Remote Elasticsearch output

Remote Elasticsearch outputs allow you to send Elastic Agent data to a remote Elasticsearch cluster. This is especially useful for data that you want to keep separate and independent from the deployment where you use Fleet to manage the Elastic Agents.

A remote Elasticsearch cluster supports the same output settings as your management Elasticsearch cluster.

Limitations

These limitations apply to remote Elasticsearch output:

At least one Fleet Server must be able to reach the remote Elasticsearch cluster with a service token to generate API keys for the Elastic Agents that use the remote output for data ingestion.
Using a remote Elasticsearch output with a target cluster that has network security enabled is not currently supported.
Using Elastic Defend when a remote Elasticsearch output is configured for an Elastic Agent is not currently supported.

Configure the remote output

To configure a remote Elasticsearch cluster for your Elastic Agent data:

Create a new remote output
1. In your management Elasticsearch cluster, open Kibana, and search for Fleet settings in the search bar. Select Fleet/Settings in the results.
2. In the Outputs section, select Add output.
3. In the Add new output flyout, provide a name for the output.
4. Select Remote Elasticsearch as the output type.
Add remote cluster host URL

In the Hosts field, add the URL that Elastic Agents should use to access the remote Elasticsearch cluster.
Find the remote host address of the remote cluster
1. In the remote cluster, open Kibana, and search for Fleet settings in the search bar. Select Fleet/Settings in the results.
2. In the Outputs section, copy the Hosts value of the default Elasticsearch output. If the value is not visible in full, edit the default Elasticsearch output to display the full value.
3. In your management cluster, paste the value you copied into the Hosts field of the remote output configuration.
Configure service token authentication

In the Service Token field, add a service token to access the remote cluster.
Create a service token to access the remote cluster
1. Copy the API request located below the Service Token field.
2. In the remote cluster, open the Kibana menu, then go to Management → Dev Tools in self-managed deployments, or to Developer tools in Elastic Cloud deployments.
3. Paste the API request in the console, then run it.
4. Copy the value for the generated service token.
5. In the management cluster, paste the value you copied into the Service Token field of the remote output configuration.
Note

To prevent unauthorized access, the Elasticsearch service token is stored as a secret value. While secret storage is recommended, you can choose to override this setting, and store the password as plain text in the agent policy definition. Secret storage requires Fleet Server version 8.12 or later. This setting can also be stored as a secret value or as plain text for preconfigured outputs. To learn more about this option, check Preconfiguration settings.
Configure SSL certificate authorities (optional)

Configure SSL certificate authorities if the remote Elasticsearch cluster uses certificates that are not publicly trusted. The certificate authority (CA) is used to sign the remote Elasticsearch cluster's SSL certificate. This allows Fleet Server to validate the remote cluster's certificate.
Expand the Authentication section, then paste the certificate content into the Server SSL certificate authorities field.
Add the SSL certificate authorities in the Advanced YAML configuration section. For example:
ssl: certificate_authorities: ["/path/to/ca.pem"]
Alternatively, you can embed the CA certificate directly in the YAML configuration:
ssl: certificate_authorities: - | -----BEGIN CERTIFICATE----- MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ ... -----END CERTIFICATE-----
Configure mutual TLS (optional)

If your remote Elasticsearch cluster requires mutual TLS (mTLS) authentication, configure the client certificate and key.
Expand the Authentication section to configure mTLS settings:
- Client SSL certificate: Paste the client certificate content that Elastic Agents will use to authenticate with the remote cluster.
- Client SSL certificate key: Paste the private key content associated with the client certificate.
Add the client certificate settings in the Advanced YAML configuration section. For example:
ssl: certificate: "/path/to/client-cert.pem" key: "/path/to/client-cert.key"
Alternatively, you can embed the certificate and key directly in the YAML configuration:
ssl: certificate: | -----BEGIN CERTIFICATE----- MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF ... -----END CERTIFICATE----- key: | -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI ... -----END PRIVATE KEY-----
For more information about TLS configuration options, refer to One-way and mutual TLS certifications flow → Output SSL options.
Configure output preferences
1. Choose whether integrations should be automatically synchronized on the remote Elasticsearch cluster. To configure this feature, refer to Automatic integrations synchronization.
  
  Note
  
  Automatic integrations synchronization is available only for certain subscription levels. For more information, check Fleet Multi-Cluster support on the Elastic subscriptions page.
2. Choose whether the remote output should be the default for agent integrations or for agent monitoring data. When set as the default, Elastic Agents use this output to send data if no other output is set in the agent policy.
3. Select the performance tuning settings to optimize Elastic Agents for throughput, scale, or latency, or leave the default balanced setting.
4. Choose whether Elastic Agents using this output should send data to wired streams. Using this feature requires additional steps. For more details, refer to Ship data to streams → Fleet.
Configure advanced settings (optional)

Add any advanced YAML configuration settings that you'd like for the remote output.
Save the output configuration

Click Save and apply settings.

Use the remote Elasticsearch output

After creating the output, update an Elastic Agent policy to use it and send data to the remote Elasticsearch cluster:

In the management cluster, go to Fleet, then open the Agent policies tab.
Click the agent policy you want to update, then click Settings.
To send integrations data, set the Output for integrations option to use the output that you configured in the previous steps.
To send Elastic Agent monitoring data, set the Output for agent monitoring option to use the output that you configured in the previous steps.
Click Save changes.

The remote Elasticsearch output is now configured for the remote cluster.

If you choose not to synchronize integrations automatically, you need to make sure that for any integrations that are added to your Elastic Agent policy, the integration assets are also installed on the remote Elasticsearch cluster. For detailed steps on this process, refer to Install and uninstall Elastic Agent integration assets.

Remote output health status

Fleet Server requires connectivity to the remote cluster to generate API keys for Elastic Agents. When you use a remote Elasticsearch output, Fleet Server tests whether it can reach the remote cluster. The result determines whether the remote output is reported as healthy or unhealthy in the Status column for the output on the Fleet → Settings page.

Note

If you have multiple Fleet Server instances, each Fleet Server will attempt to test connectivity to all remote Elasticsearch outputs. If the Fleet Server instances have different network scopes, it's expected that some of them might not be able to reach a certain remote output. In this case, the remote output will show as unhealthy in the UI with an Unable to connect error. You can ignore this status as long as the Fleet Server instance that manages the Elastic Agents using that remote output has connectivity to the remote cluster.