fleet-settings-remote-elasticsearch.asciidoc


Remote {es} output

Beginning in version 8.12.0, you can send {agent} data to a remote {es} cluster. This is especially useful for data that you want to keep separate and independent from the deployment where you use {fleet} to manage the agents.

A remote {es} cluster supports the same output settings as your main {es} cluster.

Warning
A bug has been found that causes {elastic-defend} response actions to stop working when a remote {es} output is configured for an agent. This bug is currently being investigated and is expected to be resolved in an upcoming release.
Note
Using a remote {es} output with a target cluster that has {cloud}/ec-traffic-filtering-deployment-configuration.html[traffic filters] enabled is not currently supported.

To configure a remote {es} cluster for your {agent} data:

  1. In {fleet}, open the Settings tab.

  2. In the Outputs section, select Add output.

  3. In the Add new output flyout, provide a name for the output and select Remote Elasticsearch as the output type.

  4. In the Hosts field, add the URL that agents should use to access the remote {es} cluster.

    1. To find the remote host address, in the remote cluster open {kib} and go to Management → {fleet} → Settings.

    2. Copy the Hosts value for the default output.

    3. Back in your main cluster, paste the value you copied into the output Hosts field.

  5. Create a service token to access the remote cluster.

    1. Below the Service Token field, copy the API request.

    2. In the remote cluster, open the {kib} menu and go to Management → Dev Tools.

    3. Run the API request.

    4. Copy the value for the generated token.

    5. Back in your main cluster, paste the value you copied into the output Service Token field.

      Note
      To prevent unauthorized access, the {es} service token is stored as a secret value. While secret storage is recommended, you can choose to override this setting and store the service token as plain text in the agent policy definition. Secret storage requires {fleet-server} version 8.12 or higher. This setting can also be stored as a secret value or as plain text for preconfigured outputs. See {kibana-ref}/fleet-settings-kb.html#_preconfiguration_settings_for_advanced_use_cases[Preconfiguration settings] in the {kib} Guide to learn more.
  6. Choose whether or not the remote output should be the default for agent integrations or for agent monitoring data. When set, {agent}s send that kind of data to this output whenever the agent policy does not specify another output.

  7. Select which performance tuning settings you’d prefer in order to optimize {agent} for throughput, scale, or latency, or leave the default balanced setting.

  8. Add any advanced YAML configuration settings that you’d like for the output.

  9. Click Save and apply settings.

After the output is created, you can update an {agent} policy to use the new remote {es} cluster:

  1. In {fleet}, open the Agent policies tab.

  2. Click the agent policy to edit it, then click Settings.

  3. To send integrations data, set the Output for integrations option to use the output that you configured in the previous steps.

  4. To send {agent} monitoring data, set the Output for agent monitoring option to use the output that you configured in the previous steps.

  5. Click Save changes.

The remote {es} cluster is now configured.

As a final step before using the remote {es} output, you need to make sure that for any integrations that have been added to your {agent} policy, the integration assets (index templates, ingest pipelines, and dashboards) have been installed on the remote {es} cluster. Installing an integration in the main cluster does not install its assets on the remote cluster, so data sent there would otherwise be indexed without the integration's mappings and pipelines. Refer to Install and uninstall {agent} integration assets for the steps.
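The whole procedure on this page (service token on the remote cluster, output and agent policy on the main cluster, integration assets back on the remote cluster) driven through the Fleet API instead of the UI, as an added example that is not part of the original page or of Elastic's own code. The Kibana URLs, API keys, policy ID and token value are constructed placeholders. Field names follow the Fleet outputs and agent policies API as of 8.12 (`type: remote_elasticsearch`, `secrets.service_token`, `data_output_id`, `monitoring_output_id`, `preset`); the `{"remote": true}` body for the service token request is an assumption, so copy the exact request the Add new output flyout displays. Network calls are isolated in `kibana_request`, so the body builders can be checked offline.

```python
"""Configure a Fleet remote Elasticsearch output end to end via the Kibana API.

Added example, not Elastic's code. Hostnames, keys, IDs and token values are
constructed placeholders; verify field names against your Kibana version.
"""
import json
import urllib.request
from urllib.parse import urlparse

REMOTE_OUTPUT_TYPE = "remote_elasticsearch"
PRESETS = ("balanced", "throughput", "scale", "latency", "custom")


def validate_remote_host(url: str) -> str:
    """Accept only the URL copied from the remote cluster's Fleet settings.

    Credentials belong in the service token, not in the host URL, and a
    remote cluster should be reached over TLS (design choice of this example).
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the host URL; use the service token")
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError("refusing plain http to a non-local remote cluster")
    return url.rstrip("/")


def build_remote_output(name, hosts, service_token, *, is_default=False,
                        is_default_monitoring=False, preset="balanced",
                        config_yaml=None, store_as_secret=True) -> dict:
    """Body for POST /api/fleet/outputs (steps 3 to 8 of the page)."""
    if preset not in PRESETS:
        raise ValueError(f"unknown performance preset {preset!r}")
    body = {
        "name": name,
        "type": REMOTE_OUTPUT_TYPE,
        "hosts": [validate_remote_host(h) for h in hosts],
        "is_default": is_default,
        "is_default_monitoring": is_default_monitoring,
        "preset": preset,
    }
    if store_as_secret:
        # Secret storage (Fleet Server 8.12+): token never lands in the policy YAML.
        body["secrets"] = {"service_token": service_token}
    else:
        # Plain text: the token is written into the agent policy definition.
        body["service_token"] = service_token
    if config_yaml:
        body["config_yaml"] = config_yaml  # advanced YAML configuration, step 8
    return body


def build_policy_update(policy: dict, output_id: str, *, integrations=True,
                        monitoring=True) -> dict:
    """Body for PUT /api/fleet/agent_policies/{id}; name and namespace are required."""
    body = {"name": policy["name"], "namespace": policy["namespace"]}
    if integrations:
        body["data_output_id"] = output_id        # "Output for integrations"
    if monitoring:
        body["monitoring_output_id"] = output_id  # "Output for agent monitoring"
    return body


def packages_in_policy(policy: dict) -> list:
    """Unique (name, version) of integrations whose assets the remote cluster needs."""
    pkgs = set()
    for pp in policy.get("package_policies", []):
        pkg = pp.get("package")
        if pkg:
            pkgs.add((pkg["name"], pkg["version"]))
    return sorted(pkgs)


def kibana_request(base_url, path, method="GET", body=None, api_key=None):
    """Minimal Kibana API call; kbn-xsrf is mandatory on mutating requests."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("kbn-xsrf", "true")
    req.add_header("Content-Type", "application/json")
    if api_key:
        req.add_header("Authorization", f"ApiKey {api_key}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def configure_remote_output(main_kibana, main_key, remote_kibana, remote_key,
                            remote_es_host, policy_id, output_name="remote-es"):
    """Run the page's procedure in order and return the new output's ID."""
    # Step 5: generate the service token on the remote cluster (body is an assumption).
    token = kibana_request(remote_kibana, "/api/fleet/service_tokens", "POST",
                           {"remote": True}, remote_key)["value"]
    # Steps 1-9: create the output on the main cluster, token stored as a secret.
    created = kibana_request(main_kibana, "/api/fleet/outputs", "POST",
                             build_remote_output(output_name, [remote_es_host], token), main_key)
    output_id = created["item"]["id"]
    # Agent policy steps 1-5: route integrations and monitoring data to the output.
    policy = kibana_request(main_kibana, f"/api/fleet/agent_policies/{policy_id}",
                            api_key=main_key)["item"]
    kibana_request(main_kibana, f"/api/fleet/agent_policies/{policy_id}", "PUT",
                   build_policy_update(policy, output_id), main_key)
    # Final step: install each integration's assets on the remote cluster.
    for name, version in packages_in_policy(policy):
        kibana_request(remote_kibana, f"/api/fleet/epm/packages/{name}/{version}",
                       "POST", {}, remote_key)
    return output_id


if __name__ == "__main__":
    # Offline dry run with constructed values: show the bodies that would be sent.
    print(json.dumps(build_remote_output(
        "remote-es", ["https://remote-es.example.internal:9200/"], "AAEAAWVs..."), indent=2))
```

Run `configure_remote_output(...)` with real Kibana URLs and API keys that hold Fleet privileges on each side; the `main` block only prints the output body so nothing is sent by accident. The host validation deliberately refuses plain `http` to a non-local host and URLs with embedded credentials, two mistakes that would otherwise be accepted silently.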