Remote Elasticsearch output


Beginning in version 8.12.0, you can send Elastic Agent data to a remote Elasticsearch cluster. This is especially useful for data that you want to keep separate and independent from the deployment where you use Fleet to manage the agents.

A remote Elasticsearch cluster supports the same output settings as your main Elasticsearch cluster.

A bug has been found that causes Elastic Defend response actions to stop working when a remote Elasticsearch output is configured for an agent. This bug is currently being investigated and is expected to be resolved in an upcoming release.

Using a remote Elasticsearch output with a target cluster that has traffic filters enabled is not currently supported.

To configure a remote Elasticsearch cluster for your Elastic Agent data:

  1. In Fleet, open the Settings tab.
  2. In the Outputs section, select Add output.
  3. In the Add new output flyout, provide a name for the output and select Remote Elasticsearch as the output type.
  4. In the Hosts field, add the URL that agents should use to access the remote Elasticsearch cluster.

    1. To find the remote host address, in the remote cluster open Kibana and go to Management → Fleet → Settings.
    2. Copy the Hosts value for the default output.
    3. Back in your main cluster, paste the value you copied into the output Hosts field.
  5. Create a service token to access the remote cluster.

    1. Below the Service Token field, copy the API request.
    2. In the remote cluster, open the Kibana menu and go to Management → Dev Tools.
    3. Run the API request.
    4. Copy the value for the generated token.
    5. Back in your main cluster, paste the value you copied into the output Service Token field.

      To prevent unauthorized access, the Elasticsearch service token is stored as a secret value. While secret storage is recommended, you can choose to override this setting and store the token as plain text in the agent policy definition. Secret storage requires Fleet Server version 8.12 or higher. This setting can also be stored as a secret value or as plain text for preconfigured outputs. See Preconfiguration settings in the Kibana Guide to learn more.

  6. Choose whether or not the remote output should be the default for agent integrations or for agent monitoring data. When set, Elastic Agents use this output to send data if no other output is set in the agent policy.
  7. Select the performance tuning preset that optimizes Elastic Agent for throughput, scale, or latency, or leave the default balanced setting.
  8. Add any advanced YAML configuration settings that you’d like for the output.
  9. Click Save and apply settings.

After the output is created, you can update an Elastic Agent policy to use the new remote Elasticsearch cluster:

  1. In Fleet, open the Agent policies tab.
  2. Click the agent policy to edit it, then click Settings.
  3. To send integrations data, set the Output for integrations option to use the output that you configured in the previous steps.
  4. To send Elastic Agent monitoring data, set the Output for agent monitoring option to use the output that you configured in the previous steps.
  5. Click Save changes.

The remote Elasticsearch cluster is now configured.
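The two procedures above (creating the remote output, then pointing an agent policy at it) can also be expressed as Fleet API requests. The following Python helper is an added example, not code from the Elastic documentation: it builds the request bodies and enforces the safer choices the steps describe (an https host without embedded credentials, the service token kept in secret storage unless plain text is explicitly requested). It assumes the Fleet API endpoints `POST /api/fleet/outputs` and `PUT /api/fleet/agent_policies/<id>` and the field names `type`, `hosts`, `secrets.service_token`, `preset`, `config_yaml`, `data_output_id` and `monitoring_output_id`; verify these against the Fleet API reference for your Kibana version.

```python
from urllib.parse import urlparse

# Assumed Fleet performance preset names (the UI offers balanced, throughput, scale, latency).
PRESETS = {"balanced", "throughput", "scale", "latency", "custom"}


def _check_host(url: str) -> str:
    """Accept only an https URL with a hostname and no credentials in the URL."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"remote host must be an https URL: {url!r}")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the Hosts URL; use the service token")
    return url


def remote_output_request(name, hosts, service_token, *, default_data=False,
                          default_monitoring=False, preset="balanced",
                          config_yaml="", store_token_as_secret=True):
    """Return (method, path, body) for the 'Add output' flyout as an API call.
    The token goes under 'secrets' (secret storage, Fleet Server >= 8.12)
    unless the caller explicitly opts into plain-text storage."""
    if preset not in PRESETS:
        raise ValueError(f"unknown performance preset {preset!r}")
    body = {
        "name": name,
        "type": "remote_elasticsearch",          # assumed output type identifier
        "hosts": [_check_host(h) for h in hosts],
        "is_default": default_data,              # default for integrations data
        "is_default_monitoring": default_monitoring,
        "preset": preset,
    }
    if config_yaml:
        body["config_yaml"] = config_yaml        # advanced YAML settings
    if store_token_as_secret:
        body["secrets"] = {"service_token": service_token}
    else:
        body["service_token"] = service_token    # plain text in the policy definition
    return "POST", "/api/fleet/outputs", body


def policy_update_request(policy_id, output_id, *, integrations=True, monitoring=True):
    """Return (method, path, body) selecting output_id for an agent policy's
    integrations data and/or monitoring data (only the changed fields shown)."""
    body = {}
    if integrations:
        body["data_output_id"] = output_id
    if monitoring:
        body["monitoring_output_id"] = output_id
    if not body:
        raise ValueError("select at least one of integrations or monitoring")
    return "PUT", f"/api/fleet/agent_policies/{policy_id}", body
```

The Fleet API may require the full policy document on `PUT`; merge the returned body into the existing policy before sending it.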

As a final step before using the remote Elasticsearch output, you need to make sure that for any integrations that have been added to your Elastic Agent policy, the integration assets have been installed on the remote Elasticsearch cluster. Refer to Install and uninstall Elastic Agent integration assets for the steps.