How to configure a Logstash Beats input

A Beats input in Logstash provides a dedicated ingestion endpoint for Filebeat, Metricbeat, and other Beats, making it possible to centralize parsing, enrichment, and routing before events reach Elasticsearch or another datastore.

Logstash builds an event pipeline from configuration files, typically loaded from /etc/logstash/conf.d on packaged Linux installs. The beats input listens on a TCP port (commonly 5044) and accepts the Beats protocol, then optional filters transform events before outputs forward them to downstream systems; when path.config points to a directory, pipeline fragments are loaded in lexical order.

Network reachability and transport security determine whether Beats can deliver reliably and safely. Restrict access to the listener port, prefer TLS for production traffic, and validate pipeline syntax before restarting Logstash to avoid failed startups; the built-in HTTP monitoring endpoint used for verification may be bound to localhost and configured via /etc/logstash/logstash.yml.

Steps to configure a Beats input in Logstash:

Create a pipeline configuration file at /etc/logstash/conf.d/10-main.conf.
```
input {
  beats {
    port => 5044
  }
}

filter {
  mutate {
    add_field => { "ingest_source" => "beats" }
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch.example.net:9200"]
    index => "beats-%{+YYYY.MM.dd}"
  }
}
```
Numeric prefixes keep file load order predictable when multiple pipeline fragments exist in /etc/logstash/conf.d.

Exposing port 5044 to untrusted networks allows unauthorized event injection and can exhaust Logstash resources; restrict access and enable TLS when crossing untrusted networks.

Test the pipeline configuration.

$ sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit
##### snipped #####
Configuration OK

Restart the Logstash service to load the pipeline.
```
$ sudo systemctl restart logstash
```
Related: How to manage the Logstash service with systemctl in Linux

Check the Logstash service status for a running state.

$ sudo systemctl status logstash
● logstash.service - logstash
     Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
     Active: active (running) since Wed 2026-01-07 04:55:20 UTC; 15s ago
##### snipped #####

Confirm the Beats listener port is active.

$ sudo ss -ltnp | grep ':5044'
LISTEN 0      4096                    *:5044             *:*    users:(("java",pid=16992,fd=252))

Change 5044 only if the Filebeat (or other Beat) output is updated to match.

Confirm the pipeline is running via the HTTP monitoring API.

$ curl -s http://localhost:9600/_node/pipelines?pretty
{
  "host" : "host",
  "version" : "8.19.9",
  "http_address" : "127.0.0.1:9600",
  "id" : "3723b694-8264-4225-a32b-a201e0fcb5dc",
  "name" : "host",
  "ephemeral_id" : "6211427e-bcdf-4278-891d-109525fddce7",
  "snapshot" : false,
  "status" : "green",
  "pipeline" : {
    "workers" : 10,
    "batch_size" : 125,
    "batch_delay" : 50
  },
  "pipelines" : {
    "main" : {
      "ephemeral_id" : "3ab1b44c-5de8-403f-8ffe-0940107aca16",
      "hash" : "72bcdf31c2a48ef99d2c15dfd15ca568a7691b4ab80b56cad8554692de41f757",
      "workers" : 10,
      "batch_size" : 125,
      "batch_delay" : 50,
      "config_reload_automatic" : false,
      "config_reload_interval" : 3000000000,
      "dead_letter_queue_enabled" : false
    }
  }
}

If the API is bound to a different address or port, check /etc/logstash/logstash.yml for http.host and http.port.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.