How to configure a Filebeat Redis output

Sending Filebeat events straight to the indexing tier can stall when downstream systems are overloaded, restarted, or temporarily unreachable. Publishing events to Redis adds a lightweight buffer so log collection continues during short outages and bursts. A Redis-backed queue also makes it easier to decouple log shippers from consumers that parse and index the data.

Filebeat enables Redis publishing through the output.redis section in /etc/filebeat/filebeat.yml, writing each event to a Redis list or channel. With datatype: list, Filebeat appends events using Redis RPUSH so a consumer can drain the queue reliably. With datatype: channel, events are broadcast using PUBLISH for pub/sub style streaming without queue semantics.

Only one output can be active in Filebeat, so other output blocks must remain commented or disabled when output.redis is enabled. Using datatype: channel does not buffer events, so messages can be lost when no subscriber is connected, making list the safer default for queueing. Redis authentication, TLS (rediss scheme or ssl settings), persistence, and eviction policies determine how durable the buffer is during extended outages.

Steps to configure a Filebeat Redis output:

Open the Filebeat configuration file at /etc/filebeat/filebeat.yml.
```
$ sudo nano /etc/filebeat/filebeat.yml
```
Configure the output.redis section for the target Redis server.
```
#output.elasticsearch:
#  hosts: ["http://localhost:9200"]

output.redis:
  hosts: ["localhost:6379"]
  # hosts: ["rediss://localhost:6379"]
  # password: "filebeat-redis-password"
  key: "filebeat"
  db: 0
  datatype: list
  timeout: 5
```
Incorrect YAML indentation prevents Filebeat from starting.

datatype: list buffers events in a Redis list, while datatype: channel uses pub/sub and does not queue messages for later delivery.

Related: How to configure Filebeat for TLS
Test the configuration for errors.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
Related: How to test a Filebeat configuration

Test the Redis output connection.

$ sudo filebeat test output -c /etc/filebeat/filebeat.yml
redis output doesn't support testing

Restart the Filebeat service.
```
$ sudo systemctl restart filebeat
```
Related: How to manage the Filebeat service with systemctl in Linux

Verify the Filebeat service is running.

$ sudo systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/filebeat.service.d
             └─env.conf
     Active: active (running) since Tue 2026-01-06 22:58:59 UTC; 4s ago
##### snipped #####

Verify Redis is receiving queued events under the configured key.
```
$ redis-cli -h localhost -p 6379 LLEN filebeat
1
```
A steadily increasing length indicates downstream consumers are not keeping up, while a value near 0 can indicate consumers are draining the list.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.