Kibana Fleet APIs
You can find details for all available Fleet API endpoints in the Kibana API docs. For Elastic Cloud Serverless projects, check the Kibana Serverless API docs.
In this section, we provide examples of some commonly used Fleet APIs.
You can run Fleet API requests through the Kibana Console.
Open the Kibana menu and go to Management → Dev Tools.
In your request, prepend your Fleet API endpoint with
kbn:, for example:GET kbn:/api/fleet/agent_policies
For more detail about using the Kibana Console refer to Run API requests.
Authentication is required to send Fleet API requests. For more information, refer to Authentication.
To create a new agent policy in Fleet, call POST /api/fleet/agent_policies.
This cURL example creates an agent policy called Agent policy 1 in the default namespace.
curl --request POST \
--url 'https://my-kibana-host:9243/api/fleet/agent_policies?sys_monitoring=true' \
--header 'Accept: */*' \
--header 'Authorization: ApiKey yourbase64encodedkey' \
--header 'Cache-Control: no-cache' \
--header 'Connection: keep-alive' \
--header 'Content-Type: application/json' \
--header 'kbn-xsrf: xxx' \
--data '{
"name": "Agent policy 1",
"description": "",
"namespace": "default",
"monitoring_enabled": [
"logs",
"metrics"
]
}'
To save time, you can use Kibana to generate the API request, then run it from the Dev Tools console.
- Go to Fleet → Agent policies.
- Click Create agent policy and give the policy a name.
- Click Preview API request.
- Click Open in Console and run the request.
Example response:
{
"item": {
"id": "2b820230-4b54-11ed-b107-4bfe66d759e4",
"name": "Agent policy 1",
"description": "",
"namespace": "default",
"monitoring_enabled": [
"logs",
"metrics"
],
"status": "active",
"is_managed": false,
"revision": 1,
"updated_at": "2022-10-14T00:07:19.763Z",
"updated_by": "1282607447",
"schema_version": "1.0.0"
}
}
- Make a note of the policy ID. You’ll need the policy ID to add integration policies.
To create an integration policy (also known as a package policy) and add it to an existing agent policy, call POST /api/fleet/package_policies.
You can use the Fleet API to Create and customize an Elastic Defend policy.
This cURL example creates an integration policy for Nginx and adds it to the agent policy created in the previous example:
curl --request POST \
--url 'https://my-kibana-host:9243/api/fleet/package_policies' \
--header 'Authorization: ApiKey yourbase64encodedkey' \
--header 'Content-Type: application/json' \
--header 'kbn-xsrf: xx' \
--data '{
"name": "nginx-demo-123",
"policy_id": "2b820230-4b54-11ed-b107-4bfe66d759e4",
"package": {
"name": "nginx",
"version": "1.5.0"
},
"inputs": {
"nginx-logfile": {
"streams": {
"nginx.access": {
"vars": {
"tags": [
"test"
]
}
},
"nginx.error": {
"vars": {
"tags": [
"test"
]
}
}
}
}
}
}'
To save time, you can use Kibana to generate the API call, then run it from the Dev Tools console.
Go to Integrations, select an Elastic Agent integration, and click Add <Integration>.
Configure the integration settings and select which agent policy to use.
Click Preview API request.
If you’re creating the integration policy for a new agent policy, the preview shows two requests: one to create the agent policy, and another to create the integration policy.
Click Open in Console and run the request (or requests).
To find out which inputs, streams, and variables are available for an integration, go to Integrations, select an Elastic Agent integration, and click API reference.
