
filebeat not starting in linux and no logs are printed to troubleshoot


This is a fresh installation of filebeat. I copied the configuration file filebeat.yml from an existing server.

filebeat version : 6.8.5

When the service is started with sudo systemctl start filebeat, the following error is shown when viewing the status of the service through sudo systemctl status filebeat:

filebeat.service: main process exited, code=exited, status=1/FAILURE
Unit filebeat.service entered failed state.
filebeat.service failed.
filebeat.service holdoff time over, scheduling restart.
Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
start request repeated too quickly for filebeat.service
Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
Unit filebeat.service entered failed state.
filebeat.service failed.

What is the reason for failure?


Solution

  • filebeat has an awesome feature called test. You can use it to check whether the config file and the output server configuration are correct. For more information about the test tool, use help.

    /usr/share/filebeat/bin/filebeat  test --help
    

    Check for config file correctness

    /usr/share/filebeat/bin/filebeat  test config --path.config /etc/filebeat
    

    Check for output server configurations

    /usr/share/filebeat/bin/filebeat  test output --path.config /etc/filebeat
    

    In my case, I got both config and output wrong.

    1. config
    $ /usr/share/filebeat/bin/filebeat  test config --path.config /etc/filebeat
    Exiting: error loading config file: config file ("/etc/filebeat/filebeat.yml") can only be writable by the owner but the permissions are "-rwxrwxrwx" (to fix the permissions use: 'chmod go-w /etc/filebeat/filebeat.yml')
    

    Changing the filebeat.yml file permissions resolved the issue.

    chmod go-w /etc/filebeat/filebeat.yml
    
    2. output
    # /usr/share/filebeat/bin/filebeat  test output --path.config /etc/filebeat
    logstash: 10.3.22.31:043...
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 10.5.86.21
        dial up... ERROR dial tcp 10.5.86.21:43: connect: connection refused
    

    I hadn't set the port (043) correctly. Correcting the port number resolved the issue.
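
The permission failure in the answer above is a common result of copying filebeat.yml between servers. The following script is an added example, not part of the original answer: it scans a config directory for *.yml files that are writable by group or others, the condition the error message names. The function name audit_beat_config, the extra owner-uid check and the throwaway demo directory are assumptions of this example.

```shell
#!/bin/sh
# Audit Beats config files for the permission problem reported by
# `filebeat test config` above. audit_beat_config and its optional
# owner-uid argument are names made up for this example.

# audit_beat_config DIR [OWNER_UID]
# Lists *.yml files under DIR that are writable by group or others, or that
# are not owned by OWNER_UID (default 0, root). Returns 1 if any are found.
audit_beat_config() {
    dir=$1
    owner=${2:-0}
    writable=$(find "$dir" -type f -name '*.yml' \
        \( -perm -020 -o -perm -002 \) -print)
    misowned=$(find "$dir" -type f -name '*.yml' ! -user "$owner" -print)
    if [ -n "$writable" ]; then
        printf 'writable by group/others (fix: chmod go-w):\n%s\n' "$writable"
    fi
    if [ -n "$misowned" ]; then
        printf 'not owned by uid %s:\n%s\n' "$owner" "$misowned"
    fi
    [ -z "$writable$misowned" ]
}

# Constructed demo: a throwaway directory standing in for /etc/filebeat,
# with the same -rwxrwxrwx mode as in the error message.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/modules.d"
printf 'filebeat.inputs: []\n' > "$demo_dir/filebeat.yml"
printf '# constructed module file\n' > "$demo_dir/modules.d/system.yml"
chmod 777 "$demo_dir/filebeat.yml"
chmod 644 "$demo_dir/modules.d/system.yml"

audit_beat_config "$demo_dir" "$(id -u)" || echo "=> fix before starting the service"
chmod go-w "$demo_dir/filebeat.yml"
audit_beat_config "$demo_dir" "$(id -u)" && echo "=> permissions OK"
```

On a real host, run the function against /etc/filebeat as root before starting the service, then confirm with filebeat test config as shown above.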