Installing Filebeat on Ubuntu adds a lightweight log shipper that can forward host events to Elasticsearch or Logstash for search, alerting, and retention. Package-based installation keeps upgrades manageable through APT and makes it easier to align the Beat version with the rest of the Elastic Stack.
The DEB package places the Filebeat binaries under /usr/share/filebeat, keeps the main configuration in /etc/filebeat/filebeat.yml, stores registry state in /var/lib/filebeat, and defines the systemd unit with those paths. On current package-based installs, the service writes startup and runtime logs to the systemd journal, while the service unit still reserves /var/log/filebeat as the default path.logs location.
Current repository-based installs use the Elastic 9.x APT branch, and the shipped /etc/filebeat/filebeat.yml still points output.elasticsearch at localhost:9200 with the sample filestream input disabled. Installation can be verified immediately, but meaningful log shipping starts only after configuring a reachable output and enabling at least one input or module.
$ curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor --yes -o /usr/share/keyrings/elasticsearch-keyring.gpg
Install curl and gnupg with APT first if either command is missing on a minimal Ubuntu image.
$ echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/9.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-9.x.list
deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/9.x/apt stable main
The 9.x repository controls the major version that APT installs and upgrades.
Use the direct echo method for this repository file instead of add-apt-repository so APT does not add an unsupported deb-src entry.
$ sudo apt-get update
Get:1 https://artifacts.elastic.co/packages/9.x/apt stable InRelease [3249 B]
Get:2 https://artifacts.elastic.co/packages/9.x/apt stable/main arm64 Packages [153 kB]
##### snipped #####
Reading package lists... Done
The architecture label in the package list line reflects the local host, such as amd64 or arm64.
$ apt-cache policy filebeat
filebeat:
  Installed: (none)
  Candidate: 9.3.2
  Version table:
     9.3.2 500
        500 https://artifacts.elastic.co/packages/9.x/apt stable/main arm64 Packages
##### snipped #####
$ sudo apt-get install -y filebeat
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  filebeat
##### snipped #####
Setting up filebeat (9.3.2) ...
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
Package installs keep /etc/filebeat/filebeat.yml owned by root with strict permissions by default, so preserve that ownership model when editing the file later.
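A check for two points from this page, the signed-by repository entry without a deb-src line and the root-owned filebeat.yml, written as an added example that is not part of the original guide or of Elastic's tooling. The function names are hypothetical, and "strict permissions" is assumed here to mean no group or other write access.

```shell
#!/bin/sh
# Added example: post-install checks for the Elastic APT source and filebeat.yml.
# Function names are hypothetical; stat -c is the GNU coreutils form found on Ubuntu.

# check_elastic_source FILE
# Fails if FILE has a deb-src entry or an active deb entry without signed-by=.
check_elastic_source() {
    src=$1
    [ -r "$src" ] || { echo "missing: $src"; return 2; }
    if grep -Eq '^[[:space:]]*deb-src[[:space:]]' "$src"; then
        echo "deb-src entry present in $src"; return 1
    fi
    # A deb line without signed-by= is not pinned to the dedicated keyring.
    if grep -E '^[[:space:]]*deb[[:space:]]' "$src" | grep -vq 'signed-by='; then
        echo "deb entry without signed-by in $src"; return 1
    fi
    grep -Eq '^[[:space:]]*deb[[:space:]]' "$src" || { echo "no deb entry in $src"; return 1; }
    return 0
}

# check_config_perms FILE [UID]
# Fails unless FILE is owned by UID (default 0, root) and is not writable
# by group or others (assumed meaning of "strict permissions").
check_config_perms() {
    cfg=$1
    want_uid=${2:-0}
    [ -e "$cfg" ] || { echo "missing: $cfg"; return 2; }
    owner=$(stat -c '%u' "$cfg")
    mode=$(stat -c '%a' "$cfg")
    if [ "$owner" != "$want_uid" ]; then
        echo "$cfg owned by uid $owner, expected $want_uid"; return 1
    fi
    # Octal bits 022 are group-write and other-write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$cfg mode $mode is writable by group or others"; return 1
    fi
    return 0
}

# Check the paths used on this page when called with "run" as the first argument.
if [ "${1:-}" = "run" ]; then
    check_elastic_source /etc/apt/sources.list.d/elastic-9.x.list && echo "APT source OK"
    check_config_perms /etc/filebeat/filebeat.yml && echo "filebeat.yml permissions OK"
fi
```

Run the script with sudo and the argument run so that the root-only configuration file can be inspected.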
$ sudo systemctl start filebeat
The default configuration targets localhost:9200 and leaves the sample filestream input disabled, so the journal can show connection retries and no harvested events until a real output and at least one input or module are configured.
On standard package installs, Filebeat is already configured to start at boot; use sudo systemctl enable filebeat only when local policy has disabled auto-start.
$ sudo systemctl status filebeat --no-pager
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled)
     Active: active (running)
##### snipped #####
systemd keeps package-based service logs in the journal, so sudo journalctl -u filebeat.service --no-pager --lines=30 is the fastest follow-up when the unit does not stay active.
$ filebeat version
filebeat version 9.3.2 (arm64), libbeat 9.3.2 [45ad74566fce5c8c6f1df8a6b90cfa76310cfcfb built 2026-03-16 11:24:41 +0000 UTC] (FIPS-distribution: false)
The architecture tag in the version output changes with the local package, so amd64 hosts report amd64 instead of arm64.