- Fleet and Elastic Agent Guide: other versions:
- Fleet and Elastic Agent overview
- Beats and Elastic Agent capabilities
- Quick starts
- Migrate from Beats to Elastic Agent
- Deployment models
- Install Elastic Agents
- Install Fleet-managed Elastic Agents
- Install standalone Elastic Agents
- Install Elastic Agents in a containerized environment
- Run Elastic Agent in a container
- Run Elastic Agent on Kubernetes managed by Fleet
- Install Elastic Agent on Kubernetes using Helm
- Example: Install standalone Elastic Agent on Kubernetes using Helm
- Example: Install Fleet-managed Elastic Agent on Kubernetes using Helm
- Advanced Elastic Agent configuration managed by Fleet
- Configuring Kubernetes metadata enrichment on Elastic Agent
- Run Elastic Agent on GKE managed by Fleet
- Run Elastic Agent on Amazon EKS managed by Fleet
- Run Elastic Agent on Azure AKS managed by Fleet
- Run Elastic Agent Standalone on Kubernetes
- Scaling Elastic Agent on Kubernetes
- Using a custom ingest pipeline with the Kubernetes Integration
- Environment variables
- Run Elastic Agent as an OTel Collector
- Run Elastic Agent without administrative privileges
- Install Elastic Agent from an MSI package
- Installation layout
- Air-gapped environments
- Using a proxy server with Elastic Agent and Fleet
- Uninstall Elastic Agents from edge hosts
- Start and stop Elastic Agents on edge hosts
- Elastic Agent configuration encryption
- Secure connections
- Manage Elastic Agents in Fleet
- Configure standalone Elastic Agents
- Create a standalone Elastic Agent policy
- Structure of a config file
- Inputs
- Providers
- Outputs
- SSL/TLS
- Logging
- Feature flags
- Agent download
- Config file examples
- Grant standalone Elastic Agents access to Elasticsearch
- Example: Use standalone Elastic Agent with Elastic Cloud Serverless to monitor nginx
- Example: Use standalone Elastic Agent with Elasticsearch Service to monitor nginx
- Debug standalone Elastic Agents
- Kubernetes autodiscovery with Elastic Agent
- Monitoring
- Reference YAML
- Manage integrations
- Package signatures
- Add an integration to an Elastic Agent policy
- View integration policies
- Edit or delete an integration policy
- Install and uninstall integration assets
- View integration assets
- Set integration-level outputs
- Upgrade an integration
- Managed integrations content
- Best practices for integration assets
- Data streams
- Define processors
- Processor syntax
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_cef
- decode_csv_fields
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- parse_aws_vpc_flow_log
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- timestamp
- translate_sid
- truncate_fields
- urldecode
- Command reference
- Troubleshoot
- Release notes
Scenario 1: Apply an ILM policy to all data streams generated from Fleet integrations across all namespaces
editScenario 1: Apply an ILM policy to all data streams generated from Fleet integrations across all namespaces
editThis tutorial uses a logs@custom and a metrics@custom component template which are available in versions 8.13 and later.
For versions later than 8.4 and earlier than 8.13, you instead need to use the <integration prefix>@custom component template and add the ILM policy to that template.
This needs to be done for every newly added integration.
Mappings and settings for data streams can be customized through the creation of *@custom component templates, which are referenced by the index templates created by each integration.
The easiest way to configure a custom index lifecycle policy per data stream is to edit this template.
This tutorial explains how to apply a custom index lifecycle policy to all of the data streams associated with the System integration, as an example.
Similar steps can be used for any other integration.
Setting a custom index lifecycle policy must be done separately for all logs and for all metrics, as described in the following steps.
Step 1: Create an index lifecycle policy
edit- To open Lifecycle Policies, find Stack Management in the main menu or use the global search field.
- Click Create policy.
Name your new policy.
For this tutorial, you can use my-ilm-policy.
Customize the policy to your liking, and when you’re done, click Save policy.
Step 2: Create a component template for the logs index templates
editThe Index Templates view in Kibana shows you all of the index templates available to automatically apply settings, mappings, and aliases to indices:
- To open Index Management, find Stack Management in the main menu or use the global search field.
- Select Index Templates.
-
Search for
systemto see all index templates associated with the System integration. -
Select any
logs-*index template to view the associated component templates. For example, you can select thelogs-system.applicationindex template.
-
Select
logs@customin the list to view the component template properties. - For a newly added integration, the component template won’t exist yet. Select Create component template to create it. If the component template already exists, click Manage to update it.
- On the Logistics page, keep all defaults and click Next.
-
On the Index settings page, in the Index settings field, specify the ILM policy that you created. For example:
{ "index": { "lifecycle": { "name": "my-ilm-policy" } } }
- Click Next.
- For both the Mappings and Aliases pages, keep all defaults and click Next.
-
Finally, on the Review page, review the summary and request. If everything looks good, select Create component template.
Step 3: Roll over the data streams (optional)
editTo confirm that the index template is using the logs@custom component template with your custom ILM policy:
- Reopen the Index Management page and open the Component Templates tab.
-
Search for
logs@and select thelogs@customcomponent template. - The Summary shows the list of all data streams that use the component template, and the Settings view shows your newly configured ILM policy.
New ILM policies only take effect when new indices are created, so you either must wait for a rollover to occur (usually after 30 days or when the index size reaches 50 GB), or force a rollover of each data stream using the https://www.elastic.co/guide/en/elasticsearch/reference/8.17/indices-rollover-index.html[Elasticsearch rollover API.
For example:
POST /logs-system.auth/_rollover/
Step 4: Repeat these steps for the metrics data streams
editYou’ve now applied a custom index lifecycle policy to all of the logs-* data streams in the System integration.
For the metrics data streams, you can repeat steps 2 and 3, using a metrics-* index template and the metrics@custom component template.
On this page