Configure the Elasticsearch output

edit

Running Elastic Agent in standalone mode is an advanced use case. The documentation is incomplete and not yet mature. When possible, we recommend using Fleet-managed agents instead of standalone mode.

The Elasticsearch output sends events directly to Elasticsearch by using the Elasticsearch HTTP API.

Compatibility: This output works with all compatible versions of Elasticsearch. See the Elastic Support Matrix.

This example configures an Elasticsearch output called default in the elastic-agent.yml file:

outputs:
  default:
    type: elasticsearch
    hosts: [127.0.0.1:9200]
    username: elastic
    password: changeme

Elasticsearch output configuration settings

edit

The elasticsearch output type supports the following settings, grouped by category. Many of these settings have sensible defaults that allow you to run Elastic Agent with minimal configuration.

Commonly used settings

edit
Setting Description

enabled

(boolean) Enables or disables the output. If set to false, the output is disabled.

Default: true

hosts

(list) The list of Elasticsearch nodes to connect to. The events are distributed to these nodes in round robin order. If one node becomes unreachable, the event is automatically sent to another node. Each Elasticsearch node can be defined as a URL or IP:PORT. For example: http://192.15.3.2, https://es.found.io:9230 or 192.24.3.2:9300. If no port is specified, 9200 is used.

When a node is defined as an IP:PORT, the scheme and path are taken from the protocol and path settings.

outputs:
  default:
    type: elasticsearch
    hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] 
    protocol: https
    path: /elasticsearch

In this example, the Elasticsearch nodes are available at https://10.45.3.2:9220/elasticsearch and https://10.45.3.1:9230/elasticsearch.

protocol

(string) The name of the protocol Elasticsearch is reachable on. The options are: http or https. The default is http. However, if you specify a URL for hosts, the value of protocol is overridden by whatever scheme you specify in the URL.

proxy_disable

(boolean) If set to true, all proxy settings, including HTTP_PROXY and HTTPS_PROXY variables, are ignored.

Default: false

proxy_headers

(string) Additional headers to send to proxies during CONNECT requests.

proxy_url

(string) The URL of the proxy to use when connecting to the Elasticsearch servers. The value may be either a complete URL or a host[:port], in which case the http scheme is assumed. If a value is not specified through the configuration file then proxy environment variables are used. See the Go documentation for more information about the environment variables.

Authentication settings

edit

Settings for authenticating with Elasticsearch.

When sending data to a secured cluster through the elasticsearch output, Elastic Agent can use any of the following authentication methods:

Basic authentication credentials
edit
outputs:
  default:
    type: elasticsearch
    hosts: ["https://myEShost:9200"]
    username: "your-username"
    password: "your-password"
Setting Description

password

(string) The basic authentication password for connecting to Elasticsearch.

username

(string) The basic authentication username for connecting to Elasticsearch.

This user needs the privileges required to publish events to Elasticsearch.

Token-based (API key) authentication
edit
outputs:
  default:
    type: elasticsearch
    hosts: ["https://myEShost:9200"]
    api_key: "KnR6yE41RrSowb0kQ0HWoA"
Setting Description

api_key

(string) Instead of using a username and password, you can use API keys to secure communication with Elasticsearch. The value must be the ID of the API key and the API key joined by a colon: id:api_key.

Public Key Infrastructure (PKI) certificates
edit
outputs:
  default:
    type: elasticsearch
    hosts: ["https://myEShost:9200"]
    ssl.certificate: "/etc/pki/client/cert.pem"
    ssl.key: "/etc/pki/client/cert.key"

There are a number of SSL configuration settings available depending on whether you are configuring the client, server, or both. See the following tables for available settings:

For more information about using certificates, refer to Encrypt traffic in clusters with a self-managed Fleet Server.

Table 1. Common configuration options

Setting Description

ssl.ca_sha256

(string) This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.

The pin is a base64 encoded string of the SHA-256 of the certificate.

This check is not a replacement for the normal SSL validation, but it adds additional validation. If this setting is used with verification_mode set to none, the check will always fail because it will not receive any verified chains.

ssl.cipher_suites

(list) The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list.

