace the path after -c when you need to validate a non-default config file.

  2. Review the parser error when YAML loading fails. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Exiting: error loading config file: yaml: line 4: did not find expected ',' or ']'

    Fix malformed indentation, missing brackets, unclosed quotes, or unfinished lists before restarting Filebeat.
    Tool: YAML Validator

  3. Open the reported config file and correct the first failing line. 
    $ sudoedit /etc/filebeat/filebeat.yml
  4. Check strict permission failures when Filebeat rejects the file before parsing settings. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Exiting: error loading config file: config file ("/etc/filebeat/filebeat.yml") can only be writable by the owner but the permissions are "-rw-rw-rw-" (to fix the permissions use: 'chmod go-w /etc/filebeat/filebeat.yml')

    Filebeat checks POSIX config ownership and write permissions by default. Files under /etc/filebeat/modules.d must pass the same rule.

  5. Remove group and other write access from the config file. 
    $ sudo chmod go-w /etc/filebeat/filebeat.yml

    If the error reports the wrong owner, use sudo chown root /etc/filebeat/filebeat.yml for packaged installs or assign the user that runs Filebeat in a non-root foreground deployment.

  6. Repeat the configuration test until it returns Config OK. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
  7. Export the resolved config when path overrides or module snippets make the active settings unclear. 
    $ sudo filebeat export config -c /etc/filebeat/filebeat.yml
filebeat:
  inputs:
  - id: app-logs
    paths:
    - /var/log/app.log
    type: filestream
output:
  elasticsearch:
    hosts:
    - https://es-node-01.example.net:9200
path:
  config: /etc/filebeat
  data: /var/lib/filebeat
  home: /usr/share/filebeat
  logs: /var/log/filebeat

    The exported config can reveal inline credentials or internal endpoints when they are stored directly in YAML. Keep exported output local unless it has been reviewed and sanitized.

  8. Restart Filebeat only after the config test passes. 
    $ sudo systemctl restart filebeat

    Related: How to manage the Filebeat service with systemctl in Linux

  9. Run a separate output test when destination, authentication, or TLS settings changed. 
    $ sudo filebeat test output -c /etc/filebeat/filebeat.yml

    Related: How to test Filebeat output connectivity