How to list Filebeat modules

Listing Filebeat modules shows which prebuilt integrations are available on the host and which module definitions are currently active. That makes it easier to audit log collection coverage before enabling a new module, disabling an old one, or troubleshooting why a service is still shipping only raw logs.

The filebeat modules list command reads module definitions from the current modules.d loader path and groups them into Enabled and Disabled sections. On package-based Linux installs, the active configuration still points at /etc/filebeat/modules.d/*.yml, while archive installs keep the same modules.d layout under the selected path.config directory.

This page applies to standalone Filebeat deployments that still use the modules.d layout. A module appearing under Enabled only means its module file is active; the filesets inside that module can still remain disabled, and output, permission, or missing pipeline issues can still stop that module from parsing or publishing data successfully.

Related: How to enable a Filebeat module
Related: How to disable a Filebeat module
Related: How to run Filebeat setup for templates and dashboards

Steps to list Filebeat modules:

  1. Run the module list command on the host where Filebeat is installed. 
    $ sudo filebeat modules list
Enabled:
system

Disabled:
activemq
apache
auditd
aws
awsfargate
azure
cef
checkpoint
##### snipped #####

    Modules appear under Enabled when a matching <module>.yml file exists in /etc/filebeat/modules.d. A new package install can legitimately show a blank Enabled section until you enable a module.

  2. Inspect the module definition directory when you need to confirm why a module appears enabled or disabled. 
    $ sudo ls -1 /etc/filebeat/modules.d | sort | sed -n '1,12p'
activemq.yml.disabled
apache.yml.disabled
auditd.yml.disabled
aws.yml.disabled
awsfargate.yml.disabled
azure.yml.disabled
cef.yml.disabled
checkpoint.yml.disabled
cisco.yml.disabled
coredns.yml.disabled
crowdstrike.yml.disabled
system.yml

    Only files matching the default /etc/filebeat/modules.d/*.yml glob are loaded, so system.yml appears under Enabled while files ending in .yml.disabled stay available but inactive.

  3. Open the specific module file when you need to verify which filesets and variables are actually turned on. 
    $ sudo sed -n '1,20p' /etc/filebeat/modules.d/system.yml
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/9.3/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: false
##### snipped #####

    filebeat modules list reports module-file state, not per-fileset readiness. A module can appear under Enabled while its internal filesets still remain enabled: false until you change them in the YAML.

  4. Export the active configuration when the module list does not match the directory you expect. 
    $ sudo filebeat export config -c /etc/filebeat/filebeat.yml | sed -n '1,12p'
filebeat:
  config:
    modules:
      path: /etc/filebeat/modules.d/*.yml
      reload:
        enabled: false
##### snipped #####

    The modules subcommands follow the active filebeat.config.modules.path setting. On archive or custom service layouts, confirm that this path points at the module directory you intend to audit before trusting the list output.