How to configure a Filebeat TCP input

Receiving logs over TCP makes it possible to centralize events from applications, devices, and custom services that can only push data to a socket. A Filebeat TCP listener keeps collection and forwarding in the same service, which avoids adding a separate relay before events move to the configured output.

The tcp input opens a listening socket on the configured host and turns each framed record into one event. With the default delimiter framing, Filebeat splits events on a newline, stores plain text in the message field, and keeps newline-delimited JSON as raw message text unless a processor or downstream ingest pipeline decodes it later.

Binding a listener to 0.0.0.0 exposes it on all interfaces, so firewall rules and TLS should protect any receiver reachable from untrusted networks. The current tcp input also supports tcp4 or tcp6 binding, rfc6587 framing for octet-counted senders, and a default max_message_size of 20MiB, so explicit listener settings are safer than depending on defaults.

Steps to configure a Filebeat TCP input:

  1. Open the Filebeat configuration file for editing. 
    $ sudo nano /etc/filebeat/filebeat.yml
  2. Add a tcp input under filebeat.inputs with the desired listening address and port. 
    filebeat.inputs:
  - type: tcp
    host: "0.0.0.0:9001"
    max_message_size: 10MiB

    Keep filebeat.inputs: defined once in /etc/filebeat/filebeat.yml, because duplicate YAML keys can override earlier input blocks.

    The default framing expects one event per line and uses \n as the delimiter. Add framing: rfc6587 when the sender uses octet counting or non-transparent RFC6587 framing. Newline-delimited JSON is still published as the raw message unless a processor or downstream pipeline decodes it. Related: How to configure Filebeat processors

    Binding to 0.0.0.0 exposes the port on all interfaces. Prefer 127.0.0.1 for local-only senders, or restrict access with firewall rules and TLS. Related: How to configure Filebeat for TLS

  3. Test the configuration file for syntax errors. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK

    Related: How to test a Filebeat configuration

  4. Restart the Filebeat service to apply the new input configuration. 
    $ sudo systemctl restart filebeat

    Related: How to manage the Filebeat service with systemctl in Linux

  5. Confirm the Filebeat service is running after the restart. 
    $ sudo systemctl is-active filebeat
active

    Related: How to manage the Filebeat service with systemctl in Linux

  6. Verify the TCP listener is active on the configured port. 
    $ sudo ss -lntp | grep -F ':9001'
LISTEN 0      4096               0.0.0.0:9001        0.0.0.0:*    users:(("filebeat",pid=7866,fd=8))

    When the Filebeat HTTP endpoint is enabled, the /inputs metrics also expose counters such as received_events_total and published_events_total for the tcp listener. Related: How to enable the Filebeat HTTP endpoint