How to configure a Filebeat TCP input

Receiving logs over TCP enables centralized collection from applications and devices that can only ship events over a raw socket. A Filebeat TCP listener provides a lightweight ingest endpoint for line-delimited text and newline-delimited JSON without maintaining a custom collector.

The tcp input opens a listening socket on the configured host and reads incoming connections as framed messages that become events. Those events flow through the normal Filebeat pipeline and are forwarded to the configured output, where parsing and routing can happen downstream.

Binding a listener to 0.0.0.0 exposes it on all interfaces, so network filtering and TLS should protect any receiver reachable from untrusted networks. Senders must terminate each event according to the configured framing (newline-delimited by default), and payloads larger than max_message_size are rejected.

Steps to configure a Filebeat TCP input:

Open the Filebeat configuration file for editing.
```
$ sudo nano /etc/filebeat/filebeat.yml
```
Add a tcp input under filebeat.inputs with the desired listening address and port.
```
filebeat.inputs:
  - type: tcp
    host: "0.0.0.0:9001"
    max_message_size: 10MiB
```
Keep filebeat.inputs: defined once in /etc/filebeat/filebeat.yml, since duplicate YAML keys can override earlier input blocks.

Senders should transmit one event per line (append \n), including newline-delimited JSON for structured payloads.

Binding to 0.0.0.0 exposes the port on all interfaces. Prefer 127.0.0.1 for local-only senders or restrict access with firewall rules and TLS.
Test the configuration file for syntax errors.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
Related: How to test a Filebeat configuration
Restart the Filebeat service to apply the new input configuration.
```
$ sudo systemctl restart filebeat
```
Related: How to manage the Filebeat service with systemctl in Linux
Confirm the Filebeat service is running after the restart.
```
$ sudo systemctl is-active filebeat
active
```
Related: How to manage the Filebeat service with systemctl in Linux

Verify the TCP listener is active on the configured port.

$ sudo ss -lntp | grep -F ':9001'
LISTEN 0      4096                    *:9001             *:*    users:(("filebeat",pid=7866,fd=8))

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.