How to manage the Filebeat service with systemctl in Linux

Managing the Filebeat service controls when log collection starts, when configuration changes take effect, and how quickly a failed shipper is noticed before missing events become gaps in Elasticsearch searches, dashboards, or alerts.

On systemd-based Linux systems, the current Filebeat DEB and RPM packages install a unit named filebeat.service. The service starts the packaged binary with /etc/filebeat/filebeat.yml as the default config, keeps registry state under /var/lib/filebeat, reserves /var/log/filebeat as the log path, and sends service output to journald by default through the unit's systemd execution mode.

Starting, stopping, and restarting Filebeat directly affects event collection, and the packaged unit also applies UMask=0027 so files created by the service cannot become more permissive than 0640. Test configuration changes before a restart, and read the unit's current Loaded and Active state instead of assuming boot-start is already enabled on every package install.

Steps to manage the Filebeat service with systemctl in Linux:

Check the Filebeat service status.

$ sudo systemctl status filebeat --no-pager --lines=0
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; preset: enabled)
     Active: active (running) since Thu 2026-04-02 12:28:02 UTC; 4s ago
       Docs: https://www.elastic.co/beats/filebeat
   Main PID: 4436 (filebeat)
##### snipped #####

The Loaded line shows the current boot-enable state separately from the vendor preset, so disabled; preset: enabled still means the service is not enabled for the next boot.

Start the Filebeat service.
```
$ sudo systemctl start filebeat
```
No output indicates the request was accepted, but a failed start still requires checking status and logs.
Stop the Filebeat service.
```
$ sudo systemctl stop filebeat
```
Stopping Filebeat pauses event shipping until the service starts again, and log rotation or truncation during the downtime can prevent older lines from being harvested later.
Validate the Filebeat configuration before restarting the service.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
Fix validation errors before a restart or filebeat.service can move into a failed state and stop shipping logs.

Related: How to test a Filebeat configuration
Restart the Filebeat service to apply configuration changes.
```
$ sudo systemctl restart filebeat
```
If a drop-in under /etc/systemd/system/filebeat.service.d changed, run sudo systemctl daemon-reload before the restart so systemd reads the updated unit definition.

Enable Filebeat to start on boot.

$ sudo systemctl enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.

Use sudo systemctl enable --now filebeat when the service should be enabled and started in one command.

Disable Filebeat from starting on boot.
```
$ sudo systemctl disable filebeat
Removed "/etc/systemd/system/multi-user.target.wants/filebeat.service".
```
Disabling affects boot behavior only and does not stop an already running service.

Review recent Filebeat service logs in the systemd journal.

$ sudo journalctl -u filebeat.service --since "10 min ago" --no-pager --lines=40
Apr 02 12:28:02 host systemd[1]: Started filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch..
Apr 02 12:28:02 host filebeat[4436]: {"log.level":"info","@timestamp":"2026-04-02T12:28:02.848Z","message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
Apr 02 12:28:02 host filebeat[4436]: {"log.level":"info","@timestamp":"2026-04-02T12:28:02.858Z","log.logger":"elasticsearch.esclientleg","message":"elasticsearch url: http://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
Apr 02 12:28:02 host filebeat[4436]: {"log.level":"info","@timestamp":"2026-04-02T12:28:02.862Z","log.logger":"crawler","message":"Loading and starting Inputs completed. Enabled inputs: 0","service.name":"filebeat","ecs.version":"1.6.0"}
##### snipped #####

Current package defaults can still log localhost:9200 and Enabled inputs: 0 until a real output and at least one input or module are configured.

Confirm the service is running and the boot-enable state is correct.
```
$ systemctl is-active filebeat
active
$ systemctl is-enabled filebeat
disabled
```
The second command returns enabled after the boot-start step and disabled after the disable step.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.