How to enable a Filebeat module

Enabling a Filebeat module turns on prebuilt log collection plus parsing for a specific service, so events arrive with structured fields instead of raw message lines. Modules reduce setup time for common sources such as web servers, databases, and system logs.

Modules live as YAML definitions under /etc/filebeat/modules.d and usually include one or more filesets with default variables (for example var.paths for log locations). The filebeat modules enable command switches a module from disabled to enabled by activating the corresponding YAML file in that directory.

Log paths and variables often need adjustment to match the host layout, otherwise the module starts successfully but ships no events. Modules that rely on Elasticsearch ingest pipelines require those assets to exist in the cluster; missing pipelines are typically resolved by running filebeat setup --pipelines --modules <module> before starting the service. Restarting the filebeat service applies module changes, so validating the configuration first avoids a failed service start.

Steps to enable a Filebeat module:

Enable the module.
```
$ sudo filebeat modules enable nginx
Enabled nginx
```
List available modules with filebeat modules list, and enable multiple modules by listing them after enable (for example filebeat modules enable nginx system).

Edit the module settings to match service log paths and variables.

$ sudo nano /etc/filebeat/modules.d/nginx.yml

- module: nginx
  access:
    enabled: true
    var.paths: ["/var/log/nginx/access.log*"]
  error:
    enabled: true
    var.paths: ["/var/log/nginx/error.log*"]

Invalid YAML or incorrect indentation can prevent Filebeat from starting after a restart.

Test the Filebeat configuration syntax.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
No output or Config OK indicates the configuration loaded successfully.

Related: How to test a Filebeat configuration
Restart the Filebeat service to load the enabled module.
```
$ sudo systemctl restart filebeat
```
Related: How to manage the Filebeat service with systemctl in Linux

Check the Filebeat service status for an active state.

$ sudo systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-01-06 20:58:03 UTC; 4s ago
##### snipped #####

Confirm the module is enabled.

$ sudo filebeat modules list
Enabled:
nginx
system

Disabled:
activemq
apache
auditd
aws
awsfargate
azure
##### snipped #####

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.