Grant standalone Elastic Agents access to Elasticsearch
You can use either API keys or user credentials to grant standalone Elastic Agents access to Elasticsearch resources. The following minimal permissions are required to send logs, metrics, traces, and synthetics to Elasticsearch:
- monitor cluster privilege
- auto_configure and create_doc index privileges on logs-*-*, metrics-*-*, traces-*-*, and synthetics-*-*.
It’s recommended that you use API keys to avoid exposing usernames and passwords in configuration files.
If you’re using Fleet, refer to Fleet enrollment tokens.
Create API keys for standalone agents
API keys are sent as plain text, so they only provide security when used in combination with Transport Layer Security (TLS). Our hosted Elasticsearch Service on Elastic Cloud provides secure, encrypted connections out of the box! For self-managed Elasticsearch clusters, refer to Public Key Infrastructure (PKI) certificates.
You can set API keys to expire at a certain time, and you can explicitly invalidate them. Any user with the manage_api_key or manage_own_api_key cluster privilege can create API keys.
For security reasons, we recommend using a unique API key per Elastic Agent. You can create as many API keys per user as necessary.
If you are using Elastic Cloud Serverless, API key authentication is required.
To create an API key for Elastic Agent:
- In an Elastic Cloud or on-premises environment, in Kibana navigate to Stack Management > API keys and click Create API key.
  In a Serverless environment, in Kibana navigate to Project settings > Management > API keys and click Create API key.
- Enter a name for your API key and select Control security privileges.
- In the role descriptors box, copy and paste the following JSON. This example creates an API key with privileges for ingesting logs, metrics, traces, and synthetics:
- To set an expiration date for the API key, select Expire after time and input the lifetime of the API key in days.
- Click Create API key.
  You’ll see a message indicating that the key was created, along with the encoded key. By default, the API key is Base64 encoded, but that won’t work for Elastic Agent.
- Click the down arrow next to Base64 and select Beats.
- Copy the API key. You will need this for the next step, and you will not be able to view it again.
- To use the API key, specify the api_key setting in the elastic-agent.yml file. For example:
For more information about creating API keys in Kibana, see API Keys.
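The role descriptor, key format and api_key setting from the steps above, as an added Python example (not Elastic's code and not the JSON or YAML from the original page). The descriptor name standalone_agent, the host and the key values are constructed placeholders, and the Base64 form is assumed to be the Base64 encoding of the Beats form, id:api_key.

```python
import base64
import json

# Index patterns per data type, as listed on this page.
PATTERNS = {"logs": "logs-*-*", "metrics": "metrics-*-*",
            "traces": "traces-*-*", "synthetics": "synthetics-*-*"}


def role_descriptors(data_types, name="standalone_agent"):
    """Role descriptors limited to the data types this agent ships.
    `name` is a hypothetical label for the descriptor."""
    names = [PATTERNS[t] for t in data_types]  # KeyError on an unknown type
    return {name: {"cluster": ["monitor"],
                   "indices": [{"names": names,
                                "privileges": ["auto_configure", "create_doc"]}]}}


def to_beats_format(encoded_key):
    """Decode the Base64 form of a key into the Beats form, id:api_key."""
    decoded = base64.b64decode(encoded_key, validate=True).decode("utf-8")
    key_id, sep, secret = decoded.partition(":")
    if not (key_id and sep and secret):
        raise ValueError("decoded value is not in id:api_key form")
    return decoded


def output_section(host, beats_key):
    """Render the outputs block for elastic-agent.yml, refusing non-TLS hosts."""
    if not host.startswith("https://"):
        raise ValueError("API keys are sent as plain text; use an https:// host")
    return ("outputs:\n"
            "  default:\n"
            "    type: elasticsearch\n"
            f"    hosts: ['{host}']\n"
            f"    api_key: '{beats_key}'\n")


# Constructed sample values, not real credentials or hosts.
SAMPLE_ENCODED = base64.b64encode(b"EXAMPLE_KEY_ID:EXAMPLE_KEY_SECRET").decode()
SAMPLE_HOST = "https://elasticsearch.example.internal:9200"

if __name__ == "__main__":
    print(json.dumps(role_descriptors(["logs", "metrics"]), indent=2))
    print(output_section(SAMPLE_HOST, to_beats_format(SAMPLE_ENCODED)))
```

Passing only the data types an agent actually collects keeps each per-agent key scoped to those index patterns.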
Create a standalone agent role
Although it’s recommended that you use an API key instead of a username and password to access Elasticsearch (and an API key is required in a Serverless environment), you can create a role with the required privileges, assign it to a user, and specify the user’s credentials in the elastic-agent.yml file.
- In Kibana, go to Stack Management > Roles.
- Click Create role and enter a name for the role.
- In Cluster privileges, enter monitor.
- In Index privileges, enter:
  - logs-*-*, metrics-*-*, traces-*-*, and synthetics-*-* in the Indices field.
    Adjust this list to match the data you want to collect. For example, if you aren’t using APM or synthetics, remove traces-*-* and synthetics-*-* from this list.
  - auto_configure and create_doc in the Privileges field.
- Create the role and assign it to a user. For more information about creating roles, refer to Kibana role management.
- To use these credentials, set the username and password in the elastic-agent.yml file:
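A role built with the steps above can be compared against the minimum privileges this page lists before it is assigned to a user. The following Python check is an added example, not Elastic's code; the role definitions are constructed samples in the Elasticsearch role JSON shape (cluster, indices, names, privileges).

```python
# Minimum privileges listed on this page for a standalone agent.
MIN_CLUSTER = {"monitor"}
MIN_INDEX_PRIVS = {"auto_configure", "create_doc"}
AGENT_PATTERNS = {"logs-*-*", "metrics-*-*", "traces-*-*", "synthetics-*-*"}


def audit_role(role):
    """List every grant in `role` that exceeds or falls short of the minimum."""
    findings = []
    cluster = set(role.get("cluster", []))
    for priv in sorted(cluster - MIN_CLUSTER):
        findings.append(f"extra cluster privilege: {priv}")
    for priv in sorted(MIN_CLUSTER - cluster):
        findings.append(f"missing cluster privilege: {priv}")
    for entry in role.get("indices", []):
        privs = set(entry.get("privileges", []))
        for name in sorted(set(entry.get("names", [])) - AGENT_PATTERNS):
            findings.append(f"index pattern outside agent data: {name}")
        for priv in sorted(privs - MIN_INDEX_PRIVS):
            findings.append(f"extra index privilege: {priv}")
        for priv in sorted(MIN_INDEX_PRIVS - privs):
            findings.append(f"missing index privilege: {priv}")
    return findings


# Constructed role definitions for illustration.
MINIMAL_ROLE = {"cluster": ["monitor"],
                "indices": [{"names": ["logs-*-*", "metrics-*-*"],
                             "privileges": ["auto_configure", "create_doc"]}]}
OVERBROAD_ROLE = {"cluster": ["monitor", "manage_api_key"],
                  "indices": [{"names": ["logs-*-*", "*"],
                               "privileges": ["auto_configure", "create_doc", "all"]}]}

if __name__ == "__main__":
    for label, role in (("minimal", MINIMAL_ROLE), ("overbroad", OVERBROAD_ROLE)):
        print(label, audit_role(role) or "OK")
```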