Skip to content
DevOps AI ToolKit
Newsletter
All guides
AI for Filebeat By James Joyner IV · · 7 min read

Filebeat Error: 'config file ... can only be writable by the owner' — Cause, Fix, and Troubleshooting Guide

Quick answer

Fix Filebeat 'config file ... can only be writable by the owner but the permissions are': set 0600/0644 ownership so Filebeat loads its config.

  • #filebeat
  • #logging
  • #troubleshooting
  • #errors
Free toolkit

Fixing errors like this? Get 500 free DevOps AI prompts

500 copy-paste AI prompts for the stack you actually run — one PDF, free.

Overview

Filebeat enforces strict permissions on its configuration file: it must not be writable by group or others, and it must be owned by the user running Filebeat (or root). If the permissions are too loose, Filebeat refuses to start:

Exiting: error loading config file: config file ("/etc/filebeat/filebeat.yml") can only be writable by the owner but the permissions are "-rw-rw-r--" (to fix the permissions use: 'chmod go-w /etc/filebeat/filebeat.yml')

This is a security guard: a world- or group-writable config could be tampered with to redirect logs or leak credentials. The check applies to filebeat.yml, module files, and anything loaded via filebeat.config.*. Filebeat exits immediately and prints the exact chmod to run. On some setups you also see an ownership variant (config file must be owned by the user running the beat).

Symptoms

  • config file ... can only be writable by the owner but the permissions are "..." at startup.
  • The message includes the exact chmod go-w fix.
  • Or config file ("...") must be owned by the user running the beat (ownership variant).
  • Started after an editor, deploy tool, or umask left the file group/other-writable.

Common Root Causes

  • Group/other-writable file — e.g. 0664/0666 from a permissive umask or config-management run.
  • Wrong owner — file owned by a user other than the one running Filebeat.
  • Copied config that inherited loose permissions from another location.
  • Mounted config in containers with world-writable bind-mount defaults.

How to diagnose

Check the current mode and owner:

ls -l /etc/filebeat/filebeat.yml
stat -c '%A %U:%G' /etc/filebeat/filebeat.yml

Check module and dynamically-loaded configs too:

ls -l /etc/filebeat/modules.d/*.yml /etc/filebeat/inputs.d/*.yml 2>/dev/null

Fixes

Remove group/other write and set correct ownership:

chmod go-w /etc/filebeat/filebeat.yml       # exact fix Filebeat suggests
chmod 0600 /etc/filebeat/filebeat.yml        # or 0644 if only owner-writable is needed
chown root:root /etc/filebeat/filebeat.yml
systemctl restart filebeat

Apply the same to module and included configs:

chmod go-w /etc/filebeat/modules.d/*.yml

In containers, bake correct permissions into the image or fix the mount, or disable the check only if you understand the risk:

# Last resort in locked-down container envs (reduces safety):
filebeat -e --strict.perms=false

What to watch out for

  • The check covers all loaded configs, not just filebeat.yml — fix modules.d/ too.
  • --strict.perms=false disables a real security guard; prefer fixing permissions.
  • A permissive umask in your deploy tooling will keep re-introducing this — fix the source.
  • The ownership variant needs chown, not just chmod.
Free download · 368-page PDF

Get 500 Battle-Tested DevOps AI Prompts — Free

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.