Installing Filebeat on Ubuntu provides a lightweight agent for forwarding host logs into Elasticsearch or Logstash for centralized search, alerting, and retention. Central collection reduces log loss on short-lived hosts and keeps troubleshooting data available even after rotation.

The Filebeat APT package installs the filebeat binary, a default YAML configuration at /etc/filebeat/filebeat.yml, and module definitions under /etc/filebeat/modules.d. A systemd unit manages the daemon, while registry state is stored under /var/lib/filebeat and service logs are written under /var/log/filebeat.

Elastic APT repositories are versioned by major branch (for example 8.x), so keeping the repository branch aligned with the rest of the Elastic Stack prevents unintended major upgrades. Starting the service is useful for installation verification, but connection errors will appear until /etc/filebeat/filebeat.yml points to a reachable Elasticsearch or Logstash endpoint.

Steps to install Filebeat on Ubuntu:

  1. Open a terminal session with sudo privileges. 
    $ whoami
user
  2. Import the Elastic repository signing key into the APT keyring. 
    $ curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor --yes -o /usr/share/keyrings/elastic.gpg

    Missing curl or gpg requires installing curl and gnupg with APT.

  3. Add the Elastic APT repository for Filebeat packages. 
    $ echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main

    The 8.x branch controls the major version installed and upgraded by APT.

  4. Refresh the APT package index. 
    $ sudo apt update

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Hit:1 https://artifacts.elastic.co/packages/8.x/apt stable InRelease
Hit:2 http://ports.ubuntu.com/ubuntu-ports noble InRelease
Get:3 http://ports.ubuntu.com/ubuntu-ports noble-updates InRelease [126 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports noble-backports InRelease [126 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports noble-security InRelease [126 kB]
Get:6 http://ports.ubuntu.com/ubuntu-ports noble-security/main arm64 Packages [1866 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports noble-security/universe arm64 Packages [1180 kB]
Fetched 3425 kB in 3s (1012 kB/s)
Reading package lists...
Building dependency tree...
Reading state information...
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
  5. Check the candidate Filebeat package version from the Elastic repository. 
    $ apt-cache policy filebeat
filebeat:
  Installed: 8.19.9
  Candidate: 8.19.9
  Version table:
 *** 8.19.9 500
        500 https://artifacts.elastic.co/packages/8.x/apt stable/main arm64 Packages
        100 /var/lib/dpkg/status
     8.19.8 500
        500 https://artifacts.elastic.co/packages/8.x/apt stable/main arm64 Packages
##### snipped #####
  6. Install the Filebeat package. 
    $ sudo apt install --assume-yes filebeat
 
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
Building dependency tree...
Reading state information...
filebeat is already the newest version (8.19.9).
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
  7. Enable the Filebeat service with immediate start. 
    $ sudo systemctl enable --now filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.

    Unconfigured outputs cause repeated connection errors in /var/log/filebeat/filebeat until a reachable endpoint is set in /etc/filebeat/filebeat.yml.

    Related: How to manage the Filebeat service with systemctl in Linux

  8. Confirm the Filebeat service is running. 
    $ sudo systemctl status filebeat --no-pager
● filebeat.service - Filebeat sends log files to Logstash or Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-01-06 20:58:03 UTC; 4s ago
##### snipped #####
  9. Confirm the installed Filebeat version. 
    $ filebeat version
filebeat version 8.19.9 (arm64), libbeat 8.19.9 [044579ba343a33f2594ab0af5d8778f23d813c7b built 2025-12-16 19:01:52 +0000 UTC] (FIPS-distribution: false)