The following cipher suites are available:

  • ECDHE-ECDSA-AES-128-CBC-SHA
  • ECDHE-ECDSA-AES-128-CBC-SHA256: TLS 1.2 only. Disabled by default.
  • ECDHE-ECDSA-AES-128-GCM-SHA256: TLS 1.2 only.
  • ECDHE-ECDSA-AES-256-CBC-SHA
  • ECDHE-ECDSA-AES-256-GCM-SHA384: TLS 1.2 only.
  • ECDHE-ECDSA-CHACHA20-POLY1305: TLS 1.2 only.
  • ECDHE-ECDSA-RC4-128-SHA: Disabled by default. RC4 not recommended.
  • ECDHE-RSA-3DES-CBC3-SHA
  • ECDHE-RSA-AES-128-CBC-SHA
  • ECDHE-RSA-AES-128-CBC-SHA256: TLS 1.2 only. Disabled by default.
  • ECDHE-RSA-AES-128-GCM-SHA256: TLS 1.2 only.
  • ECDHE-RSA-AES-256-CBC-SHA
  • ECDHE-RSA-AES-256-GCM-SHA384: TLS 1.2 only.
  • ECDHE-RSA-CHACHA20-POLY1205: TLS 1.2 only.
  • ECDHE-RSA-RC4-128-SHA: Disabled by default. RC4 not recommended.
  • RSA-3DES-CBC3-SHA
  • RSA-AES-128-CBC-SHA
  • RSA-AES-128-CBC-SHA256: TLS 1.2 only. Disabled by default.
  • RSA-AES-128-GCM-SHA256: TLS 1.2 only.
  • RSA-AES-256-CBC-SHA
  • RSA-AES-256-GCM-SHA384: TLS 1.2 only.
  • RSA-RC4-128-SHA: Disabled by default. RC4 not recommended.

Here is a list of acronyms used in defining the cipher suites:

  • 3DES: Cipher suites using triple DES
  • AES-128/256: Cipher suites using AES with 128/256-bit keys.
  • CBC: Cipher using Cipher Block Chaining as block cipher mode.
  • ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
  • ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
  • GCM: Galois/Counter mode is used for symmetric key cryptography.
  • RC4: Cipher suites using RC4.
  • RSA: Cipher suites using RSA.
  • SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.

ssl.curve_types

(list) The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).

The following elliptic curve types are available:

  • P-256
  • P-384
  • P-521
  • X25519

ssl.enabled

(boolean) Enables or disables the SSL configuration.

Default: true

SSL settings are disabled if either enabled is set to false or the ssl section is missing.

ssl.supported_protocols

(list) List of allowed SSL/TLS versions. If the SSL/TLS server supports none of the specified versions, the connection will be dropped during or after the handshake. The list of allowed protocol versions include: SSLv3, TLSv1 for TLS version 1.0, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.

Default: [TLSv1.1, TLSv1.2, TLSv1.3]

Table 2. Client configuration options

Setting Description

ssl.certificate

(string) The path to the certificate for SSL client authentication. This setting is only required if client_authentication is specified. If certificate is not specified, client authentication is not available, and the connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server.

Example:

ssl.certificate: "/path/to/cert.pem"

When this setting is configured, the ssl.key setting is also required.

Specify a path, or embed a certificate directly in the YAML configuration:

ssl.certificate: |
    -----BEGIN CERTIFICATE-----
    CERTIFICATE CONTENT APPEARS HERE
    -----END CERTIFICATE-----

ssl.certificate _authorities

(list) The list of root certificates for verifications (required). If certificate_authorities is empty or not set, the system keystore is used. If certificate_authorities is self-signed, the host system needs to trust that CA cert as well.

Example:

ssl.certificate_authorities: ["/path/to/root/ca.pem"]

Specify a list of files that Elastic Agent will read, or embed a certificate directly in the YAML configuration:

ssl.certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    CERTIFICATE CONTENT APPEARS HERE
    -----END CERTIFICATE-----

ssl.key

(string) The client certificate key used for client authentication. Only required if client_authentication is configured.

Example:

ssl.key: "/path/to/cert.key"

Specify a path, or embed the private key directly in the YAML configuration:

ssl.key: |
    -----BEGIN PRIVATE KEY-----
    KEY CONTENT APPEARS HERE
    -----END PRIVATE KEY-----

ssl.key_passphrase

(string) The passphrase used to decrypt an encrypted key stored in the configured key file.

ssl.verification _mode

(string) Controls the verification of server certificates. Valid values are:

full
Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
strict
Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
certificate
Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
none
Performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.

