Configure the Elasticsearch output
Running Elastic Agent in standalone mode is an advanced use case. The documentation is incomplete and not yet mature. When possible, we recommend using Fleet-managed agents instead of standalone mode.
The Elasticsearch output sends events directly to Elasticsearch by using the Elasticsearch HTTP API.
Compatibility: This output works with all compatible versions of Elasticsearch. See the Elastic Support Matrix.
This example configures an Elasticsearch output called default in the elastic-agent.yml file:

```yaml
outputs:
  default:
    type: elasticsearch
    hosts: [127.0.0.1:9200]
    username: elastic
    password: changeme
```
Elasticsearch output configuration settings
The elasticsearch output type supports the following settings, grouped by category. Many of these settings have sensible defaults that allow you to run Elastic Agent with minimal configuration.
Commonly used settings
Setting | Description |
---|---|
(boolean) Enables or disables the output. If set to Default: |
|
(list) The list of Elasticsearch nodes to connect to. The events are distributed to
these nodes in round robin order. If one node becomes unreachable, the event is
automatically sent to another node. Each Elasticsearch node can be defined as a When a node is defined as an |
|
(string) The name of the protocol Elasticsearch is reachable on. The options are:
|
|
(boolean) If set to Default: |
|
(string) Additional headers to send to proxies during CONNECT requests. |
|
(string) The URL of the proxy to use when connecting to the Elasticsearch servers. The
value may be either a complete URL or a |
Authentication settings
Settings for authenticating with Elasticsearch.
When sending data to a secured cluster through the elasticsearch output, Elastic Agent can use any of the following authentication methods:
Basic authentication credentials
```yaml
outputs:
  default:
    type: elasticsearch
    hosts: ["https://myEShost:9200"]
    username: "your-username"
    password: "your-password"
```
Token-based (API key) authentication
```yaml
outputs:
  default:
    type: elasticsearch
    hosts: ["https://myEShost:9200"]
    api_key: "KnR6yE41RrSowb0kQ0HWoA"
```
Public Key Infrastructure (PKI) certificates
```yaml
outputs:
  default:
    type: elasticsearch
    hosts: ["https://myEShost:9200"]
    ssl.certificate: "/etc/pki/client/cert.pem"
    ssl.key: "/etc/pki/client/cert.key"
```
There are a number of SSL configuration settings available depending on whether you are configuring the client, server, or both. See the following tables for available settings:
- Table 1, “Common configuration options”. These settings are valid in both client and server configurations.
- Table 2, “Client configuration options”
- Table 3, “Server configuration options”
For more information about using certificates, refer to Encrypt traffic in clusters with a self-managed Fleet Server.
Table 1. Common configuration options
Setting | Description |
---|---|
(string) This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain. The pin is a base64 encoded string of the SHA-256 of the certificate. This check is not a replacement for the normal SSL validation, but it adds
additional validation. If this setting is used with |
|
(list) The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list. The following cipher suites are available:
Here is a list of acronyms used in defining the cipher suites:
|
|
(list) The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange). The following elliptic curve types are available:
|
|
(boolean) Enables or disables the SSL configuration. Default: SSL settings are disabled if either |
|
(list) List of allowed SSL/TLS versions. If the SSL/TLS server supports none
of the specified versions, the connection will be dropped during or after the
handshake. The list of allowed protocol versions includes: Default: |
Table 2. Client configuration options
Setting | Description |
---|---|
(string) The path to the certificate for SSL client authentication. This
setting is only required if Example: ssl.certificate: "/path/to/cert.pem" When this setting is configured, the Specify a path, or embed a certificate directly in the ssl.certificate: | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(list) The list of root certificates for verifications (required). If
Example: ssl.certificate_authorities: ["/path/to/root/ca.pem"] Specify a list of files that Elastic Agent will read, or embed a certificate directly
in the ssl.certificate_authorities: - | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(string) The client certificate key used for client authentication. Only
required if Example: ssl.key: "/path/to/cert.key" Specify a path, or embed the private key directly in the ssl.key: | -----BEGIN PRIVATE KEY----- KEY CONTENT APPEARS HERE -----END PRIVATE KEY----- |
|
(string) The passphrase used to decrypt an encrypted key stored in the
configured |
|
(string) Controls the verification of server certificates. Valid values are:
Default: |
|
(string) A HEX encoded SHA-256 of a CA certificate. If this certificate is
present in the chain during the handshake, it will be added to the
Example: ssl.ca_trusted_fingerprint: 3b24d33844d6553...826 |
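
Added example (not from the Elastic documentation): the `ssl.ca_trusted_fingerprint` value is the hex SHA-256 of the CA certificate, computed here over the DER bytes of each certificate in a PEM bundle and compared with a configured value. It assumes the setting expects bare hex as in the example above, so colon-separated output from certificate tools is normalized first; the function names are illustrative and the sample bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in bytes, NOT a real certificate: the fingerprint is a
# plain SHA-256 over the DER bytes, so any byte string exercises the logic.
SAMPLE_DER = bytes(range(96))
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text):
    """Return the hex SHA-256 of every certificate in a PEM bundle, in order."""
    out = []
    for body in _PEM_BLOCK.findall(pem_text):
        # Strip line breaks, then decode the base64 body back to DER bytes.
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    if not out:
        raise ValueError("no CERTIFICATE block found")
    return out


def normalize_fingerprint(value):
    """Turn 'AB:CD:...' or spaced hex into bare lowercase hex (assumed format)."""
    cleaned = re.sub(r"[:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint: expected 64 hex digits")
    return cleaned


def fingerprint_matches(configured, pem_text):
    """True if the configured value equals the digest of any cert in the bundle."""
    return normalize_fingerprint(configured) in pem_fingerprints(pem_text)
```

Running `fingerprint_matches` against the CA bundle you actually deploy catches a truncated or mistyped fingerprint before the agent fails its TLS handshake.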
Table 3. Server configuration options
Setting | Description |
---|---|
(string) The path to the certificate for SSL server authentication. If the certificate is not specified, startup will fail. Example: ssl.certificate: "/path/to/server/cert.pem" When this setting is configured, the Specify a path, or embed a certificate directly in the ssl.certificate: | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(list) The list of root certificates for client verifications is only required
if Example: ssl.certificate_authorities: ["/path/to/root/ca.pem"] Specify a list of files that Elastic Agent will read, or embed a certificate directly
in the ssl.certificate_authorities: - | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(string) Configures client authentication. The valid options are:
Default: |
|
(string) The server certificate key used for authentication (required). Example: ssl.key: "/path/to/server/cert.key" Specify a path, or embed the private key directly in the ssl.key: | -----BEGIN PRIVATE KEY----- KEY CONTENT APPEARS HERE -----END PRIVATE KEY----- |
|
(string) The passphrase used to decrypt an encrypted key stored in the
configured |
|
(string) Configures the type of TLS renegotiation to support. The valid options are:
Default: |
|
(string) Controls the verification of client certificates. Valid values are:
Default: |
Kerberos
The following encryption types are supported:
- aes128-cts-hmac-sha1-96
- aes128-cts-hmac-sha256-128
- aes256-cts-hmac-sha1-96
- aes256-cts-hmac-sha384-192
- des3-cbc-sha1-kd
- rc4-hmac
Example output config with Kerberos password-based authentication:
```yaml
outputs:
  default:
    type: elasticsearch
    hosts: ["http://my-elasticsearch.elastic.co:9200"]
    kerberos.auth_type: password
    kerberos.username: "elastic"
    kerberos.password: "changeme"
    kerberos.config_path: "/etc/krb5.conf"
    kerberos.realm: "ELASTIC.CO"
```
The service principal name for the Elasticsearch instance is constructed from these options. Based on this configuration, the name would be:
HTTP/my-elasticsearch.elastic.co@ELASTIC.CO
Setting | Description |
---|---|
(string) The type of authentication to use with Kerberos KDC:
Default: |
|
(string) Path to the |
|
(boolean) Enables or disables the Kerberos configuration. Kerberos settings are disabled if either |
|
(boolean) If Default: |
|
(string) If |
|
(string) If |
|
(string) Name of the realm where the output resides. |
|
(string) Name of the principal used to connect to the output. |
Data parsing, filtering, and manipulation settings
Settings used to parse, filter, and transform data.
Setting | Description |
---|---|
(boolean) Configures escaping of HTML in strings. Set to Default: |
|
(string) A format string value that specifies the ingest pipeline to write events to. outputs: default: type: elasticsearch hosts: ["http://localhost:9200"] pipeline: my_pipeline_id You can set the ingest pipeline dynamically by using a format string to
access any event field. For example, this configuration uses a custom field,
outputs: default: type: elasticsearch hosts: ["http://localhost:9200"] pipeline: "%{[fields.log_type]}_pipeline" With this configuration, all events with To learn how to add custom fields to events, see the See the |
|
An array of pipeline selector rules. Each rule specifies the ingest pipeline
to use for events that match the rule. During publishing, Elastic Agent uses the first
matching rule in the array. Rules can contain conditionals, format string-based
fields, and name mappings. If the Rule settings:
All the conditions supported by processors are also supported here. The following example sends events to a specific pipeline based on whether the
outputs: default: type: elasticsearch hosts: ["http://localhost:9200"] pipelines: - pipeline: "warning_pipeline" when.contains: message: "WARN" - pipeline: "error_pipeline" when.contains: message: "ERR" The following example sets the pipeline by taking the name returned by the
outputs: default: type: elasticsearch hosts: ["http://localhost:9200"] pipelines: - pipeline: "%{[fields.log_type]}" mappings: critical: "sev1_pipeline" normal: "sev2_pipeline" default: "sev3_pipeline" With this configuration, all events with |
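
Added example (not Elastic Agent's implementation): a simplified model of the first-match rule selection described above, run against the two rule sets from the examples so you can check which ingest pipeline a given event would reach. It models only `when.contains`, and it assumes that a format string with a missing field, or a name absent from `mappings`, falls through to the rule's `default`; the function names and the `fallback` parameter are illustrative.

```python
import re

_FIELD = re.compile(r"%\{\[([^\]]+)\]\}")  # matches %{[fields.log_type]}

def _lookup(event, dotted):
    """Resolve 'fields.log_type' in a nested event dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _expand(fmt, event):
    """Expand %{[field]} references; None if a referenced field is missing."""
    values = [_lookup(event, name) for name in _FIELD.findall(fmt)]
    if any(v is None for v in values):
        return None
    return _FIELD.sub(lambda m: str(_lookup(event, m.group(1))), fmt)

def select_pipeline(rules, event, fallback=None):
    """Return the pipeline named by the first rule that matches the event."""
    for rule in rules:
        cond = rule.get("when.contains", {})
        if any(sub not in str(_lookup(event, field) or "")
               for field, sub in cond.items()):
            continue  # condition failed: try the next rule
        name = _expand(rule["pipeline"], event)
        if "mappings" in rule:
            name = rule["mappings"].get(name)
        name = name or rule.get("default")  # assumed fall-through to default
        if name:
            return name
    return fallback  # assumption: caller supplies what applies with no match

# The two rule sets from the examples above, as the parsed YAML would look.
WARN_ERR_RULES = [
    {"pipeline": "warning_pipeline", "when.contains": {"message": "WARN"}},
    {"pipeline": "error_pipeline", "when.contains": {"message": "ERR"}},
]
SEVERITY_RULES = [{
    "pipeline": "%{[fields.log_type]}",
    "mappings": {"critical": "sev1_pipeline", "normal": "sev2_pipeline"},
    "default": "sev3_pipeline",
}]
```

Because only the first matching rule applies, a message containing both `WARN` and `ERR` goes to `warning_pipeline` under the first rule set, so rule order decides which pipeline processes it.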
HTTP settings
Settings that modify the HTTP requests sent to Elasticsearch.
Setting | Description |
---|---|
Custom HTTP headers to add to each request created by the Elasticsearch output. Example: outputs: default: type: elasticsearch headers: X-My-Header: Header contents Specify multiple header values for the same header name by separating them with a comma. |
|
Dictionary of HTTP parameters to pass within the url with index operations. |
|
(string) An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix. |
Performance tuning settings
Settings that may affect performance.
Setting | Description |
---|---|
(string) The number of seconds to wait before trying to reconnect to Elasticsearch
after a network error. After waiting Default: |
|
(string) The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. Default: |
|
(int) The maximum number of events to bulk in a single Elasticsearch bulk API index request. Events can be collected into batches. Elastic Agent will split batches larger than
Specifying a larger batch size can improve performance by lowering the overhead of sending events. However, big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput. Setting Default: |
|
(int) The gzip compression level. Set this value to Increasing the compression level reduces network usage but increases CPU usage. Default: |
|
(int) The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped. Set Default: |
|
(string) The HTTP request timeout in seconds for the Elasticsearch request. Default: |
|
(int) The number of workers per configured host publishing events to Elasticsearch. This is best used with load balancing mode enabled. Example: If you have two hosts and three workers, in total six workers are started (three for each host). Default: |