---
title: Remote Elasticsearch output
description: Remote ES output allows you to send agent data to a remote cluster, keeping data separate and independent from the deployment where you use Fleet.
url: https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/remote-elasticsearch-output
products:
  - Elastic Agent
  - Fleet
applies_to:
  - Elastic Cloud Serverless: Unavailable
  - Elastic Stack: Generally available
---

# Remote Elasticsearch output
Remote Elasticsearch outputs allow you to send Elastic Agent data to a remote Elasticsearch cluster. This is especially useful for data that you want to keep separate and independent from the deployment where you use Fleet to manage the Elastic Agents.
A remote Elasticsearch cluster supports the same [output settings](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/es-output-settings) as your management Elasticsearch cluster.

## Limitations

These limitations apply to remote Elasticsearch output:
- All Fleet Server hosts that are configured for the remote output must be able to reach the remote Elasticsearch cluster with a service token to generate API keys for the Elastic Agents that use the remote output for data ingestion.
- Using a remote Elasticsearch output with a target cluster that has [network security](https://www.elastic.co/elastic/docs-builder/docs/3016/deploy-manage/security/network-security) enabled is not currently supported.
- Using Elastic Defend when a remote Elasticsearch output is configured for an Elastic Agent is not currently supported.


## Configure the remote output

To configure a remote Elasticsearch cluster for your Elastic Agent data:
<stepper>
  <step title="Create a new remote output">
    1. In your management Elasticsearch cluster, open Kibana, and search for **Fleet settings** in the search bar. Select **Fleet/Settings** in the results.
    2. In the **Outputs** section, select **Add output**.
    3. In the **Add new output** flyout, provide a name for the output.
    4. Select **Remote Elasticsearch** as the output type.
  </step>

  <step title="Add remote cluster host URL">
    In the **Hosts** field, add the URL that Elastic Agents should use to access the remote Elasticsearch cluster.
    <dropdown title="Find the remote host address of the remote cluster">
      1. In the remote cluster, open Kibana, and search for **Fleet settings** in the search bar. Select **Fleet/Settings** in the results.
      2. In the **Outputs** section, copy the `Hosts` value of the default Elasticsearch output. If the value isn't fully visible, edit the default Elasticsearch output to display the full value.
      3. In your management cluster, paste the value you copied into the **Hosts** field of the remote output configuration.
    </dropdown>
  </step>

  <step title="Configure service token authentication">
    In the **Service Token** field, add a service token to access the remote cluster.
    <dropdown title="Create a service token to access the remote cluster">
      1. Copy the API request located below the **Service Token** field.
      2. In the remote cluster, open the Kibana menu, then go to **Management** → **Dev Tools** in self-managed deployments, or to **Developer tools** in Elastic Cloud deployments.
      3. Paste the API request in the console, then run it.
      4. Copy the value for the generated service token.
      5. In the management cluster, paste the value you copied into the **Service Token** field of the remote output configuration.
    </dropdown>

    <note>
      To prevent unauthorized access, the Elasticsearch service token is stored as a secret value. While secret storage is recommended, you can override this setting and store the password as plain text in the agent policy definition. Secret storage requires Fleet Server version 8.12 or later. This setting can also be stored as a secret value or as plain text for preconfigured outputs. To learn more about this option, check [Preconfiguration settings](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/kibana/configuration-reference/fleet-settings#_preconfiguration_settings_for_advanced_use_cases).
    </note>
  </step>

  <step title="Configure SSL certificate authorities (optional)">
    Configure SSL certificate authorities if the remote Elasticsearch cluster uses certificates that are not publicly trusted. The certificate authority (CA) is used to sign the remote Elasticsearch cluster's SSL certificate. This allows Fleet Server to validate the remote cluster's certificate.
    <applies-switch>
      <applies-item title="stack: ga 9.1" applies-to="Elastic Stack: Generally available since 9.1">
        Expand the **Authentication** section, and in the **Server SSL certificate authorities** field, enter the path to the CA certificate or paste the certificate content directly.
      </applies-item>

      <applies-item title="stack: ga =9.0" applies-to="Elastic Stack: Generally available in 9.0">
        Add the SSL certificate authorities in the **Advanced YAML configuration** section. For example:
        ```yaml
        ssl:
          certificate_authorities: ["/path/to/ca.pem"]
        ```
        Alternatively, you can embed the CA certificate directly in the YAML configuration:
        ```yaml
        ssl:
          certificate_authorities:
          - |
            -----BEGIN CERTIFICATE-----
            MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
            ...
            -----END CERTIFICATE-----
        ```
      </applies-item>
    </applies-switch>
  </step>

