{ls} output settings

Specify these settings to send data over a secure connection to {ls}. You must also configure a {ls} pipeline that reads encrypted data from {agent}s and sends the data to {es}. Follow the in-product steps to configure the {ls} pipeline.

In the {fleet} Output settings, make sure that the {ls} output type is selected.

Before using the {ls} output, you need to make sure that for any integrations that have been added to your {agent} policy, the integration assets have been installed on the destination cluster. Refer to Install and uninstall {agent} integration assets for the steps to add integration assets.

To learn how to generate certificates, refer to [secure-logstash-connections].

To receive the events in {ls}, you also need to create a {ls} configuration pipeline. The {ls} configuration pipeline listens for incoming {agent} connections, processes received events, and then sends the events to {es}.

The following example configures a {ls} pipeline that listens on port 5044 for incoming {agent} connections and routes received events to {es}.

The {ls} pipeline definition below is an example. Please refer to the Additional Logstash configuration required steps when creating the {ls} output in the Fleet outputs page.

input {
  elastic_agent {
    port => 5044
    enrich => none # don't modify the events' schema at all
    ssl => true
    ssl_certificate_authorities => ["<ca_path>"]
    ssl_certificate => "<server_cert_path>"
    ssl_key => "<server_cert_key_in_pkcs8>"
    ssl_verify_mode => "force_peer"
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"] (1)
    # cloud_id => "..."
    data_stream => "true"
    api_key => "<api_key>" (2)
    data_stream => true
    ssl => true
    # cacert => "<elasticsearch_ca_path>"
  }
}

The {es} server and the port (9200) where {es} is running.
The API Key obtained from the {ls} output creation steps in Fleet.

{ls} hosts	The addresses your {agent}s will use to connect to {ls}. Use the format `host:port`. Click add row to specify additional {ls} addresses. Examples: `192.0.2.0:5044` `mylogstashhost:5044` Refer to the {fleet-server} documentation for default ports and other configuration details.
Server SSL certificate authorities	The CA certificate to use to connect to {ls}. This is the CA used to generate the certificate and key for {ls}. Copy and paste in the full contents for the CA certificate. This setting is optional.
Client SSL certificate	The certificate generated for the client. Copy and paste in the full contents of the certificate. This is the certificate that all the agents will use to connect to {ls}. In cases where each client has a unique certificate, the local path to that certificate can be placed here. The agents will pick the certificate in that location when establishing a connection to {ls}.
Client SSL certificate key	The private key generated for the client. This must be in PKCS 8 key. Copy and paste in the full contents of the certificate key. This is the certificate key that all the agents will use to connect to {ls}. In cases where each client has a unique certificate key, the local path to that certificate key can be placed here. The agents will pick the certificate key in that location when establishing a connection to {ls}. To prevent unauthorized access the certificate key is stored as a secret value. While secret storage is recommended, you can choose to override this setting and store the key as plain text in the agent policy definition. Secret storage requires {fleet-server} version 8.12 or higher. Note that this setting can also be stored as a secret value or as plain text for preconfigured outputs. See {kibana-ref}/fleet-settings-kb.html#_preconfiguration_settings_for_advanced_use_cases[Preconfiguration settings] in the {kib} Guide to learn more.
Proxy	Select a proxy URL for {agent} to connect to {ls}. To learn about proxy configuration, refer to [fleet-agent-proxy-support].
Advanced YAML configuration	YAML settings that will be added to the {ls} output section of each policy that uses this output. Make sure you specify valid YAML. The UI does not currently provide validation. See Advanced YAML configuration for descriptions of the available settings.
Make this output the default for agent integrations	When this setting is on, {agent}s use this output to send data if no other output is set in the agent policy. Output to {ls} is not supported for agent integrations in a policy used by {fleet-server} or APM.
Make this output the default for agent monitoring	When this setting is on, {agent}s use this output to send agent monitoring data if no other output is set in the agent policy. Output to {ls} is not supported for agent monitoring in a policy used by {fleet-server} or APM.