- Observability: other versions:
- Get started
- What is Elastic Observability?
- What’s new in 8.17
- Quickstart: Monitor hosts with Elastic Agent
- Quickstart: Monitor your Kubernetes cluster with Elastic Agent
- Quickstart: Monitor hosts with OpenTelemetry
- Quickstart: Unified Kubernetes Observability with Elastic Distributions of OpenTelemetry (EDOT)
- Quickstart: Collect data with AWS Firehose
- Add data from Splunk
- Applications and services
- Application performance monitoring (APM)
- Get started
- Learn about data types
- Collect application data
- View and analyze data
- Act on data
- Use APM securely
- Manage storage
- Configure APM Server
- Monitor APM Server
- APM APIs
- Troubleshooting
- Upgrade
- Release notes
- Known issues
- Synthetic monitoring
- Get started
- Scripting browser monitors
- Configure lightweight monitors
- Manage monitors
- Work with params and secrets
- Analyze monitor data
- Monitor resources on private networks
- Use the CLI
- Configure projects
- Multi-factor Authentication
- Configure Synthetics settings
- Grant users access to secured resources
- Manage data retention
- Use Synthetics with traffic filters
- Migrate from the Elastic Synthetics integration
- Scale and architect a deployment
- Synthetics support matrix
- Synthetics Encryption and Security
- Troubleshooting
- Real user monitoring
- Uptime monitoring (deprecated)
- Tutorial: Monitor a Java application
- Application performance monitoring (APM)
- CI/CD
- Cloud
- Infrastructure and hosts
- Logs
- Troubleshooting
- Incident management
- Data set quality
- Observability AI Assistant
- Reference
APM agent authorization
editAPM agent authorization
editAgent authorization APM Server configuration options.
Example config file:
apm-server: host: "localhost:8200" rum: enabled: true output: elasticsearch: hosts: ElasticsearchAddress:9200 max_procs: 4
Configure and customize Fleet-managed APM settings directly in Kibana:
- In Kibana, find Fleet in the main menu or use the global search field.
- Under the Agent policies tab, select the policy you would like to configure.
- Find the Elastic APM integration and select Actions > Edit integration.
- Look for these settings under Agent authorization.
API key authentication options
editThese settings apply to API key communication between the APM Server and APM Agents.
These settings are different from the API key settings used for Elasticsearch output and monitoring.
API key for agent authentication
editEnable API key authorization by setting enabled
to true
.
By default, enabled
is set to false
, and API key support is disabled. (bool)
APM Server binary |
|
Fleet-managed |
|
Not using Elastic APM agents?
When enabled, third-party APM agents must include a valid API key in the following format:
Authorization: ApiKey <token>
. The key must be the base64 encoded representation of the API key’s id:name
.
API key limit
editEach unique API key triggers one request to Elasticsearch.
This setting restricts the number of unique API keys are allowed per minute.
The minimum value for this setting should be the number of API keys configured in your monitored services.
The default limit
is 100
. (int)
APM Server binary |
|
Fleet-managed |
|
Secret token
editAuthorization token for sending APM data. The same token must also be set in each APM agent. This token is not used for RUM endpoints. (text)
APM Server binary |
|
Fleet-managed |
|
auth.api_key.elasticsearch.*
configuration options
editelasticsearch.hosts
editAPI keys are fetched from Elasticsearch. This configuration needs to point to a secured Elasticsearch cluster that is able to serve API key requests.
elasticsearch.protocol
editThe name of the protocol Elasticsearch is reachable on.
The options are: http
or https
. The default is http
.
If nothing is configured, configuration settings from the output
section will be reused.
elasticsearch.path
editAn optional HTTP path prefix that is prepended to the HTTP API calls.
If nothing is configured, configuration settings from the output
section will be reused.
elasticsearch.proxy_url
editThe URL of the proxy to use when connecting to the Elasticsearch servers.
The value may be either a complete URL or a "host[:port]", in which case the "http"scheme is assumed.
If nothing is configured, configuration settings from the output
section will be reused.
elasticsearch.timeout
editThe HTTP request timeout in seconds for the Elasticsearch request.
If nothing is configured, configuration settings from the output
section will be reused.
auth.api_key.elasticsearch.ssl.*
configuration options
editSSL is off by default. Set elasticsearch.protocol
to https
if you want to enable https
.
elasticsearch.ssl.enabled
editEnable custom SSL settings. Set to false to ignore custom SSL settings for secure communication.
elasticsearch.ssl.verification_mode
editConfigure SSL verification mode.
If none
is configured, all server hosts and certificates will be accepted.
In this mode, SSL based connections are susceptible to man-in-the-middle attacks.
Use only for testing. Default is full
.
elasticsearch.ssl.supported_protocols
editList of supported/valid TLS versions. By default, all TLS versions from 1.0 to 1.2 are enabled.
elasticsearch.ssl.certificate_authorities
editList of root certificates for HTTPS server verifications.
elasticsearch.ssl.certificate
editThe path to the certificate for SSL client authentication.
elasticsearch.ssl.key
editThe client certificate key used for client authentication. This option is required if certificate is specified.
elasticsearch.ssl.key_passphrase
editAn optional passphrase used to decrypt an encrypted key stored in the configured key file.
elasticsearch.ssl.cipher_suites
editThe list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended).
elasticsearch.ssl.curve_types
editThe list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
elasticsearch.ssl.renegotiation
editConfigure what types of renegotiation are supported.
Valid options are never
, once
, and freely
. Default is never
.
-
never
- Disables renegotiation. -
once
- Allows a remote server to request renegotiation once per connection. -
freely
- Allows a remote server to repeatedly request renegotiation.
On this page
- API key authentication options
- API key for agent authentication
- API key limit
- Secret token
auth.api_key.elasticsearch.*
configuration optionselasticsearch.hosts
elasticsearch.protocol
elasticsearch.path
elasticsearch.proxy_url
elasticsearch.timeout
auth.api_key.elasticsearch.ssl.*
configuration optionselasticsearch.ssl.enabled
elasticsearch.ssl.verification_mode
elasticsearch.ssl.supported_protocols
elasticsearch.ssl.certificate_authorities
elasticsearch.ssl.certificate
elasticsearch.ssl.key
elasticsearch.ssl.key_passphrase
elasticsearch.ssl.cipher_suites
elasticsearch.ssl.curve_types
elasticsearch.ssl.renegotiation
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now