How to enable a Filebeat module

Enabling a Filebeat module turns on a packaged log collection path for a known source such as Nginx, Apache, or system logs. The module provides the default input settings, ingest pipeline, fields, and dashboard assets that let those logs arrive as parsed events instead of unstructured message lines.

On package-based Linux installs, Filebeat keeps module snippets under /etc/filebeat/modules.d. The filebeat modules enable command changes the selected module from <module>.yml.disabled to <module>.yml, and filebeat.config.modules.path must still point at the modules.d glob for that command to manage module state.

Standalone Filebeat modules are separate from Elastic Agent integrations managed through Fleet. A module file can be active while its filesets still remain disabled, so enable at least one fileset, test the full configuration, and restart filebeat.service unless module config reloading is already enabled. Deployments that send module events through Logstash also need the matching ingest pipelines loaded into Elasticsearch before parsed fields appear.

Steps to enable a Filebeat module:

List the available modules on the Filebeat host.
```
$ sudo filebeat modules list
Enabled:

Disabled:
activemq
apache
auditd
aws
awsfargate
azure
##### snipped #####
```
The name under Disabled is the value to pass to filebeat modules enable.

Related: How to list Filebeat modules
Enable the target module.
```
$ sudo filebeat modules enable nginx
Enabled nginx
```
Replace nginx with the module name from your own module list.
Confirm the module file is now in the active modules.d glob.
```
$ sudo ls -1 /etc/filebeat/modules.d/nginx*
/etc/filebeat/modules.d/nginx.yml
```
Filebeat ignores the disabled copy because files ending in .yml.disabled do not match /etc/filebeat/modules.d/*.yml.
Edit the module file and enable the filesets that should harvest logs.
```
$ sudoedit /etc/filebeat/modules.d/nginx.yml
```
```
- module: nginx
  access:
    enabled: true
    var.paths: ["/var/log/nginx/access.log*"]
 
  error:
    enabled: true
    var.paths: ["/var/log/nginx/error.log*"]
```
Filebeat module filesets are disabled by default. Leave a fileset at enabled: false when that log stream should not be collected.

Keep the module file as valid YAML and keep the var.paths list aligned with the real log location on the host.
Tool: YAML Validator
Test the Filebeat configuration before touching the service.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
Related: How to test a Filebeat configuration
Restart Filebeat to load the enabled module.
```
$ sudo systemctl restart filebeat
```
If filebeat.config.modules.reload.enabled is true, the running service can pick up module file changes during its reload scan.
Related: How to enable Filebeat config reloading
Related: How to manage the Filebeat service with systemctl in Linux

When Filebeat publishes through Logstash, load the module ingest pipelines into Elasticsearch before expecting parsed fields.
Related: How to run Filebeat setup for templates and dashboards
Check that filebeat.service is running after the restart.
```
$ sudo systemctl is-active filebeat
active
```
Related: How to manage the Filebeat service with systemctl in Linux

Verify the module appears under Enabled.

$ sudo filebeat modules list
Enabled:
nginx

Disabled:
activemq
apache
auditd
aws
awsfargate
azure
##### snipped #####

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.