How to configure Filebeat inputs

Configuring Filebeat inputs decides which files, sockets, journals, or API endpoints become events, so it directly shapes both data quality and resource usage before anything reaches Elasticsearch or Logstash. A clean input layout keeps collection focused on the right sources and makes missing-data or duplicate-event troubleshooting much easier later.

Manual input definitions live in the filebeat.inputs YAML list inside /etc/filebeat/filebeat.yml unless the host already uses external input loading with filebeat.config.inputs. The most common manual file source is filestream, but Filebeat also supports journal, network, and HTTP-driven inputs that use different keys under the same basic structure.

Each input needs a unique, stable id. Current filestream behavior rejects duplicated IDs, and changing an existing ID can make saved state look new again and re-read data from the beginning. Keep file path globs from overlapping across inputs unless you are intentionally migrating or splitting ownership, and validate the configuration before any restart so a YAML mistake or misplaced input snippet does not stop log shipping.

Related: How to configure a filestream input in Filebeat
Related: How to configure a Filebeat journald input
Related: How to configure a Filebeat TCP input
Related: How to configure a Filebeat httpjson input
Related: How to enable Filebeat config reloading

Steps to configure Filebeat inputs:

  1. Create a backup copy of the current Filebeat configuration. 
    $ sudo cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
  2. Open the main Filebeat configuration file and locate the active input-loading section. 
    $ sudo nano /etc/filebeat/filebeat.yml

    Look for either a direct filebeat.inputs list in /etc/filebeat/filebeat.yml or an existing filebeat.config.inputs block that points at an external path such as /etc/filebeat/inputs.d/*.yml.

  3. Add a new input definition to the active input source. 
    filebeat.inputs:
  - type: filestream
    id: app-logs
    enabled: true
    paths:
      - /var/log/app/*.log

    If the host already uses filebeat.config.inputs.enabled: true, create a new file such as /etc/filebeat/inputs.d/app-logs.yml and start the file with - type: filestream instead of another filebeat.inputs key.

    Related: How to configure a filestream input in Filebeat
    Related: How to configure a Filebeat journald input
    Related: How to configure a Filebeat TCP input
    Related: How to configure a Filebeat syslog input
    Related: How to configure a Filebeat httpjson input

  4. Keep the input id stable and narrow the source match before saving the file.

    Each filestream input needs a unique id, and overlapping paths patterns across multiple inputs can duplicate collection or make ownership harder to reason about. Add exclusions instead of broader duplicate globs when you only need to skip specific files.

    Related: How to exclude paths from Filebeat inputs

  5. Test the Filebeat configuration before restarting the service. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK

    Related: How to test a Filebeat configuration

  6. Export the resolved configuration and confirm the new input is present. 
    $ sudo filebeat export config -c /etc/filebeat/filebeat.yml | sed -n '1,20p'
filebeat:
  inputs:
  - enabled: true
    id: app-logs
    paths:
    - /var/log/app/*.log
    type: filestream
##### snipped #####

    This is especially useful when /etc/filebeat/filebeat.yml loads external input snippets and you need to confirm the expected input file is actually being read.

  7. Restart the Filebeat service to apply the updated input configuration. 
    $ sudo systemctl restart filebeat

    Related: How to manage the Filebeat service with systemctl in Linux

  8. Check that the Filebeat service returned to the running state. 
    $ sudo systemctl status filebeat --no-pager --lines=20
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-04-02 11:54:19 UTC; 6s ago
   Main PID: 4821 (filebeat)
##### snipped #####

    Related: How to manage the Filebeat service with systemctl in Linux

  9. Review recent Filebeat logs for input startup messages or permission errors. 
    $ sudo journalctl --unit=filebeat --no-pager --lines=50
Apr 02 11:54:19 host filebeat[4821]: {"log.level":"info","@timestamp":"2026-04-02T11:54:19.441Z","log.logger":"crawler","message":"Loading and starting Inputs completed. Enabled inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
Apr 02 11:54:19 host filebeat[4821]: {"log.level":"info","@timestamp":"2026-04-02T11:54:19.442Z","log.logger":"input.filestream","message":"Input 'filestream' starting","service.name":"filebeat","id":"app-logs","ecs.version":"1.6.0"}
##### snipped #####

    The input-specific logger name changes with the input type, but repeated permission, path, or connection errors here usually mean the input still needs adjustment.