How to enable a Filebeat module

Enabling a Filebeat module activates the packaged integration for a log source such as Nginx, Apache, or system logs so events are collected with the right parsers and field mappings instead of arriving as raw message lines.

Package-based Filebeat installs keep module definitions under /etc/filebeat/modules.d. The filebeat modules enable command switches a module into the active /etc/filebeat/modules.d/*.yml set, while disabled modules keep the .yml.disabled suffix, and each module file contains one or more filesets that control which log streams are harvested.

Enabling the module file is only part of the job. Current Filebeat module files still ship with their filesets disabled by default, so at least one fileset must be turned on before the module can harvest logs, and parsed fields also depend on the required ingest pipelines being present in Elasticsearch when the deployment sends events through Logstash.

Steps to enable a Filebeat module:

List the available module states to confirm the exact module name.

$ sudo filebeat modules list
Enabled:

Disabled:
activemq
apache
auditd
aws
awsfargate
azure
##### snipped #####

Enable the module.
```
$ sudo filebeat modules enable nginx
Enabled nginx
```
The command switches the packaged module config from a .yml.disabled file to an active .yml file under /etc/filebeat/modules.d.
Edit the enabled module file so the required filesets are set to true and any non-default log paths are declared with var.paths.
```
$ sudoedit /etc/filebeat/modules.d/nginx.yml
```
```
- module: nginx
  access:
    enabled: true
    #var.paths: ["/var/log/nginx/access.log*"]
 
  error:
    enabled: true
    #var.paths: ["/var/log/nginx/error.log*"]
```
Module filesets remain disabled until their enabled value is changed, so enabling the module file alone does not start collection.
Test the Filebeat configuration syntax before restarting the service.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
Run a separate output test when destination, authentication, or TLS settings changed.

Related: How to test a Filebeat configuration
Restart the Filebeat service to load the module configuration.
```
$ sudo systemctl restart filebeat
```
When the active output is Logstash, load the module ingest pipelines into Elasticsearch before expecting parsed fields from the new module.

Related: How to manage the Filebeat service with systemctl in Linux
Related: How to run Filebeat setup for templates and dashboards
Check that the Filebeat service returned to the active state.
```
$ sudo systemctl is-active filebeat
active
```
Related: How to manage the Filebeat service with systemctl in Linux

Verify that the module now appears under Enabled.

$ sudo filebeat modules list
Enabled:
nginx

Disabled:
activemq
apache
auditd
aws
awsfargate
azure
##### snipped #####

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.