- Fleet and Elastic Agent Guide: other versions:
- Fleet and Elastic Agent overview
- Beats and Elastic Agent capabilities
- Quick starts
- Migrate from Beats to Elastic Agent
- Deployment models
- Install Elastic Agents
- Install Fleet-managed Elastic Agents
- Install standalone Elastic Agents
- Install Elastic Agents in a containerized environment
- Run Elastic Agent in a container
- Run Elastic Agent on Kubernetes managed by Fleet
- Install Elastic Agent on Kubernetes using Helm
- Example: Install standalone Elastic Agent on Kubernetes using Helm
- Example: Install Fleet-managed Elastic Agent on Kubernetes using Helm
- Advanced Elastic Agent configuration managed by Fleet
- Configuring Kubernetes metadata enrichment on Elastic Agent
- Run Elastic Agent on GKE managed by Fleet
- Run Elastic Agent on Amazon EKS managed by Fleet
- Run Elastic Agent on Azure AKS managed by Fleet
- Run Elastic Agent Standalone on Kubernetes
- Scaling Elastic Agent on Kubernetes
- Using a custom ingest pipeline with the Kubernetes Integration
- Environment variables
- Run Elastic Agent as an OTel Collector
- Run Elastic Agent without administrative privileges
- Install Elastic Agent from an MSI package
- Installation layout
- Air-gapped environments
- Using a proxy server with Elastic Agent and Fleet
- Uninstall Elastic Agents from edge hosts
- Start and stop Elastic Agents on edge hosts
- Elastic Agent configuration encryption
- Secure connections
- Manage Elastic Agents in Fleet
- Configure standalone Elastic Agents
- Create a standalone Elastic Agent policy
- Structure of a config file
- Inputs
- Providers
- Outputs
- SSL/TLS
- Logging
- Feature flags
- Agent download
- Config file examples
- Grant standalone Elastic Agents access to Elasticsearch
- Example: Use standalone Elastic Agent with Elastic Cloud Serverless to monitor nginx
- Example: Use standalone Elastic Agent with Elasticsearch Service to monitor nginx
- Debug standalone Elastic Agents
- Kubernetes autodiscovery with Elastic Agent
- Monitoring
- Reference YAML
- Manage integrations
- Package signatures
- Add an integration to an Elastic Agent policy
- View integration policies
- Edit or delete an integration policy
- Install and uninstall integration assets
- View integration assets
- Set integration-level outputs
- Upgrade an integration
- Managed integrations content
- Best practices for integrations assets
- Data streams
- Define processors
- Processor syntax
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_cef
- decode_csv_fields
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- parse_aws_vpc_flow_log
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- timestamp
- translate_sid
- truncate_fields
- urldecode
- Command reference
- Troubleshoot
- Release notes
Elasticsearch output settings
editElasticsearch output settings
editSpecify these settings to send data over a secure connection to Elasticsearch. In the Fleet Output settings, make sure that Elasticsearch output type is selected.
The Elasticsearch URLs where Elastic Agents will send data. By default, Elasticsearch is exposed on the following ports:
Examples:
Refer to the Fleet Server documentation for default ports and other configuration details. |
|
HEX encoded SHA-256 of a CA certificate. If this certificate is
present in the chain during the handshake, it will be added to the
|
|
Select a proxy URL for Elastic Agent to connect to Elasticsearch. To learn about proxy configuration, refer to Using a proxy server with Elastic Agent and Fleet. |
|
YAML settings that will be added to the Elasticsearch output section of each policy that uses this output. Make sure you specify valid YAML. The UI does not currently provide validation. See Advanced YAML configuration for descriptions of the available settings. |
|
When this setting is on, Elastic Agents use this output to send data if no other output is set in the agent policy. |
|
When this setting is on, Elastic Agents use this output to send agent monitoring data if no other output is set in the agent policy. |
|
Choose one of the menu options to tune your Elastic Agent performance when sending data to an Elasticsearch output. You can optimize for throughput, scale, latency, or you can choose a balanced (the default) set of performance specifications. Refer to Performance tuning settings for details about the setting values and their potential impact on performance. You can also use the Advanced YAML configuration field to set custom values. Note that if you adjust any of the performance settings described in the following Advanced YAML configuration section, the Performance tuning option automatically changes to Performance tuning preset values take precedence over any settings that may be defined separately. If you want to change any setting, you need to use the For example, if you would like to use the balanced preset values except that you prefer a higher compression level, you can do so as follows:
