Loading

How to deploy Elastic Agent

Stack

This guide provides comprehensive information about deploying Elastic Agent, including configuration flags, environment variables, mutual TLS (mTLS) setup, and best practices for managing configuration through policies versus command-line interface (CLI).

For platform-specific installation instructions, refer to:

Before deploying Elastic Agent, ensure you have:

  • A running Fleet Server accessible to your Elastic Agent
  • An enrollment token from Fleet for the agent policy you want to use
  • TLS certificates (if Fleet Server uses custom certificates)
  • Network connectivity between Elastic Agent and Fleet Server, and between Elastic Agent and output destinations (Elasticsearch, Logstash, and so on)

For more information about prerequisites, refer to the platform-specific installation guides listed above.

Elastic Agent requires configuration for two main connection types:

The following sections organize all configuration flags and environment variables by connection type.

These settings configure how Elastic Agent connects to Fleet Server.

The following CLI flags are available for configuring the connection from Elastic Agent to Fleet Server:

Flag Purpose Required Can be overridden by policy?
--url Fleet Server URL to enroll into Yes No - must be CLI or environment variable
--enrollment-token Enrollment token for the agent policy Yes No - must be CLI or environment variable
--certificate-authorities CA certificates to validate Fleet Server certificate Optional* Yes - configured in Fleet settings
--ca-sha256 SHA-256 fingerprint of CA for certificate pinning Optional* No - must be CLI
--elastic-agent-cert Client certificate for mTLS connection to Fleet Server Optional (mTLS only) Yes - configured in Fleet settings
--elastic-agent-cert-key Private key for mTLS client certificate Optional (mTLS only) Yes - configured in Fleet settings
--elastic-agent-cert-key-passphrase Path to passphrase file for encrypted private key Optional Yes - configured in Fleet settings
--insecure Deactivate certificate verification (not recommended) No - not recommended No - must be CLI or environment variable
--id Unique agent identifier Optional No - must be CLI or environment variable
--replace-token Token to replace an existing agent with same ID Optional No - must be CLI or environment variable
--tag Comma-separated list of tags for the agent Optional No - must be CLI or environment variable
--proxy-url Proxy URL for Fleet Server connections Optional Yes - configured in agent policy
--proxy-disabled Deactivate proxy support Optional No - must be CLI
--proxy-header Additional headers for proxy CONNECT requests Optional No - must be CLI

* Required if Fleet Server uses certificates signed by a private or intermediate CA not publicly trusted

You can also configure the connection using environment variables instead of CLI flags:

Environment variable Purpose CLI flag equivalent Can be overridden by policy?
FLEET_URL Fleet Server URL --url No - must be CLI or environment variable
FLEET_ENROLLMENT_TOKEN Enrollment token --enrollment-token No - must be CLI or environment variable
FLEET_CA Path to CA certificate --certificate-authorities Yes - configured in Fleet settings
ELASTIC_AGENT_CERT Path to client certificate for mTLS --elastic-agent-cert Yes - configured in Fleet settings
ELASTIC_AGENT_CERT_KEY Path to private key for mTLS --elastic-agent-cert-key Yes - configured in Fleet settings
ELASTIC_AGENT_CERT_KEY_PASSPHRASE Path to passphrase file --elastic-agent-cert-key-passphrase Yes - configured in Fleet settings
FLEET_INSECURE Deactivate certificate verification --insecure No - must be CLI or environment variable
ELASTIC_AGENT_ID Unique agent identifier --id No - must be CLI or environment variable
FLEET_REPLACE_TOKEN Token to replace existing agent --replace-token No - must be CLI or environment variable
ELASTIC_AGENT_TAGS Comma-separated tags --tag No - must be CLI or environment variable

For one-way TLS (Elastic Agent validates Fleet Server certificate, but Fleet Server does not validate Elastic Agent certificate), use the following command:

elastic-agent install \
  --url=https://fleet-server:8220 \
  --enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== \
  --certificate-authorities=/path/to/fleet-ca.crt

For mutual TLS (both Elastic Agent and Fleet Server validate each other's certificates), use the following command:

elastic-agent install \
  --url=https://fleet-server:8220 \
  --enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== \
  --certificate-authorities=/path/to/fleet-ca.crt \
  --elastic-agent-cert=/path/to/agent-client.crt \
  --elastic-agent-cert-key=/path/to/agent-client.key
Note

When using mTLS between Elastic Agent and Fleet Server, the Fleet Server must be configured with --fleet-server-client-auth=required (or optional) and the corresponding CA certificates. For more information, refer to How to deploy Fleet Server.