Default: full

ssl.ca_trusted _fingerprint

(string) A HEX encoded SHA-256 of a CA certificate. If this certificate is present in the chain during the handshake, it will be added to the certificate_authorities list and the handshake will continue normally.

Example:

ssl.ca_trusted_fingerprint: 3b24d33844d6553...826

Table 3. Server configuration options

Setting Description

ssl.certificate

(string) The path to the certificate for SSL server authentication. If the certificate is not specified, startup will fail.

Example:

ssl.certificate: "/path/to/server/cert.pem"

When this setting is configured, the key setting is also required.

Specify a path, or embed a certificate directly in the YAML configuration:

ssl.certificate: |
    -----BEGIN CERTIFICATE-----
    CERTIFICATE CONTENT APPEARS HERE
    -----END CERTIFICATE-----

ssl.certificate _authorities

(list) The list of root certificates for client verifications is only required if client_authentication is configured. If certificate_authorities is empty or not set, and client_authentication is configured, the system keystore is used. If certificate_authorities is self-signed, the host system needs to trust that CA cert too.

Example:

ssl.certificate_authorities: ["/path/to/root/ca.pem"]

Specify a list of files that Elastic Agent will read, or embed a certificate directly in the YAML configuration:

ssl.certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    CERTIFICATE CONTENT APPEARS HERE
    -----END CERTIFICATE-----

ssl.client_ authentication

(string) Configures client authentication. The valid options are:

none
Disables client authentication.
optional
When a client certificate is supplied, the server will verify it.
required
Requires clients to provide a valid certificate.

Default: required (if certificate_authorities is set); otherwise, none

ssl.key

(string) The server certificate key used for authentication (required).

Example:

ssl.key: "/path/to/server/cert.key"

Specify a path, or embed the private key directly in the YAML configuration:

ssl.key: |
    -----BEGIN PRIVATE KEY-----
    KEY CONTENT APPEARS HERE
    -----END PRIVATE KEY-----

ssl.key_passphrase

(string) The passphrase used to decrypt an encrypted key stored in the configured key file.

ssl.renegotiation

(string) Configures the type of TLS renegotiation to support. The valid options are:

never
Disables renegotiation.
once
Allows a remote server to request renegotiation once per connection.
freely
Allows a remote server to request renegotiation repeatedly.

Default: never

ssl.verification _mode

(string) Controls the verification of client certificates. Valid values are:

full
Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
strict
Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.
certificate
Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
none
Performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.

Default: full

Kerberos
edit

The following encryption types are supported:

  • aes128-cts-hmac-sha1-96
  • aes128-cts-hmac-sha256-128
  • aes256-cts-hmac-sha1-96
  • aes256-cts-hmac-sha384-192
  • des3-cbc-sha1-kd
  • rc4-hmac

Example output config with Kerberos password-based authentication:

outputs:
  default:
    type: elasticsearch
    hosts: ["http://my-elasticsearch.elastic.co:9200"]
    kerberos.auth_type: password
    kerberos.username: "elastic"
    kerberos.password: "changeme"
    kerberos.config_path: "/etc/krb5.conf"
    kerberos.realm: "ELASTIC.CO"

The service principal name for the Elasticsearch instance is constructed from these options. Based on this configuration, the name would be:

HTTP/[email protected]

Setting Description

kerberos.auth_type

(string) The type of authentication to use with Kerberos KDC:

password
When specified, also set kerberos.username and kerberos.password.
keytab
When specified, also set kerberos.username and kerberos.keytab. The keytab must contain the keys of the selected principal, or authentication fails.

Default: password

kerberos.config_path

(string) Path to the krb5.conf. Elastic Agent uses this setting to find the Kerberos KDC to retrieve a ticket.

kerberos.enabled

(boolean) Enables or disables the Kerberos configuration.

Kerberos settings are disabled if either enabled is set to false or the kerberos section is missing.

kerberos.enable_krb5_fast

(boolean) If true, enables Kerberos FAST authentication. This may conflict with some Active Directory installations.

