How to configure Filebeat output to Logstash

Routing Filebeat events through Logstash moves parsing, enrichment, and routing decisions off individual hosts and into a central pipeline. That keeps shipper configuration lean and makes downstream processing changes easier without touching every Filebeat node.

The output.logstash section in /etc/filebeat/filebeat.yml tells Filebeat where to open its Beats protocol connection, usually on TCP port 5044. The hosts list can point to one or more Logstash endpoints, and the same block also carries TLS settings when the beats input is encrypted.

Only one Filebeat output can be active at a time, so the Elasticsearch output must be disabled before Logstash becomes the publisher. Elastic also documents separate setup work when Logstash is the active output because index templates and dashboards are loaded through direct Elasticsearch and Kibana access rather than through Logstash itself.

Steps to configure Filebeat output to Logstash:

  1. Open the main Filebeat configuration file.
    $ sudo nano /etc/filebeat/filebeat.yml

    Package installs normally keep the active configuration in /etc/filebeat/filebeat.yml.

  2. Disable the Elasticsearch output and enable the Logstash output block.
    #output.elasticsearch:
    #  hosts: ["https://es.example.net:9200"]
    
    output.logstash:
      hosts: ["logstash-1.example.net:5044"]

    Only one output.* block can be enabled, or Filebeat fails to start with conflicting output settings.

    Add ssl.certificate_authorities and other ssl.* keys under output.logstash when the Logstash beats input uses TLS.

  3. Test the configuration syntax before applying the output change.
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
    Config OK

  4. Test the Logstash connection with the current output settings.
    $ sudo filebeat test output -c /etc/filebeat/filebeat.yml
    logstash: logstash-1.example.net:5044...
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 192.0.2.25
        dial up... OK
      TLS... WARN secure connection disabled
      talk to server... OK

    The filebeat test output subcommand checks the active output with the same host, port, and certificate settings that normal publishing uses.

    If TLS is enabled, the TLS part of this output shows certificate verification and handshake details instead of the secure connection disabled warning.

  5. Restart the Filebeat service to publish to Logstash.
    $ sudo systemctl restart filebeat

  6. Review recent Filebeat logs for a successful Logstash connection after the restart.
    $ sudo journalctl --unit=filebeat --since "5 min ago" --no-pager --lines=30
    Apr 02 12:21:18 host filebeat[2147]: {"log.level":"info","@timestamp":"2026-04-02T12:21:18.197Z","log.logger":"publisher_pipeline_output","message":"Connecting to backoff(async(tcp://logstash-1.example.net:5044))","service.name":"filebeat","ecs.version":"1.6.0"}
    Apr 02 12:21:18 host filebeat[2147]: {"log.level":"info","@timestamp":"2026-04-02T12:21:18.316Z","log.logger":"publisher_pipeline_output","message":"Connection to backoff(async(tcp://logstash-1.example.net:5044)) established","service.name":"filebeat","ecs.version":"1.6.0"}

    The Connection … established message confirms that Filebeat switched to the configured Logstash output.
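
A pre-flight check for steps 2 through 4, as an added example that is not part of the original page or Elastic's tooling: it confirms that output.logstash is the only active output and flags a plaintext connection, the condition behind the secure connection disabled warning above. The function names, sample files and CA path are constructed, and it assumes the dotted top-level key style shown on this page.

```shell
# Added example (not from the original page): audit the output section of a
# filebeat.yml. Assumes the dotted top-level key style shown on this page.

# Print each active (uncommented, column-0) output.* key, one per line.
active_outputs() {
    awk -F: '/^output\.[a-z_]+:/ { print $1 }' "$1"
}

# Print "yes" if the output.logstash block has ssl.* keys that are not
# switched off by ssl.enabled: false, else "no".
logstash_tls() {
    awk '
        /^output\.logstash:/ { in_block = 1; next }
        in_block && /^[^ \t#]/ { in_block = 0 }  # next top-level key
        in_block && /^[ \t]+ssl[.:]/ { found = 1 }
        in_block && /^[ \t]+ssl\.enabled:[ \t]*false/ { off = 1 }
        END { print ((found && !off) ? "yes" : "no") }
    ' "$1"
}

# Exit status: 0 = Logstash with TLS, 2 = Logstash plaintext, 1 = wrong outputs.
audit_config() {
    active=$(active_outputs "$1" | xargs)
    if [ "$active" != "output.logstash" ]; then
        echo "FAIL: active outputs must be exactly output.logstash, got: ${active:-none}"
        return 1
    fi
    if [ "$(logstash_tls "$1")" = "no" ]; then
        echo "WARN: output.logstash has no TLS settings (plaintext to Logstash)"
        return 2
    fi
    echo "OK: output.logstash is the only output and has TLS settings"
}

# Constructed sample configs; the CA path is a placeholder.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf '%s\n' '#output.elasticsearch:' 'output.logstash:' \
    '  hosts: ["logstash-1.example.net:5044"]' > "$SAMPLES/plain.yml"
printf '%s\n' 'output.logstash:' '  hosts: ["logstash-1.example.net:5044"]' \
    '  ssl.certificate_authorities: ["/path/to/ca.pem"]' > "$SAMPLES/tls.yml"
printf '%s\n' 'output.elasticsearch:' '  hosts: ["https://es.example.net:9200"]' \
    'output.logstash:' '  hosts: ["logstash-1.example.net:5044"]' > "$SAMPLES/both.yml"

for f in plain tls both; do
    audit_config "$SAMPLES/$f.yml" || true
done
```

Point audit_config at /etc/filebeat/filebeat.yml before running filebeat test config; a config that nests logstash under a plain output: key is outside what this check parses.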