Capture environment variables
editCapture environment variables
editYou can configure an Elastic Agent policy to capture up to five environment variables (env vars
).
- Env var names must be no more than 63 characters, and env var values must be no more than 1023 characters. Values outside these limits are silently ignored.
- Env var names are case sensitive.
To set up environment variable capture for an Elastic Agent policy:
- Find Policies in the navigation menu or use the global search field.
- Select an Elastic Agent policy.
- Click Show advanced settings.
-
Scroll down or search for
linux.advanced.capture_env_vars
, ormac.advanced.capture_env_vars
. -
Enter the names of env vars you want to capture, separated by commas. For example:
PATH,USER
- Click Save.
Find captured environment variables
editCaptured environment variables are associated with process events, and appear in each event’s process.env_vars
field.
To view environment variables in the Events table:
- Click the Events tab on the Hosts, Network, or Users pages, then click Fields in the Events table.
-
Search for the
process.env_vars
field, select it, and click Close. A new column appears containing captured environment variable data.