Kibana Fleet APIs
You can find details for all available Fleet API endpoints in our generated Fleet API docs. This documentation is experimental and may be incomplete or change later.
The main source of truth for the Fleet API can be found in the self-contained spec file that you can use to generate docs using Swagger or a similar tool. For more information, refer to the Fleet OpenAPI readme.
In this section, we provide examples of some commonly used Fleet APIs.
Using the Console
You can run Fleet API requests through the Kibana Console.
- Open the Kibana menu and go to Management → Dev Tools.
- In your request, prepend your Fleet API endpoint with kbn:, for example: GET kbn:/api/fleet/agent_policies
For more detail about using the Kibana Console refer to Run API requests.
Authentication
Authentication is required to send Fleet API requests. For more information, refer to Authentication.
Create agent policy
To create a new agent policy in Fleet, call POST /api/fleet/agent_policies.
This cURL example creates an agent policy called Agent policy 1 in the default namespace.
```shell
curl --request POST \
  --url 'https://my-kibana-host:9243/api/fleet/agent_policies?sys_monitoring=true' \
  --header 'Accept: */*' \
  --header 'Authorization: ApiKey yourbase64encodedkey' \
  --header 'Cache-Control: no-cache' \
  --header 'Connection: keep-alive' \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: xxx' \
  --data '{
  "name": "Agent policy 1",
  "description": "",
  "namespace": "default",
  "monitoring_enabled": [
    "logs",
    "metrics"
  ]
}'
```
Example response:
```json
{
  "item": {
    "id": "2b820230-4b54-11ed-b107-4bfe66d759e4",
    "name": "Agent policy 1",
    "description": "",
    "namespace": "default",
    "monitoring_enabled": [
      "logs",
      "metrics"
    ],
    "status": "active",
    "is_managed": false,
    "revision": 1,
    "updated_at": "2022-10-14T00:07:19.763Z",
    "updated_by": "1282607447",
    "schema_version": "1.0.0"
  }
}
```
Create integration policy
To create an integration policy (also known as a package policy) and add it to an existing agent policy, call POST /api/fleet/package_policies.
You can use the Fleet API to Create and customize an Elastic Defend policy.
This cURL example creates an integration policy for Nginx and adds it to the agent policy created in the previous example:
```shell
curl --request POST \
  --url 'https://my-kibana-host:9243/api/fleet/package_policies' \
  --header 'Authorization: ApiKey yourbase64encodedkey' \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: xx' \
  --data '{
  "name": "nginx-demo-123",
  "policy_id": "2b820230-4b54-11ed-b107-4bfe66d759e4",
  "package": {
    "name": "nginx",
    "version": "1.5.0"
  },
  "inputs": {
    "nginx-logfile": {
      "streams": {
        "nginx.access": {
          "vars": {
            "tags": [
              "test"
            ]
          }
        },
        "nginx.error": {
          "vars": {
            "tags": [
              "test"
            ]
          }
        }
      }
    }
  }
}'
```
Example response (truncated for readability):
```json
{
  "item" : {
    "created_at" : "2022-10-15T00:41:28.594Z",
    "created_by" : "1282607447",
    "enabled" : true,
    "id" : "92f33e57-3165-4dcd-a1d5-f01c8ffdcbcd",
    "inputs" : [
      {
        "enabled" : true,
        "policy_template" : "nginx",
        "streams" : [
          {
            "compiled_stream" : {
              "exclude_files" : [ ".gz$" ],
              "ignore_older" : "72h",
              "paths" : [ "/var/log/nginx/access.log*" ],
              "processors" : [ { "add_locale" : null } ],
              "tags" : [ "test" ]
            },
            "data_stream" : { "dataset" : "nginx.access", "type" : "logs" },
            "enabled" : true,
            "id" : "logfile-nginx.access-92f33e57-3165-4dcd-a1d5-f01c8ffdcbcd",
            "release" : "ga",
            "vars" : {
              "ignore_older" : { "type" : "text", "value" : "72h" },
              "paths" : { "type" : "text", "value" : [ "/var/log/nginx/access.log*" ] },
              "preserve_original_event" : { "type" : "bool", "value" : false },
              "processors" : { "type" : "yaml" },
              "tags" : { "type" : "text", "value" : [ "test" ] }
            }
          },
          {
            "compiled_stream" : {
              "exclude_files" : [ ".gz$" ],
              "ignore_older" : "72h",
              "multiline" : {
                "match" : "after",
                "negate" : true,
                "pattern" : "^\\d{4}\\/\\d{2}\\/\\d{2} "
              },
              "paths" : [ "/var/log/nginx/error.log*" ],
              "processors" : [ { "add_locale" : null } ],
              "tags" : [ "test" ]
            },
            "data_stream" : { "dataset" : "nginx.error", "type" : "logs" },
            "enabled" : true,
            "id" : "logfile-nginx.error-92f33e57-3165-4dcd-a1d5-f01c8ffdcbcd",
            "release" : "ga",
            "vars" : {
              "ignore_older" : { "type" : "text", "value" : "72h" },
              "paths" : { "type" : "text", "value" : [ "/var/log/nginx/error.log*" ] },
              "preserve_original_event" : { "type" : "bool", "value" : false },
              "processors" : { "type" : "yaml" },
              "tags" : { "type" : "text", "value" : [ "test" ] }
            }
          }
        ],
        "type" : "logfile"
      },
      ...
      {
        "enabled" : true,
        "policy_template" : "nginx",
        "streams" : [
          {
            "compiled_stream" : {
              "hosts" : [ "http://127.0.0.1:80" ],
              "metricsets" : [ "stubstatus" ],
              "period" : "10s",
              "server_status_path" : "/nginx_status"
            },
            "data_stream" : { "dataset" : "nginx.stubstatus", "type" : "metrics" },
            "enabled" : true,
            "id" : "nginx/metrics-nginx.stubstatus-92f33e57-3165-4dcd-a1d5-f01c8ffdcbcd",
            "release" : "ga",
            "vars" : {
              "period" : { "type" : "text", "value" : "10s" },
              "server_status_path" : { "type" : "text", "value" : "/nginx_status" }
            }
          }
        ],
        "type" : "nginx/metrics",
        "vars" : {
          "hosts" : { "type" : "text", "value" : [ "http://127.0.0.1:80" ] }
        }
      }
    ],
    "name" : "nginx-demo-123",
    "namespace" : "default",
    "package" : { "name" : "nginx", "title" : "Nginx", "version" : "1.5.0" },
    "policy_id" : "d625b2e0-4c21-11ed-9426-31f0877749b7",
    "revision" : 1,
    "updated_at" : "2022-10-15T00:41:28.594Z",
    "updated_by" : "1282607447",
    "version" : "WzI5OTAsMV0="
  }
}
```
Get enrollment tokens
To get a list of valid enrollment tokens from Fleet, call GET /api/fleet/enrollment_api_keys.
This cURL example returns a list of enrollment tokens.
```shell
curl --request GET \
  --url 'https://my-kibana-host:9243/api/fleet/enrollment_api_keys' \
  --header 'Authorization: ApiKey N2VLRDA0TUJIQ05MaGYydUZrN1Y6d2diMUdwSkRTWGFlSm1rSVZlc2JGQQ==' \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: xx'
```
Example response (formatted for readability):
```json
{
  "items" : [
    {
      "active" : true,
      "api_key" : "QlN2UaA0TUJlMGFGbF8IVkhJaHM6eGJjdGtyejJUUFM0a0dGSwlVSzdpdw==",
      "api_key_id" : "BSvR04MBe0aFl_HVHIhs",
      "created_at" : "2022-10-14T00:07:21.420Z",
      "id" : "39703af4-5945-4232-90ae-3161214512fa",
      "name" : "Default (39703af4-5945-4232-90ae-3161214512fa)",
      "policy_id" : "2b820230-4b54-11ed-b107-4bfe66d759e4"
    },
    {
      "active" : true,
      "api_key" : "Yi1MSTA2TUJIQ05MaGYydV9kZXQ5U2dNWFkyX19sWEdSemFQOUfzSDRLZw==",
      "api_key_id" : "b-LI04MBHCNLhf2u_det",
      "created_at" : "2022-10-13T23:58:29.266Z",
      "id" : "e4768bf2-55a6-433f-a540-51d4ca2d34be",
      "name" : "Default (e4768bf2-55a6-433f-a540-51d4ca2d34be)",
      "policy_id" : "ee37a8e0-4b52-11ed-b107-4bfe66d759e4"
    },
    {
      "active" : true,
      "api_key" : "b3VLbjA0TUJIQ04MaGYydUk1Z3Q6VzhMTTBITFRTmnktRU9IWDaXWnpMUQ==",
      "api_key_id" : "luKn04MBHCNLhf2uI5d4",
      "created_at" : "2022-10-13T23:21:30.707Z",
      "id" : "d18d2918-bb10-44f2-9f98-df5543e21724",
      "name" : "Default (d18d2918-bb10-44f2-9f98-df5543e21724)",
      "policy_id" : "c3e31e80-4b4d-11ed-b107-4bfe66d759e4"
    },
    {
      "active" : true,
      "api_key" : "V3VLRTa0TUJIQ05MaGYydVMx4S06WjU5dsZ3YzVRSmFUc5xjSThImi1ydw==",
      "api_key_id" : "WuKE04MBHCNLhf2uS1E-",
      "created_at" : "2022-10-13T22:43:27.139Z",
      "id" : "aad31121-df89-4f57-af84-7c43f72640ee",
      "name" : "Default (aad31121-df89-4f57-af84-7c43f72640ee)",
      "policy_id" : "72fcc4d0-4b48-11ed-b107-4bfe66d759e4"
    }
  ],
  "page" : 1,
  "perPage" : 20,
  "total" : 4
}
```
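Each item in this response carries the enrollment token itself in api_key, so the raw response should not be written to logs. The following added example (not part of the Elastic documentation) audits a response of this shape, reporting tokens by id and policy without the secret and flagging active tokens older than a threshold. The function name, the 30-day threshold, and the sample data are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the enrollment_api_keys response above;
# ids and api_key values are placeholders, not real tokens.
SAMPLE_RESPONSE = json.dumps({
    "items": [
        {"active": True, "api_key": "PLACEHOLDER-TOKEN-A", "api_key_id": "key-id-a",
         "created_at": "2022-10-14T00:07:21.420Z", "id": "token-a",
         "name": "Default (token-a)", "policy_id": "policy-1"},
        {"active": True, "api_key": "PLACEHOLDER-TOKEN-B", "api_key_id": "key-id-b",
         "created_at": "2022-07-01T12:00:00.000Z", "id": "token-b",
         "name": "Default (token-b)", "policy_id": "policy-2"},
        {"active": False, "api_key": "PLACEHOLDER-TOKEN-C", "api_key_id": "key-id-c",
         "created_at": "2022-01-05T08:30:00.000Z", "id": "token-c",
         "name": "Default (token-c)", "policy_id": "policy-2"},
    ],
    "page": 1, "perPage": 20, "total": 3,
})


def audit_enrollment_tokens(response_text, now, max_age_days=30):
    """Return (redacted_rows, stale_ids) for an enrollment_api_keys response."""
    body = json.loads(response_text)
    items = body.get("items", [])
    # A partial page would silently hide tokens from the audit, so refuse it.
    if body.get("total", len(items)) > len(items):
        raise ValueError("response is paginated; fetch remaining pages first")
    rows, stale = [], []
    for item in items:
        created = datetime.strptime(item["created_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
        age = now - created.replace(tzinfo=timezone.utc)
        # Rows deliberately omit api_key so they are safe to log or export.
        rows.append({
            "id": item["id"], "policy_id": item["policy_id"],
            "active": item["active"], "age_days": age.days,
        })
        # Assumed policy: an active token older than max_age_days is stale.
        if item["active"] and age > timedelta(days=max_age_days):
            stale.append(item["id"])
    return rows, stale


if __name__ == "__main__":
    audit_time = datetime(2022, 10, 15, tzinfo=timezone.utc)  # constructed
    print(audit_enrollment_tokens(SAMPLE_RESPONSE, audit_time))
```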