Example response (truncated for readability):
{
"item" : {
"created_at" : "2022-10-15T00:41:28.594Z",
"created_by" : "1282607447",
"enabled" : true,
"id" : "92f33e57-3165-4dcd-a1d5-f01c8ffdcbcd",
"inputs" : [
{
"enabled" : true,
"policy_template" : "nginx",
"streams" : [
{
"compiled_stream" : {
"exclude_files" : [
".gz$"
],
"ignore_older" : "72h",
"paths" : [
"/var/log/nginx/access.log*"
],
"processors" : [
{
"add_locale" : null
}
],
"tags" : [
"test"
]
},
"data_stream" : {
"dataset" : "nginx.access",
"type" : "logs"
},
"enabled" : true,
"id" : "logfile-nginx.access-92f33e57-3165-4dcd-a1d5-f01c8ffdcbcd",
"release" : "ga",
"vars" : {
"ignore_older" : {
"type" : "text",
"value" : "72h"
},
"paths" : {
"type" : "text",
"value" : [
"/var/log/nginx/access.log*"
]
},
"preserve_original_event" : {
"type" : "bool",
"value" : false
},
"processors" : {
"type" : "yaml"
},
"tags" : {
"type" : "text",
"value" : [
"test"
]
}
}
},
{
"compiled_stream" : {
"exclude_files" : [
".gz$"
],
"ignore_older" : "72h",
"multiline" : {
"match" : "after",
"negate" : true,
"pattern" : "^\\d{4}\\/\\d{2}\\/\\d{2} "
},
"paths" : [
"/var/log/nginx/error.log*"
],
"processors" : [
{
"add_locale" : null
}
],
"tags" : [
"test"
]
},
"data_stream" : {
"dataset" : "nginx.error",
"type" : "logs"
},
"enabled" : true,
"id" : "logfile-nginx.error-92f33e57-3165-4dcd-a1d5-f01c8ffdcbcd",
"release" : "ga",
"vars" : {
"ignore_older" : {
"type" : "text",
"value" : "72h"
},
"paths" : {
"type" : "text",
"value" : [
"/var/log/nginx/error.log*"
]
},
"preserve_original_event" : {
"type" : "bool",
"value" : false
},
"processors" : {
"type" : "yaml"
},
"tags" : {
"type" : "text",
"value" : [
"test"
]
}
}
}
],
"type" : "logfile"
},
...
{
"enabled" : true,
"policy_template" : "nginx",
"streams" : [
{
"compiled_stream" : {
"hosts" : [
"http://127.0.0.1:80"
],
"metricsets" : [
"stubstatus"
],
"period" : "10s",
"server_status_path" : "/nginx_status"
},
"data_stream" : {
"dataset" : "nginx.stubstatus",
"type" : "metrics"
},
"enabled" : true,
"id" : "nginx/metrics-nginx.stubstatus-92f33e57-3165-4dcd-a1d5-f01c8ffdcbcd",
"release" : "ga",
"vars" : {
"period" : {
"type" : "text",
"value" : "10s"
},
"server_status_path" : {
"type" : "text",
"value" : "/nginx_status"
}
}
}
],
"type" : "nginx/metrics",
"vars" : {
"hosts" : {
"type" : "text",
"value" : [
"http://127.0.0.1:80"
]
}
}
}
],
"name" : "nginx-demo-123",
"namespace" : "default",
"package" : {
"name" : "nginx",
"title" : "Nginx",
"version" : "1.5.0"
},
"policy_id" : "d625b2e0-4c21-11ed-9426-31f0877749b7",
"revision" : 1,
"updated_at" : "2022-10-15T00:41:28.594Z",
"updated_by" : "1282607447",
"version" : "WzI5OTAsMV0="
}
}
To get a list of valid enrollment tokens from Fleet, call GET /api/fleet/enrollment_api_keys.
This cURL example returns a list of enrollment tokens.
