How to manage the Filebeat service with systemctl in Linux

Managing the Filebeat service controls when log shipping starts and stops, applies configuration changes, and surfaces runtime failures before they create gaps in downstream searches and alerts.

On Linux systems using systemd, Filebeat runs as the filebeat.service unit and is supervised by systemctl for start, stop, and restart actions. The daemon reads /etc/filebeat/filebeat.yml (and optional module snippets in /etc/filebeat/modules.d), maintains offset state under /var/lib/filebeat, and writes operational logs to the systemd journal.

Stopping or restarting Filebeat causes a temporary delivery pause; events usually resume from the saved registry state, but log rotation or truncation while the service is down can permanently skip older lines. Validate configuration before restarts and confirm service health with status and journal output after changes.

Steps to manage the Filebeat service with systemctl in Linux:

Check the Filebeat service status.

$ sudo systemctl status filebeat --no-pager
● filebeat.service - Filebeat sends log files to Logstash or Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-01-06 20:58:03 UTC; 4s ago
       Docs: https://www.elastic.co/beats/filebeat
   Main PID: 2541 (filebeat)
      Tasks: 9 (limit: 28486)
     Memory: 40.4M (peak: 41.7M)
        CPU: 100ms
     CGroup: /system.slice/filebeat.service
             └─2541 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat
##### snipped #####

Append --lines=0 to hide the log excerpt when only the unit state matters.

Start the Filebeat service.
```
$ sudo systemctl start filebeat
```
No output indicates the request was accepted, but a failed start still requires checking status and logs.
Stop the Filebeat service.
```
$ sudo systemctl stop filebeat
```
Stopping Filebeat pauses event delivery until it is started again, and rotated or truncated log lines can be missed while the service is down.
Validate the Filebeat configuration before restarting the service.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
Fix configuration errors before a restart, or filebeat.service can enter a failed state and stop shipping logs.
Restart the Filebeat service to apply configuration changes.
```
$ sudo systemctl restart filebeat
```
A restart briefly interrupts shipping, so confirm the service returns to an active state after the command completes.

Enable Filebeat to start on boot.

$ sudo systemctl enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.

Use --now to enable and start the service in a single command when bringing a new host online.

Disable Filebeat from starting on boot.
```
$ sudo systemctl disable filebeat
Removed "/etc/systemd/system/multi-user.target.wants/filebeat.service".
```
Disabling affects boot behavior only and does not stop an already running service.

Review recent Filebeat service logs in the systemd journal.

$ sudo journalctl --unit=filebeat --since "30 min ago" --no-pager --lines=120
Jan 06 21:03:52 d21b43fc26fd filebeat[5099]: {"log.level":"info","@timestamp":"2026-01-06T21:03:52.929Z","log.logger":"crawler","message":"Loading and starting Inputs completed. Enabled inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
Jan 06 21:04:02 d21b43fc26fd filebeat[5099]: {"log.level":"info","@timestamp":"2026-01-06T21:04:02.933Z","log.logger":"publisher_pipeline_output","message":"Connection to backoff(async(tcp://localhost:5044)) established","service.name":"filebeat","ecs.version":"1.6.0"}
##### snipped #####

Append --follow to stream logs while troubleshooting.

Confirm the service is running and the boot-enable state is correct.

$ systemctl is-active filebeat
active
$ systemctl is-enabled filebeat
enabled

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.