Default: false

kerberos.keytab

(string) If kerberos.auth_type is keytab, provide the path to the keytab of the selected principal.

kerberos.password

(string) If kerberos.auth_type is password, provide a password for the selected principal.

kerberos.realm

(string) Name of the realm where the output resides.

kerberos.username

(string) Name of the principal used to connect to the output.

Data parsing, filtering, and manipulation settings
edit

Settings used to parse, filter, and transform data.

Setting Description

escape_html

(boolean) Configures escaping of HTML in strings. Set to true to enable escaping.

Default: false

pipeline

(string) A format string value that specifies the ingest pipeline to write events to.

outputs:
  default:
    type: elasticsearchoutput.elasticsearch:
    hosts: ["http://localhost:9200"]
    pipeline: my_pipeline_id

You can set the ingest pipeline dynamically by using a format string to access any event field. For example, this configuration uses a custom field, fields.log_type, to set the pipeline for each event:

outputs:
  default:
    type: elasticsearch  hosts: ["http://localhost:9200"]
    pipeline: "%{[fields.log_type]}_pipeline"

With this configuration, all events with log_type: normal are sent to a pipeline named normal_pipeline, and all events with log_type: critical are sent to a pipeline named critical_pipeline.

To learn how to add custom fields to events, see the fields option.

See the pipelines setting for other ways to set the ingest pipeline dynamically.

pipelines

An array of pipeline selector rules. Each rule specifies the ingest pipeline to use for events that match the rule. During publishing, Elastic Agent uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the pipelines setting is missing or no rule matches, the pipeline setting is used.

Rule settings:

pipeline
The pipeline format string to use. If this string contains field references, such as %{[fields.name]}, the fields must exist, or the rule fails.
mappings
A dictionary that takes the value returned by pipeline and maps it to a new name.
default
The default string value to use if mappings does not find a match.
when
A condition that must succeed in order to execute the current rule.

All the conditions supported by processors are also supported here.

The following example sends events to a specific pipeline based on whether the message field contains the specified string:

outputs:
  default:
    type: elasticsearch  hosts: ["http://localhost:9200"]
    pipelines:
      - pipeline: "warning_pipeline"
        when.contains:
          message: "WARN"
      - pipeline: "error_pipeline"
        when.contains:
          message: "ERR"

The following example sets the pipeline by taking the name returned by the pipeline format string and mapping it to a new name that’s used for the pipeline:

outputs:
  default:
    type: elasticsearch
    hosts: ["http://localhost:9200"]
    pipelines:
      - pipeline: "%{[fields.log_type]}"
        mappings:
          critical: "sev1_pipeline"
          normal: "sev2_pipeline"
        default: "sev3_pipeline"

With this configuration, all events with log_type: critical are sent to sev1_pipeline, all events with log_type: normal are sent to a sev2_pipeline, and all other events are sent to sev3_pipeline.

HTTP settings

edit

Settings that modify the HTTP requests sent to Elasticsearch.

Setting Description

headers

Custom HTTP headers to add to each request created by the Elasticsearch output.

Example:

outputs:
  default:
    type: elasticsearch
    headers:
      X-My-Header: Header contents

Specify multiple header values for the same header name by separating them with a comma.

parameters

Dictionary of HTTP parameters to pass within the url with index operations.

path

(string) An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix.

Performance tuning settings

edit

Settings that may affect performance.

Setting Description

backoff.init

(string) The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting backoff.init seconds, Elastic Agent tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to backoff.max. After a successful connection, the backoff timer is reset.

Default: 1s

backoff.max

(string) The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error.

Default: 60s

bulk_max_size

(int) The maximum number of events to bulk in a single Elasticsearch bulk API index request.

Events can be collected into batches. Elastic Agent will split batches larger than bulk_max_size into multiple batches.

Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.

Setting bulk_max_size to values less than or equal to 0 turns off the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.

Default: 50

compression_level

(int) The gzip compression level. Set this value to 0 to disable compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).

Increasing the compression level reduces network usage but increases CPU usage.

Default: 0

max_retries

(int) The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.

Set max_retries to a value less than 0 to retry until all events are published.

Default: 3

timeout

(string) The HTTP request timeout in seconds for the Elasticsearch request.

Default: 90s

worker

(int) The number of workers per configured host publishing events to {output-type}. This is best used with load balancing mode enabled. Example: If you have two hosts and three workers, in total six workers are started (three for each host).

Default: 1