How to configure Filebeat for TLS

Configuring Filebeat for TLS makes the Elasticsearch output publish events over HTTPS and reject a node whose certificate cannot be trusted. Use it when Filebeat sends logs directly to a secured self-managed cluster or to a proxy that terminates Elasticsearch HTTP TLS.

The active settings live in the output.elasticsearch block in /etc/filebeat/filebeat.yml. Filebeat trusts public certificates through the host trust store by default, while many self-managed clusters need ssl.certificate_authorities pointed at the HTTP CA that signed the Elasticsearch certificate.

Use a copied CA file when several Filebeat hosts should share the same trust chain. The CA fingerprint method can work for generated cluster CAs, but the saved YAML is not proof by itself; filebeat test output should show certificate-chain verification, a successful handshake, and the Elasticsearch version before the service is restarted.

Related: How to ingest logs from Filebeat into Elasticsearch
Related: How to configure Elasticsearch HTTP TLS
Related: How to use an Elasticsearch API key with Filebeat output

Steps to configure Filebeat for TLS:

  1. Create a directory for the trusted CA and any optional client certificate files. 
    $ sudo install -d -m 750 /etc/filebeat/certs
  2. Install the Elasticsearch HTTP CA certificate on the Filebeat host. 
    $ sudo install -o root -g root -m 644 /tmp/http-ca.crt /etc/filebeat/certs/http-ca.crt

    Package-based Elasticsearch installs commonly create the generated HTTP CA as /etc/elasticsearch/certs/http_ca.crt on the Elasticsearch node. Copy the CA file, not the node private key or server certificate.
    Related: How to configure Elasticsearch HTTP TLS

  3. Back up the active Filebeat configuration. 
    $ sudo cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.pre-tls
  4. Open /etc/filebeat/filebeat.yml in a text editor. 
    $ sudo vi /etc/filebeat/filebeat.yml
  5. Configure the Elasticsearch output to use HTTPS and trust the copied CA.
    /etc/filebeat/filebeat.yml
    output.elasticsearch:
  hosts: ["https://node-01-secure:9200"]
  username: "filebeat_writer"
  password: "replace-with-filebeat-writer-password"
  ssl.certificate_authorities: ["/etc/filebeat/certs/http-ca.crt"]

    Keep only one output.* block enabled, or Filebeat fails to start with conflicting publisher settings. The host in hosts must match a DNS name or IP address in the Elasticsearch HTTP certificate subjectAltName extension.

    Store the password or API key in the Filebeat keystore on long-lived hosts. Add ssl.certificate and ssl.key under this block only when the endpoint requires mutual TLS. Filebeat defaults to ssl.verification_mode: full, which verifies both the issuer and the host name.
    Related: How to create a Filebeat keystore
    Related: How to add a secret to a Filebeat keystore
    Related: How to use an Elasticsearch API key with Filebeat output

  6. Test the Filebeat configuration for syntax and permission problems before touching the running service. 
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK

    Related: How to test a Filebeat configuration

  7. Test the saved output settings before restarting the service. 
    $ sudo filebeat test output -c /etc/filebeat/filebeat.yml
elasticsearch: https://node-01-secure:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.0.2.44
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 9.4.2

    filebeat test output uses the saved output host, CA file, and credentials without publishing an event. Unknown CA failures usually mention certificate signed by unknown authority, while host-name failures usually mention the requested name not appearing in the certificate.
    Related: How to test Filebeat output connectivity
    Tool: TLS Handshake Trace

  8. Restart the Filebeat service to apply the TLS settings. 
    $ sudo systemctl restart filebeat

    Related: How to manage the Filebeat service with systemctl in Linux

  9. Confirm the running Filebeat service establishes the HTTPS publisher connection after the restart. 
    $ sudo journalctl -u filebeat.service --since "5 min ago" --no-pager --lines=20
Jun 18 13:24:41 filebeat-host filebeat[2481]: {"log.level":"info","@timestamp":"2026-06-18T13:24:41.512Z","log.logger":"publisher_pipeline_output","message":"Connection to backoff(elasticsearch(https://node-01-secure:9200)) established","service.name":"filebeat","ecs.version":"1.6.0"}

    The journal line confirms the package service reconnected to the HTTPS output after the restart. If the journal shows 401 or 403, certificate trust succeeded and the remaining problem is credentials or privileges.
    Related: How to manage the Filebeat service with systemctl in Linux