Elasticsearch output settings

Specify these settings to send data over a secure connection to Elasticsearch. In the Fleet Output settings, make sure that the Elasticsearch output type is selected.

Elasticsearch output must match only the cluster with which Fleet Server is associated. It’s not possible to reference URLs belonging to other Elasticsearch clusters.

Hosts

The Elasticsearch URLs where Elastic Agents will send data. By default, Elasticsearch is exposed on the following ports:

  • 9200: Default Elasticsearch port for self-managed clusters
  • 443: Default Elasticsearch port for Elastic Cloud

Examples:

  • https://192.0.2.0:9200
  • https://1d7a52f5eb344de18ea04411fe09e564.fleet.eu-west-1.aws.qa.cld.elstc.co:443
  • https://[2001:db8::1]:9200

Refer to the Fleet Server documentation for default ports and other configuration details.

Elasticsearch CA trusted fingerprint

The hex-encoded SHA-256 fingerprint of a CA certificate. If this certificate is present in the chain during the TLS handshake, it is added to the certificate_authorities list and the handshake continues normally. To learn more about trusted fingerprints, refer to the Elasticsearch security documentation.
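As an added example (not code from the Fleet documentation or from Elastic), the following Python preflight check applies the Hosts and fingerprint rules above to values before they are pasted into the Fleet UI: every host URL must use https and carry a parseable hostname and port (bracketed IPv6 literals included), and the fingerprint must be a 64-digit hex SHA-256. The function names, the two rejected sample URLs and the fingerprint value are constructed for illustration; the three accepted URLs are the ones listed under Hosts.

```python
from urllib.parse import urlsplit

# Default ports documented for Elasticsearch output hosts.
DEFAULT_PORTS = {9200: "self-managed default", 443: "Elastic Cloud default"}


def check_host(url):
    """Return (ok, detail) for one Elasticsearch output URL.

    Rules enforced: the scheme must be https (the output sends data over a
    secure connection), a hostname must be present, and the port must parse.
    urlsplit strips the brackets from IPv6 literals, so
    https://[2001:db8::1]:9200 yields hostname '2001:db8::1' and port 9200.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port or bad IPv6 brackets
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme must be https, got {parts.scheme or '(none)'}"
    if not parts.hostname:
        return False, "missing hostname"
    if port is None:
        port = 443  # implicit port of an https URL with no explicit port
    return True, {"host": parts.hostname, "port": port,
                  "port_note": DEFAULT_PORTS.get(port, "non-default port")}


def check_fingerprint(fp):
    """Validate the shape of a CA trusted fingerprint: hex-encoded SHA-256,
    i.e. exactly 64 hex digits. Colon separators (as openssl prints them) are
    tolerated and stripped. Returns the normalized lowercase digest, or None."""
    digits = fp.replace(":", "").strip().lower()
    if len(digits) != 64 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return digits


def preflight(hosts, fingerprint=None):
    """Check every host and, if given, the fingerprint; return a report dict
    with per-host details and an overall 'ok' flag."""
    report = {"hosts": {}, "fingerprint": None, "ok": True}
    for url in hosts:
        ok, detail = check_host(url)
        report["hosts"][url] = detail
        report["ok"] = report["ok"] and ok
    if fingerprint is not None:
        norm = check_fingerprint(fingerprint)
        report["fingerprint"] = norm
        report["ok"] = report["ok"] and norm is not None
    return report


if __name__ == "__main__":
    # Constructed sample input: the three documented host forms plus two
    # deliberately bad entries (plain http, non-numeric port).
    sample_hosts = [
        "https://192.0.2.0:9200",
        "https://1d7a52f5eb344de18ea04411fe09e564.fleet.eu-west-1.aws.qa.cld.elstc.co:443",
        "https://[2001:db8::1]:9200",
        "http://192.0.2.0:9200",
        "https://192.0.2.0:abc",
    ]
    sample_fp = ":".join(["ab"] * 32)  # constructed placeholder, not a real CA digest
    for url, detail in preflight(sample_hosts, sample_fp)["hosts"].items():
        print(f"{url}\n    -> {detail}")
```

Run it against the real host list before saving the output; any host that fails here will fail in the same way when an agent tries to use it.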

Proxy

Select a proxy URL for Elastic Agent to connect to Elasticsearch. To learn about proxy configuration, refer to Using a proxy server with Elastic Agent and Fleet.

Advanced YAML configuration

YAML settings that will be added to the Elasticsearch output section of each policy that uses this output. Make sure you specify valid YAML. The UI does not currently provide validation.

See Advanced YAML configuration for descriptions of the available settings.

Make this output the default for agent integrations

When this setting is on, Elastic Agents use this output to send data if no other output is set in the agent policy.

Make this output the default for agent monitoring

When this setting is on, Elastic Agents use this output to send agent monitoring data if no other output is set in the agent policy.

Sending monitoring data to a remote Elasticsearch cluster is currently not supported.

Advanced YAML configuration

backoff.init

(string) The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting backoff.init seconds, Elastic Agent tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to backoff.max. After a successful connection, the backoff timer is reset.

Default: 1s

backoff.max

(string) The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error.

Default: 60s

bulk_max_size

(int) The maximum number of events to bulk in a single Elasticsearch bulk API index request.

Events can be collected into batches. Elastic Agent will split batches larger than bulk_max_size into multiple batches.

Specifying a larger batch size can improve performance by lowering the overhead of sending events. However, large batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.

Setting bulk_max_size to values less than or equal to 0 turns off the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.

Default: 50

max_retries

(int) The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.

Set max_retries to a value less than 0 to retry until all events are published.

Default: 3

timeout

(string) The HTTP request timeout in seconds for the Elasticsearch request.

Default: 90s

worker

(int) The number of workers per configured host publishing events. This is best used with load balancing mode enabled. Example: If you have two hosts and three workers, in total six workers are started (three for each host).

Default: 1