When you create an Elastic Agent policy using this output, the output will use the balanced preset options except with the higher compression level, as specified. |
Advanced YAML configuration
editSetting | Description |
---|---|
Allow Elastic Agent to connect and send output to an Elasticsearch instance that is running an earlier version than the agent version. Note that this setting does not affect Elastic Agent’s ability to connect to Fleet Server. Fleet Server will not accept a connection from an agent at a later major or minor version. It will accept a connection from an agent at a later patch version. For example, an Elastic Agent at version 8.14.3 can connect to a Fleet Server on version 8.14.0, but an agent at version 8.15.0 or later is not able to connect. Default: |
|
(string) The number of seconds to wait before trying to reconnect to Elasticsearch
after a network error. After waiting Default: |
|
(string) The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. Default: |
|
(int) The maximum number of events to bulk in a single Elasticsearch bulk API index request. Events can be collected into batches. Elastic Agent will split batches larger than
Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput. Setting Default: |
|
(int) The gzip compression level. Set this value to Increasing the compression level reduces network usage but increases CPU usage. |
|
(int) The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped. Set Default: |
|
The number of events the queue can store. This value should be evenly divisible by the smaller of Default: |
|
Default: |
|
(int) The maximum wait time for Default: |
|
(string) The HTTP request timeout in seconds for the Elasticsearch request. Default: |
|
(int) The number of workers per configured host publishing events. Example: If you have two hosts and three workers, in total six workers are started (three for each host). Default: |
Performance tuning settings
editTable 4. Performance tuning preset values
Configuration | Balanced | Optimized for Throughput | Optimized for Scale | Optimized for Latency |
---|---|---|---|---|
|
1600 |
1600 |
1600 |
50 |
|
1 |
4 |
1 |
1 |
|
3200 |
12800 |
3200 |
4100 |
|
1600 |
1600 |
1600 |
2050 |
|
10 |
5 |
20 |
1 |
|
1 |
1 |
1 |
1 |
|
3 |
15 |
1 |
60 |
For descriptions of each setting, refer to Advanced YAML configuration. For the queue.mem.events
, queue.mem.flush.min_events
and queue.mem.flush.timeout
settings, refer to the internal queue configuration settings in the Filebeat documentation.
Balanced
represents the new default setting (out of the box behaviour). Relative to Balanced
, Optimized for throughput
setting will improve EPS by 4 times, Optimized for Scale
will perform on par and Optimized for Latency
will show a 20% degredation in EPS (Events Per Second). These relative performance numbers were calculated from a performance testbed which operates in a controlled setting ingesting a large log file.
As mentioned, the custom
preset allows you to input your own set of parameters for a finer tuning of performance. The following table
is a summary of a few data points and how the resulting EPS compares to the Balanced
setting mentioned above.
These presets apply only to agents on version 8.12.0 or later.
Table 5. Performance tuning: EPS data
worker | bulk_max_size | queue.mem_events | queue.mem.flush.min_events | queue.mem.flush.timeout | idle_connection_timeout | Relative EPS |
---|---|---|---|---|---|---|
1 |
1600 |
3200 |
1600 |
5 |
15 |
1x |
1 |
2048 |
4096 |
2048 |
5 |
15 |
1x |
1 |
4096 |
8192 |
4096 |
5 |
15 |
1x |
2 |
1600 |
6400 |
1600 |
5 |
15 |
2x |
2 |
2048 |
8192 |
2048 |
5 |
15 |
2x |
2 |
4096 |
16384 |
4096 |
5 |
15 |
2x |
4 |
1600 |
12800 |
1600 |
5 |
15 |
3.6x |
4 |
2048 |
16384 |
2048 |
5 |
15 |
3.6x |
4 |
4096 |
32768 |
4096 |
5 |
15 |
3.6x |
8 |
1600 |
25600 |
1600 |
5 |
15 |
5.3x |
8 |
2048 |
32768 |
2048 |
5 |
15 |
5.1x |
8 |
4096 |
65536 |
4096 |
5 |
15 |
5.2x |
16 |
1600 |
51200 |
1600 |
5 |
15 |
5.3x |
16 |
2048 |
65536 |
2048 |
5 |
15 |
5.2x |
16 |
4096 |
131072 |
4096 |
5 |
15 |
5.3x |