Elastic Agent environment variables
Use environment variables to configure Elastic Agent when running in a containerized environment. Variables on this page are grouped by action type:
- Common variables
- Configure Kibana: prepare the Fleet plugin in {kib}
- Configure Fleet Server: bootstrap Fleet Server on an {agent}
- Configure Elastic Agent and Fleet: enroll an {agent}
To limit the number of environment variables that need to be set, the following common variables are available. These variables can be used across all Elastic Agent actions, but have a lower precedence than action-specific environment variables.
These common variables are useful, for example, when using the same Elasticsearch and Kibana credentials to prepare the Fleet plugin in Kibana, configure Fleet Server, and enroll an Elastic Agent.
| Settings | Description |
|---|---|
ELASTICSEARCH_HOST |
(string) The Elasticsearch host to communicate with. Default: http://elasticsearch:9200 |
ELASTICSEARCH_USERNAME |
(string) The basic authentication username used to connect to Kibana and retrieve a service_token for Fleet.Default: none |
ELASTICSEARCH_PASSWORD |
(string) The basic authentication password used to connect to Kibana and retrieve a service_token for Fleet.Default: none |
ELASTICSEARCH_API_KEY |
(string) API key used for authenticating to Elasticsearch. Default: none |
ELASTICSEARCH_CA |
(string) The path to a certificate authority. By default, Elastic Agent uses the list of trusted certificate authorities (CA) from the operating system where it is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, use this config to add the path to the .pem file that contains your CA’s certificate.Default: "" |
KIBANA_HOST |
(string) The Kibana host. Default: http://kibana:5601 |
KIBANA_USERNAME |
(string) The basic authentication username used to connect to Kibana to retrieve a service_token.Default: elastic |
KIBANA_PASSWORD |
(string) The basic authentication password used to connect to Kibana to retrieve a service_token.Default: changeme |
KIBANA_CA |
(string) The path to a certificate authority. By default, Elastic Agent uses the list of trusted certificate authorities (CA) from the operating system where it is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, use this config to add the path to the .pem file that contains your CA’s certificate.Default: "" |
ELASTIC_NETINFO |
(bool) When false, disables netinfo.enabled parameter of add_host_metadata processor. Setting this to false is recommended for large scale setups where the host.ip and host.mac fields index size increases.By default, Elastic Agent initializes the add_host_metadata processor. The netinfo.enabled parameter defines ingestion of IP addresses and MAC addresses as fields host.ip and host.mac. For more information see add_host_metadataDefault: "false" |
Settings used to prepare the Fleet plugin in Kibana.
Settings used to bootstrap Fleet Server on this Elastic Agent. At least one Fleet Server is required in a deployment.
| Settings | Description |
|---|---|
FLEET_SERVER_ENABLE |
(int) Set to 1 to bootstrap Fleet Server on this Elastic Agent. When set to 1, this automatically forces Fleet enrollment as well.Default: none |
FLEET_SERVER_ELASTICSEARCH_HOST |
(string) The Elasticsearch host for Fleet Server to communicate with. Overrides ELASTICSEARCH_HOST when set.Default: http://elasticsearch:9200 |
FLEET_SERVER_ELASTICSEARCH_CA |
(string) The path to a certificate authority. Overrides ELASTICSEARCH_CA when set.By default, Elastic Agent uses the list of trusted certificate authorities (CA) from the operating system where it is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, use this config to add the path to the .pem file that contains your CA’s certificate.Default: "" |
FLEET_SERVER_ES_CERT |
(string) The path to the mutual TLS client certificate that Fleet Server will use to connect to Elasticsearch. Default: "" |
FLEET_SERVER_ES_CERT_KEY |
(string) The path to the mutual TLS private key that Fleet Server will use to connect to Elasticsearch. Default: "" |
FLEET_SERVER_INSECURE_HTTP |
(bool) When true, Fleet Server is exposed over insecure or unverified HTTP. Setting this to true is not recommended.Default: false |
FLEET_SERVER_SERVICE_TOKEN |
(string) Service token to use for communication with Elasticsearch and Kibana if KIBANA_FLEET_SETUP is enabled. If the service token value and service token path are specified the value may be used for setup and the path is passed to the agent in the container.Default: none |
FLEET_SERVER_SERVICE_TOKEN_PATH |
(string) The path to the service token file to use for communication with Elasticsearch and Kibana if KIBANA_FLEET_SETUP is enabled. If the service token value and service token path are specified the value may be used for setup and the path is passed to the agent in the container.Default: none |
FLEET_SERVER_POLICY_NAME |
(string) The name of the policy for Fleet Server to use on itself. Overrides FLEET_TOKEN_POLICY_NAME when set.Default: none |
FLEET_SERVER_POLICY_ID |
(string) The policy ID for Fleet Server to use on itself. |
FLEET_SERVER_HOST |
(string) The binding host for Fleet Server HTTP. Overrides the host defined in the policy. Default: none |
FLEET_SERVER_PORT |
(string) The binding port for Fleet Server HTTP. Overrides the port defined in the policy. Default: none |
FLEET_SERVER_CERT |
(string) The path to the certificate to use for HTTPS. Default: none |
FLEET_SERVER_CERT_KEY |
(string) The path to the private key for the certificate used for HTTPS. Default: none |
FLEET_SERVER_CERT_KEY_PASSPHRASE |
(string) The path to the private key passphrase for an encrypted private key file. Default: none |
FLEET_SERVER_CLIENT_AUTH |
(string) One of none, optional, or required. Fleet Server's client authentication option for client mTLS connections. If optional or required is specified, client certificates are verified using CAs.Default: none |
FLEET_SERVER_ELASTICSEARCH_CA_TRUSTED_FINGERPRINT |
(string) The SHA-256 fingerprint (hash) of the certificate authority used to self-sign Elasticsearch certificates. This fingerprint is used to verify self-signed certificates presented by Fleet Server and any inputs started by Elastic Agent for communication. This flag is required when using self-signed certificates with Elasticsearch. Default: "" |
FLEET_DAEMON_TIMEOUT |
(duration) Set to indicate how long Fleet Server will wait during the bootstrap process for Elastic Agent. |
FLEET_SERVER_TIMEOUT |
(duration) Set to indicate how long Elastic Agent will wait for Fleet Server to check in as healthy. |
Settings used to enroll an Elastic Agent into a Fleet Server.