How to list Filebeat modules

Listing Filebeat modules shows which prebuilt log parsers are available on a host and which module files are active. The module list is a quick audit before enabling a new service parser, checking why a module did not load, or confirming that a package upgrade still left the expected module files in place.

The filebeat modules list command reads the configured modules.d loader path and prints two sections: Enabled for active module files and Disabled for module files that remain available but inactive. On package-based Linux installs, that loader normally points at /etc/filebeat/modules.d/*.yml.

Standalone Filebeat deployments still use this modules.d layout. A module appearing under Enabled confirms that its module file is active, but the filesets inside that YAML file can still be disabled and output or pipeline problems can still prevent parsed events from reaching Elasticsearch.

Related: How to enable a Filebeat module
Related: How to disable a Filebeat module
Related: How to run Filebeat setup for templates and dashboards

Steps to list Filebeat modules:

  1. List the modules known to the active Filebeat configuration. 
    $ sudo filebeat modules list
Enabled:
system

Disabled:
activemq
apache
auditd
aws
awsfargate
azure
cef
checkpoint
cisco
coredns
crowdstrike
##### snipped #####

    A blank Enabled section is normal on a new install until at least one module is enabled.

  2. Check the module filenames when the list does not match the expected state. 
    $ sudo ls -1 /etc/filebeat/modules.d
activemq.yml.disabled
apache.yml.disabled
auditd.yml.disabled
aws.yml.disabled
awsfargate.yml.disabled
azure.yml.disabled
cef.yml.disabled
checkpoint.yml.disabled
##### snipped #####
system.yml
threatintel.yml.disabled
traefik.yml.disabled
zeek.yml.disabled
zookeeper.yml.disabled
zoom.yml.disabled

    Files ending in .yml are loaded by the default glob. Files ending in .yml.disabled stay available on disk but appear under Disabled.

  3. Open the enabled module file when fileset state matters. 
    $ sudo cat /etc/filebeat/modules.d/system.yml
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/9.4/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: false
##### snipped #####

    filebeat modules list reports the module file state. A module can appear under Enabled while individual filesets inside that module still show enabled: false.

  4. Export the active configuration when Filebeat may be using a custom config path. 
    $ sudo filebeat export config -c /etc/filebeat/filebeat.yml
filebeat:
  config:
    modules:
      path: /etc/filebeat/modules.d/*.yml
      reload:
        enabled: false
##### snipped #####
path:
  config: /etc/filebeat
  data: /var/lib/filebeat
  home: /usr/share/filebeat
  logs: /var/log/filebeat
##### snipped #####

    The modules subcommands follow the active filebeat.config.modules.path setting. Use the same config file and service layout that the running Filebeat instance uses before trusting the list output.