curl --request GET \
--url 'https://my-kibana-host:9243/api/fleet/enrollment_api_keys' \
--header 'Authorization: ApiKey N2VLRDA0TUJIQ05MaGYydUZrN1Y6d2diMUdwSkRTWGFlSm1rSVZlc2JGQQ==' \
--header 'Content-Type: application/json' \
--header 'kbn-xsrf: xx'
Example response (formatted for readability):
{
"items" : [
{
"active" : true,
"api_key" : "QlN2UaA0TUJlMGFGbF8IVkhJaHM6eGJjdGtyejJUUFM0a0dGSwlVSzdpdw==",
"api_key_id" : "BSvR04MBe0aFl_HVHIhs",
"created_at" : "2022-10-14T00:07:21.420Z",
"id" : "39703af4-5945-4232-90ae-3161214512fa",
"name" : "Default (39703af4-5945-4232-90ae-3161214512fa)",
"policy_id" : "2b820230-4b54-11ed-b107-4bfe66d759e4"
},
{
"active" : true,
"api_key" : "Yi1MSTA2TUJIQ05MaGYydV9kZXQ5U2dNWFkyX19sWEdSemFQOUfzSDRLZw==",
"api_key_id" : "b-LI04MBHCNLhf2u_det",
"created_at" : "2022-10-13T23:58:29.266Z",
"id" : "e4768bf2-55a6-433f-a540-51d4ca2d34be",
"name" : "Default (e4768bf2-55a6-433f-a540-51d4ca2d34be)",
"policy_id" : "ee37a8e0-4b52-11ed-b107-4bfe66d759e4"
},
{
"active" : true,
"api_key" : "b3VLbjA0TUJIQ04MaGYydUk1Z3Q6VzhMTTBITFRTmnktRU9IWDaXWnpMUQ==",
"api_key_id" : "luKn04MBHCNLhf2uI5d4",
"created_at" : "2022-10-13T23:21:30.707Z",
"id" : "d18d2918-bb10-44f2-9f98-df5543e21724",
"name" : "Default (d18d2918-bb10-44f2-9f98-df5543e21724)",
"policy_id" : "c3e31e80-4b4d-11ed-b107-4bfe66d759e4"
},
{
"active" : true,
"api_key" : "V3VLRTa0TUJIQ05MaGYydVMx4S06WjU5dsZ3YzVRSmFUc5xjSThImi1ydw==",
"api_key_id" : "WuKE04MBHCNLhf2uS1E-",
"created_at" : "2022-10-13T22:43:27.139Z",
"id" : "aad31121-df89-4f57-af84-7c43f72640ee",
"name" : "Default (aad31121-df89-4f57-af84-7c43f72640ee)",
"policy_id" : "72fcc4d0-4b48-11ed-b107-4bfe66d759e4"
},
],
"page" : 1,
"perPage" : 20,
"total" : 4
}
Use the Get agents API to retrieve a list of currently enrolled Elastic Agents:
curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents
By default, a maximum of 10,000 agents are returned, with 20 agents listed per page.
The following query returns the same list, showing 10,000 Elastic Agents per page:
curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents?perPage=10000'
Beginning with Elastic Stack version 9.1, the previous query response includes a nextSearchAfter parameter that you can pass in a subsequent call, to retrieve the next page of 10,000 enrolled agents:
curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents?perPage=10000&searchAfter=<nextSearchAfter>'
Beginning with Elastic Stack version 9.1, you can also capture a point-in-time ID (pitId) parameter from the Get agents API response, and use that together with the nextSearchAfter parameter to capture the next page of 10,000 enrolled agents for a specific point in time.
Include the openPit and pitKeepAlive parameters in your initial request:
curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents?perPage=10000&openPit=true&pitKeepAlive=5m'
You can then use the returned values in a new request to retrieve the next set of 10,000 agents:
curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents?perPage=10000&searchAfter=<nextSearchAfter>&pitId=<pit id>&pitKeepAlive=5m'
The manual rollback feature for Elastic Agent gives you the ability to roll back to the previously installed version if the install artifacts are still available on disk--typically seven days after the upgrade.
- To roll back a single agent:
- Call
POST /api/fleet/agents/{agentID}/rollback. - To roll back multiple agents:
- Call
POST /api/fleet/agents/bulk_rollback.
These limitations apply for the manual rollback feature:
- Rollback is limited to the version running before the upgrade. Both the previously and currently running versions must be 9.3.0 or later for this functionality to be available.
- Data required for the rollback is stored on disk for seven days, which can impact available disk space.
- Rollback must be performed within seven days of the upgrade. Rollback data is automatically cleaned up after seven days and becomes unavailable.
- Manual rollback is not available for system-managed packages such as DEB and RPM.
- Some data might be re-ingested after rollback.
If no version is available on disk to rollback to, you get an error. This situation can happen if:
the version you upgraded from is earlier than 9.3.0, as the feature is not supported for earlier versions.
the rollback window has ended (typically more than seven days). When the rollback window ends, the files from the previous version are removed to free up disk space.