How to manage the Filebeat service with systemctl in Linux

Managing the Filebeat service controls when log collection runs, when configuration changes take effect, and whether event shipping starts after a reboot. On systemd-based Linux hosts, systemctl provides the service controls for starting, stopping, restarting, enabling, disabling, and inspecting the packaged Filebeat unit.

The Filebeat DEB and RPM packages install a systemd unit named filebeat.service. The unit starts the packaged binary in systemd mode, applies the package's home, config, data, and log path options, and sends service output to journald by default.

Service control changes can pause harvesting or activate a configuration that fails at startup, so check the current state before changing it and run the Filebeat config test before a restart. The packaged unit also sets UMask=0027, which means files created by the service cannot be more permissive than 0640 unless the unit itself is changed.

1. Check the current Filebeat service state.

   $ sudo systemctl status filebeat --no-pager --lines=0
   ● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
        Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; preset: enabled)
        Active: active (running) since Thu 2026-06-18 12:55:46 UTC; 4s ago
          Docs: https://www.elastic.co/beats/filebeat
      Main PID: 154 (filebeat)
   ##### snipped #####

   The Loaded line reports the boot-start setting separately from the vendor preset, so disabled; preset: enabled still means Filebeat is not enabled for the next boot.

2. Start the Filebeat service.

   $ sudo systemctl start filebeat

   No output means systemd accepted the request. Check the runtime state next because a bad config or missing dependency can still move the unit to failed.

3. Confirm that Filebeat is active.

   $ systemctl is-active filebeat
   active

4. Stop the Filebeat service.

   $ sudo systemctl stop filebeat

   Stopping Filebeat pauses event harvesting until the service starts again. Log rotation or truncation during the downtime can leave older lines uncollected.

5. Confirm that Filebeat is inactive after a planned stop.

   $ systemctl is-active filebeat
   inactive

6. Test the Filebeat configuration before applying a restart.

   $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
   Config OK

   Fix validation errors before restarting, or filebeat.service can enter a failed state and stop shipping events.

   Related: How to test a Filebeat configuration

7. Restart Filebeat after a configuration change.

   $ sudo systemctl restart filebeat

   If a drop-in under /etc/systemd/system/filebeat.service.d changed, run sudo systemctl daemon-reload before restarting so systemd reads the updated unit definition.

8. Enable Filebeat at boot.

   $ sudo systemctl enable filebeat
   Created symlink '/etc/systemd/system/multi-user.target.wants/filebeat.service' -> '/usr/lib/systemd/system/filebeat.service'.

   Use sudo systemctl enable --now filebeat when the service should be enabled and started in one command.

9. Confirm the boot-enable state.

   $ systemctl is-enabled filebeat
   enabled

10. Disable Filebeat at boot.

    $ sudo systemctl disable filebeat
    Removed '/etc/systemd/system/multi-user.target.wants/filebeat.service'.

    Disabling changes the next-boot behavior only. It does not stop an already running Filebeat process.

11. Read recent Filebeat service logs from journald.

    $ sudo journalctl -u filebeat.service --since "10 min ago" --no-pager
    Jun 18 12:55:46 host systemd[1]: Started filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch..
    Jun 18 12:55:46 host filebeat[154]: {"log.level":"info","message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat"}
    Jun 18 12:55:46 host filebeat[154]: {"log.level":"info","message":"elasticsearch url: http://localhost:9200","service.name":"filebeat"}
    Jun 18 12:55:46 host filebeat[154]: {"log.level":"info","message":"Loading and starting Inputs completed. Enabled inputs: 0","service.name":"filebeat"}
    ##### snipped #####

    A fresh package can still log localhost:9200 and Enabled inputs: 0 until the output and at least one input or module are configured.

12. Confirm the runtime state after service changes.

    $ systemctl is-active filebeat
    active

13. Confirm the boot state after enable or disable changes.

    $ systemctl is-enabled filebeat
    disabled

    The result returns enabled after the enable step and disabled after the disable step.