- Fleet and Elastic Agent Guide: other versions:
- Fleet and Elastic Agent overview
- Beats and Elastic Agent capabilities
- Quick starts
- Migrate from Beats to Elastic Agent
- Deployment models
- Install Elastic Agents
- Install Fleet-managed Elastic Agents
- Install standalone Elastic Agents (advanced users)
- Install Elastic Agents in a containerized environment
- Run Elastic Agent in a container
- Run Elastic Agent on Kubernetes managed by Fleet
- Advanced Elastic Agent configuration managed by Fleet
- Run Elastic Agent on GKE managed by Fleet
- Run Elastic Agent on Amazon EKS managed by Fleet
- Run Elastic Agent on Azure AKS managed by Fleet
- Run Elastic Agent Standalone on Kubernetes
- Scaling Elastic Agent on Kubernetes
- Using a custom ingest pipeline with the Kubernetes Integration
- Environment variables
- Installation layout
- Air-gapped environments
- Using a proxy server with Elastic Agent and Fleet
- Uninstall Elastic Agents from edge hosts
- Start and stop Elastic Agents on edge hosts
- Elastic Agent configuration encryption
- Secure connections
- Manage Elastic Agents in Fleet
- Configure standalone Elastic Agents
- Create a standalone Elastic Agent policy
- Structure of a config file
- Inputs
- Providers
- Outputs
- SSL/TLS
- Logging
- Feature flags
- Agent download
- Config file examples
- Grant standalone Elastic Agents access to Elasticsearch
- Example: Use standalone Elastic Agent with Elastic Cloud Serverless to monitor nginx
- Example: Use standalone Elastic Agent with Elasticsearch Service to monitor nginx
- Debug standalone Elastic Agents
- Kubernetes autodiscovery with Elastic Agent
- Monitoring
- Reference YAML
- Manage integrations
- Define processors
- Processor syntax
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_cef
- decode_csv_fields
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- parse_aws_vpc_flow_log
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- timestamp
- translate_sid
- truncate_fields
- urldecode
- Command reference
- Troubleshoot
- Release notes
Fleet Server Secrets
editFleet Server Secrets
editFleet Server configuration can contain secret values. You may specify these values directly in the configuration or through secret files. You can use command line arguments to pass the values or file paths when you are running under Elastic Agent, or you can use environment variables if Elastic Agent is running in a container.
For examples of how to deploy secret files, refer to our Secret files guide.
Stand-alone Fleet Server is under active development.
Secret values
editThe following secret values may be used when configuring Fleet Server.
Note that the configuration fragments shown below are specified either in the UI as part of the output specification or as part of the Fleet Server integration settings.
-
service_token
-
The
service_token
is used to communicate with Elasticsearch.It may be specified in the configuration directly as:
output.elasticsearch.service_token: my-service-token
Or by a file with:
output.elasticsearch.service_token_path: /path/to/token-file
When you are running Fleet Server under Elastic Agent, you can specify it with either the
--fleet-server-service-token
or the--fleet-server-service-token-path
flag. See Elastic Agent command reference for more details.If you are running Fleet Server under Elastic Agent in a container, you can use the environment variables
FLEET_SERVER_SERVICE_TOKEN
orFLEET_SERVER_SERVICE_TOKEN_PATH
. - TLS private key
-
Use the TLS private key to encrypt communications between Fleet Server and Elastic Agent. See Configure SSL/TLS for self-managed Fleet Servers for more details.
Although it is not recommended, you may specify the private key directly in the configuration as:
inputs: - type: fleet-server ssl.key: | ----BEGIN CERTIFICATE---- .... ----END CERTIFICATE----
Alternatively, you can provide the path to the private key with the same attribute:
inputs: - type: fleet-server ssl.key: /path/to/cert.key
When you are running Fleet Server under Elastic Agent, you can provide the private key path using with the
--fleet-server-cert-key
flag. See Elastic Agent command reference for more details.If you are running Fleet Server under Elastic Agent in a container, you can use the environment variable
FLEET_SERVER_CERT_KEY
to specify the private key path. - TLS private key passphrase
-
The private key passphrase is used to decrypt an encrypted private key file.
You can specify the passphrase as a secret file in the configuration with:
inputs: - type: fleet-server ssl.key_passphrase_path: /path/to/passphrase
When you are running Fleet Server under Elastic Agent, you can provide the passphrase path using the
--fleet-server-cert-key-passphrase-path
flag. See Elastic Agent command reference for more details.If you are running Fleet Server under Elastic Agent in a container, you can use the environment variable
FLEET_SERVER_CERT_KEY_PASSPHRASE
to specify the file path. - APM API Key
-
The APM API Key may be used to gather APM data from Fleet Server.
You can specify it directly in the instrumentation segment of the configuration:
inputs: - type: fleet-server instrumentation.api_key: my-apm-api-key
Or by a file with:
inputs: - type: fleet-server instrumentation.api_key_file: /path/to/apmAPIKey
You may specify the API key by value using the environment variable
ELASTIC_APM_API_KEY
. - APM secret token
-
The APM secret token may be used to gather APM data from Fleet Server.
You can specify the secret token directly in the instrumentation segment of the configuration:
inputs: - type: fleet-server instrumentation.secret_token: my-apm-secret-token
Or by a file with:
inputs: - type: fleet-server instrumentation.secret_token_file: /path/to/apmSecretToken
You may also specify the token by value using the environment variable
ELASTIC_APM_SECRET_TOKEN
.
On this page