Storing passwords and API keys directly in the main Filebeat YAML configuration (such as /etc/filebeat/filebeat.yml) increases the chance of secrets leaking through backups, support bundles, or version control. A Filebeat keystore keeps those values out of the YAML while still allowing authenticated outputs and processors.
The keystore is an encrypted on-disk store managed by the filebeat keystore subcommands. When a configuration value contains a ${KEY} placeholder, Filebeat resolves it at runtime from the keystore entry matching that key name.
The keystore is local to one Filebeat instance and must be created and populated on every host that needs the secret. Key names remain visible and only the values are protected, so file permissions on filebeat.keystore still matter. Filebeat reads the keystore on startup, so changes require restarting the filebeat service.
Steps to create a Filebeat keystore:
- Create the Filebeat keystore file.
$ sudo filebeat keystore create
Created filebeat keystore
The keystore file is created at ${path.data}/filebeat.keystore (commonly /var/lib/filebeat/filebeat.keystore on Linux packages). Recreating with --force replaces the existing keystore and removes stored keys.
- Add a secret value to the keystore.
$ printf 'strong-password' | sudo filebeat keystore add ES_PWD --stdin
Successfully updated the keystore
Use --stdin for automation pipelines and --force to overwrite an existing key value.
- Reference the secret in the output configuration.
output.elasticsearch:
  hosts: ["https://es.example.net:9200"]
  username: "filebeat_writer"
  password: "${ES_PWD}"
The placeholder name must match the keystore key exactly, including case.
- Test the Filebeat configuration for syntax errors.
$ sudo filebeat test config
Config OK
- Restart the Filebeat service to load the updated keystore.
$ sudo systemctl restart filebeat
- Check the Filebeat service status for a running state.
$ sudo systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-01-06 20:58:03 UTC; 4s ago
##### snipped #####
- List keystore keys to confirm the secret exists.
$ sudo filebeat keystore list
ES_PWD
filebeat keystore list prints key names only and never displays secret values.
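The following check is an added example, not part of the original guide or of Filebeat itself: it compares the ${KEY} placeholders in a configuration with the key names printed by filebeat keystore list, flags case mismatches, and reports password or api_key settings that still hold a literal value. The function names, the keys.txt file (saved output of sudo filebeat keystore list) and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Filebeat project code): cross-check config vs keystore keys.
# Distinct ${KEY} names in config $1; comment lines skipped, ":default" dropped.
# Assumption: keys look like shell identifiers, so ${path.logs} is ignored.
referenced_keys() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -o '[$][{][A-Za-z_][A-Za-z0-9_]*[:}]' |
        sed 's/^[$][{]//; s/[:}]$//' | sort -u
}

# Compare placeholders in $1 with key names in $2 (saved output of
# `filebeat keystore list`). Matching is exact and case-sensitive.
check_placeholders() {
    referenced_keys "$1" | while IFS= read -r key; do
        grep -qxF -- "$key" "$2" && continue
        near=$(grep -ixF -- "$key" "$2" | head -n 1) || true
        if [ -n "$near" ]; then
            printf 'CASE %s stored-as %s\n' "$key" "$near"
        else
            printf 'MISSING %s\n' "$key"   # must come from env or a default
        fi
    done
}

# Print password/api_key settings in $1 that still hold a literal value.
hardcoded_secrets() {
    grep -nE '^[[:space:]]*(password|api_key)[[:space:]]*:' "$1" | grep -vF '${' || true
}

# Constructed sample input: a config and a key listing, written into dir $1.
write_sample() {
cat > "$1/filebeat.yml" <<'EOF'
output.elasticsearch:
  hosts: ["https://es.example.net:9200"]
  password: "${ES_PWD}"
  # api_key: "${OLD_KEY}"
setup.kibana:
  password: "changeme"
processors:
  - add_fields:
      fields: {token: "${Ingest_Token}", env: "${DEPLOY_ENV:dev}", logs: "${path.logs}"}
EOF
printf 'ES_PWD\nINGEST_TOKEN\n' > "$1/keys.txt"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
check_placeholders "$demo_dir/filebeat.yml" "$demo_dir/keys.txt"
hardcoded_secrets "$demo_dir/filebeat.yml"
```

On the sample, Ingest_Token is reported as a case mismatch with the stored INGEST_TOKEN, DEPLOY_ENV has no keystore entry, and the literal setup.kibana password is listed.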
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
