How to configure Filebeat processors

Filebeat processors normalize and enrich events at the source, reducing noisy fields and adding context before logs are shipped to Elasticsearch, Logstash, or another output.

Processors are executed in the order listed for each event and can add metadata, rename or drop fields, decode JSON payloads, and drop entire events when conditions match.

Processor rules live in /etc/filebeat/filebeat.yml at the top level or under an input/module section, and changes take effect only after Filebeat is restarted with a valid YAML configuration.

Steps to configure Filebeat processors:

Open the Filebeat configuration file.
```
$ sudo nano /etc/filebeat/filebeat.yml
```
Define processors in the global configuration.
```
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - drop_fields:
      fields: ["log.offset"]
      ignore_missing: true
```
Incorrect YAML indentation can cause Filebeat to fail the config test or refuse to start.

drop_fields removes only the listed fields while keeping the event; use drop_event to discard full events, and place processors under an input to target a single log source.
Test the configuration syntax.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
Related: How to test a Filebeat configuration
Restart Filebeat to load the processors.
```
$ sudo systemctl restart filebeat
```
Related: How to manage the Filebeat service with systemctl in Linux

Inspect the resolved configuration for the processors block.

$ sudo filebeat export config -c /etc/filebeat/filebeat.yml | grep -nE "^(processors:|- add_host_metadata:|- add_cloud_metadata:|- drop_fields:)"
##### snipped #####
16:processors:
17:- add_host_metadata: null
18:- add_cloud_metadata: null
19:- drop_fields:
##### snipped #####

Verify the Filebeat service is running after the restart.

$ sudo systemctl status filebeat --no-pager -n 20
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/filebeat.service.d
             └─env.conf
     Active: active (running) since Tue 2026-01-06 22:29:06 UTC; 4s ago
##### snipped #####

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.