How to run Filebeat setup for templates and dashboards

Running Filebeat setup prepares the Elasticsearch and Kibana assets that make incoming events immediately usable, so fields map correctly, rollover policy is ready, and the packaged dashboards have a matching data view to query. It is the one-time preparation step that prevents blank dashboards and mismatched field types after a new deployment, a major upgrade, or a configuration change that affects index assets.

The filebeat setup command does not start log shipping. Instead, it loads setup assets such as the filebeat-<version> index template, the default ILM policy and data stream, plus the packaged Kibana saved objects when setup.kibana is configured. Current Filebeat releases still document filebeat setup -e as the primary full setup command, while the optional flags such as --index-management, --dashboards, and --pipelines narrow the run to specific asset groups.

Setup still depends on a valid Filebeat configuration, reachable Elasticsearch and Kibana endpoints, and a credential that is allowed to install templates, ILM assets, and Kibana saved objects. In current packaged releases, the config also needs at least one enabled input or module before setup will start cleanly, otherwise Filebeat can exit with no modules or inputs enabled and configuration reloading disabled before any assets are loaded.

Related: How to load Filebeat dashboards into Kibana
Related: How to ship logs from Filebeat to Elasticsearch

Steps to run Filebeat setup for templates and dashboards:

  1. Confirm /etc/filebeat/filebeat.yml includes at least one enabled input or module, a reachable Elasticsearch output, and the Kibana endpoint for dashboard loading. 
    filebeat.inputs:
  - type: filestream
    id: syslog
    enabled: true
    paths:
      - /var/log/syslog

output.elasticsearch:
  hosts: ["https://es.example.net:9200"]
  username: "filebeat_setup"
  password: "${ES_SETUP_PASSWORD}"
  ssl.certificate_authorities: ["/etc/filebeat/certs/http-ca.crt"]

setup.kibana:
  host: "https://kibana.example.net:5601"
  username: "filebeat_setup"
  password: "${KIBANA_SETUP_PASSWORD}"
  space.id: "default"
  ssl.certificate_authorities: ["/etc/filebeat/certs/http-ca.crt"]

    Any enabled module under /etc/filebeat/modules.d also satisfies the input requirement for setup. Keep setup credentials in the Filebeat keystore or environment expansion instead of cleartext YAML when the host is not a throwaway lab system.

    Related: How to add a secret to a Filebeat keystore
    Related: How to enable a Filebeat module

  2. Test the Filebeat configuration before loading any assets. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK

    If this fails with no modules or inputs enabled and configuration reloading disabled, enable at least one input or module before retrying the setup run.

    Related: How to test a Filebeat configuration
    Related: How to enable a Filebeat module

  3. Test connectivity to the configured Elasticsearch output so setup does not fail on a bad endpoint, certificate, or credential. 
    $ sudo filebeat test output -c /etc/filebeat/filebeat.yml
elasticsearch: https://es.example.net:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.0.20
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 9.3.2

    The decisive success line is talk to server… OK followed by the detected cluster version.

    Related: How to test Filebeat output connectivity

  4. Run the one-time Filebeat setup command to load index-management assets and Kibana dashboards. 
    $ sudo filebeat setup -e -c /etc/filebeat/filebeat.yml
Overwriting lifecycle policy is disabled. Set `setup.ilm.overwrite: true` to overwrite.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Loaded Ingest pipelines

    With -e enabled, current releases also print structured JSON log lines around these status messages. The shorter lines above are the decisive success markers from a verified 9.3.2 setup run.

    Re-running setup can replace Kibana saved objects with the same IDs, and intentionally enabling overwrite settings can replace existing template or ILM assets. Use setup.ilm.overwrite: true only when you mean to update the installed lifecycle policy.

    If Filebeat normally publishes through Logstash or another non-Elasticsearch output, temporarily disable that output with -E overrides for this one-time run. Use filebeat setup --pipelines --modules system,nginx when you need to preload module ingest pipelines, because current docs still reserve --pipelines for configured filesets.

    Related: How to enable a Filebeat module

  5. Verify the Elasticsearch template and data stream were created for the current Filebeat version. 
    $ curl --silent --show-error --user "filebeat_setup:${ES_SETUP_PASSWORD}" --cacert /etc/filebeat/certs/http-ca.crt "https://es.example.net:9200/_index_template/filebeat-*?filter_path=index_templates.name,index_templates.index_template.index_patterns"
{"index_templates":[{"name":"filebeat-9.3.2","index_template":{"index_patterns":["filebeat-9.3.2"]}}]}
$ curl --silent --show-error --user "filebeat_setup:${ES_SETUP_PASSWORD}" --cacert /etc/filebeat/certs/http-ca.crt "https://es.example.net:9200/_data_stream/filebeat-*?filter_path=data_streams.name"
{"data_streams":[{"name":"filebeat-9.3.2"}]}

    A matching template plus the filebeat-<version> data stream confirms the index-management portion of setup finished cleanly.

  6. Confirm the packaged dashboards and the filebeat-* data view were imported into Kibana. 
    $ curl --silent --show-error --user "filebeat_setup:${KIBANA_SETUP_PASSWORD}" --cacert /etc/filebeat/certs/http-ca.crt -H 'kbn-xsrf: true' "https://kibana.example.net:5601/api/saved_objects/_find?type=dashboard&search_fields=title&search=filebeat&per_page=1" | jq '.total'
76
$ curl --silent --show-error --user "filebeat_setup:${KIBANA_SETUP_PASSWORD}" --cacert /etc/filebeat/certs/http-ca.crt -H 'kbn-xsrf: true' "https://kibana.example.net:5601/api/saved_objects/_find?type=index-pattern&search_fields=title&search=filebeat&per_page=1" | jq -r '.saved_objects[0].attributes.title'
filebeat-*

    Prefix the Saved Objects API path with /s/<space_id> when setup.kibana.space.id targets a non-default space. The API still uses index-pattern for data views, and the imported dashboards should also appear under Analytics → Dashboards after searching for filebeat.