These settings configure how Elastic Agent sends data to output destinations (Elasticsearch, Logstash, Kafka, and so on).

Output configuration for Fleet-managed Elastic Agents is primarily managed through Fleet settings and agent policies, not CLI flags. However, some settings can be configured using environment variables for containerized deployments.

The following environment variables can be used for output configuration:

Environment variable Purpose Can be overridden by policy?
ELASTICSEARCH_HOST Elasticsearch host URL Yes - configured in Elasticsearch output
ELASTICSEARCH_USERNAME Basic authentication username Yes - configured in Elasticsearch output
ELASTICSEARCH_PASSWORD Basic authentication password Yes - configured in Elasticsearch output
ELASTICSEARCH_API_KEY API key for authentication Yes - configured in Elasticsearch output
ELASTICSEARCH_CA Path to CA certificate Yes - configured in Elasticsearch output
Note

Environment variables are typically used for containerized deployments or when using the env provider to reference values in policies.

For standalone Elastic Agents, output configuration is done in the elastic-agent.yml file. For more information, refer to Configure outputs for standalone Elastic Agents.

For one-way TLS (Elastic Agent validates the output's certificate, but the output does not validate Elastic Agent's certificate), configure the following:

In Fleet settings (Elasticsearch output):

  • Configure the output host URL

  • Add CA certificate in Elasticsearch CA trusted fingerprint or advanced YAML configuration:

    ssl.certificate_authorities: ["/path/to/es-ca.crt"]

Using environment variables (containerized deployments):

ELASTICSEARCH_HOST=https://elasticsearch:9200
ELASTICSEARCH_CA=/path/to/es-ca.crt

For mutual TLS (both Elastic Agent and output validate each other's certificates), configure the following:

In Fleet settings (Elasticsearch output - advanced YAML configuration):

ssl.certificate_authorities:
  - /path/to/es-ca.crt
ssl.certificate: /path/to/agent-client.crt
ssl.key: /path/to/agent-client.key
Important

When configuring mTLS for Elastic Agent to Elasticsearch connections:

  • The certificate and key paths must be available on all hosts running Elastic Agents. Alternatively, you can embed the certificates directly in the YAML configuration.
  • The CA used to sign the agent certificate must be trusted by Elasticsearch.

For more information, refer to Mutual TLS connection and Output SSL options.

For Elastic Agent to Logstash connections, configure the output in Fleet settings as follows:

  • Configure the Logstash host URL

  • Configure TLS settings if required. For one-way TLS, only include ssl.certificate_authorities. For mutual TLS, also include ssl.certificate and ssl.key:

    ssl.certificate_authorities:
  - /path/to/logstash-ca.crt
ssl.certificate: /path/to/agent-client.crt
ssl.key: /path/to/agent-client.key

For more information, refer to Configure Logstash output and Secure Logstash connections.

Understanding what can be configured using policy and what must be provided using CLI or environment variables is crucial for managing Elastic Agent deployments.

The following settings cannot be overridden by policy and must be provided during enrollment:

  • Fleet Server URL: --url or FLEET_URL
  • Enrollment token: --enrollment-token or FLEET_ENROLLMENT_TOKEN
  • Agent ID: --id or ELASTIC_AGENT_ID (if specified)
  • Replace token: --replace-token or FLEET_REPLACE_TOKEN (if replacing an agent)
  • Tags: --tag or ELASTIC_AGENT_TAGS
  • CA fingerprint: --ca-sha256 (if using certificate pinning)
  • Insecure flag: --insecure or FLEET_INSECURE (not recommended)

The following settings can be set using CLI during enrollment, but can also be updated using policy after enrollment:

  • CA certificates for Fleet Server: Configured in Fleet settings under Fleet Server hosts
  • mTLS client certificates for Fleet Server: Configured in Fleet settings under Fleet Server hosts
  • Output configuration: Configured in Fleet settings under Outputs
    • Output host URLs
    • Output authentication (API keys, usernames/passwords)
    • Output TLS/mTLS settings
  • Proxy settings: Configured in agent policy