  <step title="Configure mutual TLS (optional)">
    If your remote Elasticsearch cluster requires mutual TLS (mTLS) authentication, configure the client certificate and key.
    <applies-switch>
      <applies-item title="stack: ga 9.1" applies-to="Elastic Stack: Generally available since 9.1">
        Expand the **Authentication** section to configure mTLS settings:
        - **Client SSL certificate**: Enter the path to the client certificate that the Elastic Agents will use to authenticate with the remote cluster, or paste the certificate content directly.
        - **Client SSL certificate key**: Enter the path to the private key associated with the client certificate, or paste the private key content directly.
      </applies-item>

      <applies-item title="stack: ga =9.0" applies-to="Elastic Stack: Generally available in 9.0">
        Add the client certificate settings in the **Advanced YAML configuration** section. For example:
        ```yaml
        ssl:
          certificate: "/path/to/client-cert.pem"
          key: "/path/to/client-cert.key"
        ```
        Alternatively, you can embed the certificate and key directly in the YAML configuration:
        ```yaml
        ssl:
          certificate: |
            -----BEGIN CERTIFICATE-----
            MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
            ...
            -----END CERTIFICATE-----
          key: |
            -----BEGIN PRIVATE KEY-----
            MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
            ...
            -----END PRIVATE KEY-----
        ```
      </applies-item>
    </applies-switch>
    For more information about TLS configuration options, refer to [One-way and mutual TLS certifications flow → Output SSL options](/elastic/docs-builder/docs/3016/reference/fleet/tls-overview#output-ssl-options).
  </step>

  <step title="Configure output preferences">
    1. <applies-to>Elastic Stack: Generally available since 9.1</applies-to> Choose whether integrations should be automatically synchronized on the remote Elasticsearch cluster. To configure this feature, refer to [Automatic integrations synchronization](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/automatic-integrations-synchronization).
       <note>
       Automatic integrations synchronization is available only for certain subscription levels. For more information, check **Fleet Multi-Cluster support** on the [Elastic subscriptions](https://www.elastic.co/subscriptions) page.
       </note>
    2. Choose whether the remote output should be the default for agent integrations or for agent monitoring data. When set as the default, Elastic Agents use this output to send data if no other output is set in the [agent policy](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/agent-policy).
    3. Select the [performance tuning settings](/elastic/docs-builder/docs/3016/reference/fleet/es-output-settings#es-output-settings-performance-tuning-settings) to optimize Elastic Agents for throughput, scale, or latency, or leave the default `balanced` setting.
    4. <applies-to>Elastic Stack: Preview since 9.2</applies-to> Choose whether Elastic Agents using this output should send data to [wired streams](/elastic/docs-builder/docs/3016/solutions/observability/streams/streams#streams-wired-streams). Using this feature requires additional steps. For more details, refer to [Ship data to streams → Fleet](/elastic/docs-builder/docs/3016/solutions/observability/streams/wired-streams#streams-wired-streams-ship).
  </step>

  <step title="Configure advanced settings (optional)">
    Add any [advanced YAML configuration settings](/elastic/docs-builder/docs/3016/reference/fleet/es-output-settings#es-output-settings-yaml-config) that you'd like for the remote output.
  </step>

  <step title="Save the output configuration">
    Click **Save and apply settings**.
  </step>
</stepper>


## Use the remote Elasticsearch output

After creating the output, update an Elastic Agent policy to use it and send data to the remote Elasticsearch cluster:
1. In the management cluster, go to **Fleet**, then open the **Agent policies** tab.
2. Click the agent policy you want to update, then click **Settings**.
3. To send integrations data, set the **Output for integrations** option to use the output that you configured in the previous steps.
4. To send Elastic Agent monitoring data, set the **Output for agent monitoring** option to use the output that you configured in the previous steps.
5. Click **Save changes**.

The remote Elasticsearch output is now configured for the remote cluster.
If you choose not to synchronize integrations automatically, you need to ensure that for any integrations [added to your Elastic Agent policy](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/add-integration-to-policy), you also install the integration assets on the remote Elasticsearch cluster. For detailed steps on this process, refer to [Install and uninstall Elastic Agent integration assets](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/install-uninstall-integration-assets).

## Remote output health status

Fleet Server requires connectivity to the remote cluster to generate API keys for Elastic Agents. When you use a remote Elasticsearch output, Fleet Server tests whether it can reach the remote cluster. The result determines whether the remote output is reported as healthy or unhealthy in the **Status** column for the output on the **Fleet** → **Settings** page.
If you have multiple Fleet Server instances, each Fleet Server tests connectivity to all remote Elasticsearch outputs. If the Fleet Server instances have different network scopes, some of them might not be able to reach a certain remote output. In this case, the remote output will display as unhealthy in the UI with an `Unable to connect` error. You can ignore this status as long as the Fleet Server instance that manages the Elastic Agents using that remote output has connectivity to the remote cluster.