The configuration precedence is as follows (highest to lowest):

  1. CLI flags (during installation/enrollment)
  2. Environment variables (during installation/enrollment)
  3. Policy configuration (after enrollment, downloaded from Fleet Server)

Settings provided using CLI or environment variables during enrollment are used for the initial connection to Fleet Server. After enrollment, the Elastic Agent downloads its policy from Fleet Server, and policy settings take precedence for most configuration options (except those listed in the Must be provided using CLI or environment variables section above).

Note

If the agent policy contains mTLS configuration settings, those settings take precedence over those used during enrollment. This includes both the mTLS settings used for connectivity between Elastic Agent and Fleet Server, and the settings used between Elastic Agent and its specified output.

The initial TLS, mTLS, or proxy configuration settings specified when Elastic Agent is enrolled cannot be removed through the agent policy; they can only be updated.

Mutual TLS provides enhanced security by requiring both parties in a connection to authenticate using certificates.

Use this option when you need Fleet Server to verify the identity of connecting Elastic Agents in addition to Elastic Agents verifying Fleet Server.

Configure the following settings:

  1. During Elastic Agent enrollment (CLI or environment variables):

    • --elastic-agent-cert / ELASTIC_AGENT_CERT: Client certificate for Elastic Agent
    • --elastic-agent-cert-key / ELASTIC_AGENT_CERT_KEY: Private key for client certificate
    • --certificate-authorities / FLEET_CA: CA to validate Fleet Server certificate

  2. During Fleet Server installation (must be configured):

    • --fleet-server-client-auth=required / FLEET_SERVER_CLIENT_AUTH=required: Enable client authentication
    • --certificate-authorities / FLEET_CA: CA to validate agent client certificates

  3. In Fleet settings (Fleet Server hosts):

    • Server SSL certificate authorities: CA to validate agent certificates
    • Enable client authentication: Set to required

For more information, refer to Mutual TLS connection and How to deploy Fleet Server.

Use this option when you need output destinations (Elasticsearch, Logstash) to verify the identity of Elastic Agents in addition to Elastic Agents verifying the output.

Configure the following settings:

  1. In Fleet settings (Elasticsearch or Logstash output - advanced YAML configuration):

    ssl.certificate_authorities:
  - /path/to/output-ca.crt
ssl.certificate: /path/to/agent-client.crt
ssl.key: /path/to/agent-client.key

  2. On the output side (Elasticsearch or Logstash):

    • Configure the output to require client certificates
    • Ensure the CA used to sign agent certificates is trusted by the output
Note

For Elasticsearch outputs, mTLS configuration is done in the output settings. For Logstash outputs, mTLS configuration is also done in the output settings, but you might also need to configure Logstash itself to require client certificates.

For more information, refer to Mutual TLS connection and Secure Logstash connections.

The following sections provide best practices for deploying and managing Elastic Agent:

Follow these best practices for managing certificates:

  • Never use self-signed certificates in production. Generate certificates using a trusted CA or your organization's CA.
  • When generating certificates, include all hostnames and IP addresses that will be used in the certificate's Subject Alternative Name (SAN) list.
  • Store private keys securely and use appropriate file permissions. Consider using encrypted keys with passphrases.
  • Plan for certificate rotation. For more information, refer to Certificate rotation.

Follow these best practices for managing configuration:

  • After initial enrollment, manage most settings through Fleet policies rather than CLI flags.
  • Document your configuration to keep track of which settings are configured using CLI, environment variables, and policies.
  • Test policy changes in a non-production environment before applying to production.
  • For containerized Elastic Agents, use environment variables to provide host-specific settings while keeping policies generic.

Follow these security best practices:

  • Use mutual TLS for both Elastic Agent to Fleet Server and Fleet Server to Elastic Agent to output connections in high-security environments.
  • Prefer API keys or service tokens over basic authentication for output connections.
  • Consider network segmentation to limit which hosts can connect to Fleet Server and outputs.
  • Keep Elastic Agent versions up to date to benefit from security patches.

After deploying Elastic Agent, you can: