Fleet settings in Kibana

By default, Fleet is enabled. To use Fleet, you also need to configure Kibana and Elasticsearch hosts.

Many Fleet settings can also be configured directly through the Fleet UI. See Fleet UI settings for details.

Go to the Fleet docs for more information about Fleet.

Note

In Elastic Cloud, Fleet flags are already configured.

General Fleet settings

xpack.fleet.agents.enabled

Supported on:

Set to true (default) to enable Fleet.

Datatype: bool

Default: true

xpack.fleet.isAirGapped

Supported on:

Set to true to indicate Fleet is running in an air-gapped environment. Refer to Air-gapped environments for details. Enabling this flag helps Fleet skip needless requests and improve the user experience for air-gapped environments.

Datatype: bool

Default: false

xpack.fleet.createArtifactsBulkBatchSize

Supported on:

Allow to configure batch size for creating and updating Fleet user artifacts. Examples include creation of Trusted Applications and Endpoint Exceptions in Security. It is available in Elastic Cloud 8.9.0 and later versions.

Datatype: int

Elastic Package Manager settings

xpack.fleet.registryUrl

Supported on:

The address to use to reach the Elastic Package Manager registry.

Datatype: string

xpack.fleet.registryProxyUrl

Supported on:

The proxy address to use to reach the Elastic Package Manager registry if an internet connection is not directly available. Refer to Air-gapped environments for details.

Datatype: string

xpack.fleet.packageVerification.gpgKeyPath

Supported on:

The path on disk to the GPG key used to verify Elastic Package Manager packages. If the Elastic public key is ever reissued as a security precaution, you can use this setting to specify the new key.

Datatype: string

Fleet settings

Note

The xpack.fleet.agents.elasticsearch.* settings are intended for a quickstart setup. For more advanced use cases, use the xpack.fleet.outputs setting to preconfigure outputs.

xpack.fleet.agents.fleet_server.hosts

Supported on:

Hostnames used by Elastic Agent for accessing Fleet Server.

If configured in your kibana.yml, this setting is grayed out and unavailable in the Fleet UI. To make this setting editable in the UI, do not configure it in the configuration file.

Datatype: string

xpack.fleet.agents.elasticsearch.hosts

Supported on:

Hostnames used by Elastic Agent for accessing Elasticsearch.

Datatype: string

xpack.fleet.agents.elasticsearch.ca_sha256

Supported on:

Hash pin used for certificate verification. The pin is a base64-encoded string of the SHA-256 fingerprint.

Datatype: string

Preconfiguration settings (for advanced use cases)

Use these settings to pre-define integrations, agent policies, and Fleet Server hosts or proxies that you want Fleet to load up by default.

Note

These settings are not supported to pre-configure the Endpoint and Cloud Security integration.

xpack.fleet.packages

Supported on:

List of integrations that are installed when the Fleet app starts up for the first time.

Datatype: string

		xpack.fleet.packages:
  - name: apache
    version: 0.5.0

xpack.fleet.agentPolicies:
  - name: Preconfigured Policy
    id: preconfigured-policy
    namespace: test
    package_policies:
      - package:
          name: system
        name: System Integration
        namespace: test
        id: preconfigured-system
        inputs:
          system-system/metrics:
            enabled: true
            vars:
              '[system.hostfs]': home/test
            streams:
              '[system.core]':
                enabled: true
                vars:
                  period: 20s
          system-winlog:
            enabled: false
		
	

xpack.fleet.packages[n].name

Supported on:

Required. Name of the integration from the package registry.

Datatype: string

xpack.fleet.packages[n].version

Supported on:

Required. Either an exact semantic version, or the keyword latest to fetch the latest integration version.

Datatype: string

xpack.fleet.agentPolicies

Supported on:

List of agent policies that are configured when the Fleet app starts.

Datatype: string

xpack.fleet.agentPolicies[n].id

Supported on:

Required. Unique ID for this policy. The ID may be a number or string.

Datatype: string

xpack.fleet.agentPolicies[n].name

Supported on:

Required. Name of the agent policy.

Datatype: string

xpack.fleet.agentPolicies[n].description

Supported on:

Optional. Text description of this policy.

Datatype: string

xpack.fleet.agentPolicies[n].namespace

Supported on:

Optional. String identifying this policy's namespace.

Datatype: string

xpack.fleet.agentPolicies[n].monitoring_enabled

Supported on:

Optional. List of keywords that specify the monitoring data to collect. Valid values include ['logs'], ['metrics'], and ['logs', 'metrics'].

Datatype: string

xpack.fleet.agentPolicies[n].keep_monitoring_alive

Supported on:

Optional. If true, monitoring will be enabled, but logs/metrics collection will be disabled. Use this if you want to keep agent's monitoring server alive even when logs/metrics aren't being collected.

Datatype: bool

xpack.fleet.agentPolicies[n].is_managed

Supported on:

Optional. If true, this policy is not editable by the user and can only be changed by updating the Kibana config.

Datatype: bool

xpack.fleet.agentPolicies[n].is_default

Supported on:

Optional. If true, this policy is the default agent policy.

Datatype: bool

Deprecation details

Deprecated in 8.1.0.

xpack.fleet.agentPolicies[n].is_default_fleet_server

Supported on:

Optional. If true, this policy is the default Fleet Server agent policy.

Datatype: bool

Deprecation details

Deprecated in 8.1.0.

xpack.fleet.agentPolicies[n].data_output_id

Supported on:

Optional. ID of the output to send data. (Need to be identical to monitoring_output_id)

Datatype: string

xpack.fleet.agentPolicies[n].monitoring_output_id

Supported on:

Optional. ID of the output to send monitoring data. (Need to be identical to data_output_id)

Datatype: string

xpack.fleet.agentPolicies[n].fleet_server_host_id

Supported on:

Optional. ID of the fleet server.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies

Supported on:

Optional. List of integration policies to add to this policy.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].id

Supported on:

Unique ID of the integration policy. The ID may be a number or string.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].name

Supported on:

Required. Name of the integration policy.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].package

Supported on:

Required. Integration that this policy configures.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].package.name

Supported on:

Name of the integration associated with this policy.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].description

Supported on:

Text string describing this integration policy.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].namespace

Supported on:

String identifying this policy's namespace.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].inputs

Supported on:

Map of input for the integration. Follows the same schema as the package policy API inputs, with the exception that any object in vars can be passed frozen: true in order to prevent that specific var from being edited by the user.

Datatype: string

xpack.fleet.outputs

Supported on:

List of outputs that are configured when the Fleet app starts.

Certain types of outputs have additional required and optional settings. Refer to Output settings in the Fleet and Elastic Agent Guide for the full list of settings for each output type.

If configured in your kibana.yml, output settings are grayed out and unavailable in the Fleet UI. To make these settings editable in the UI, do not configure them in the configuration file.

Datatype: string

Note

The xpack.fleet.outputs settings are intended for advanced configurations such as having multiple outputs. We recommend not enabling the xpack.fleet.agents.elasticsearch.host settings when using xpack.fleet.outputs.

		xpack.fleet.outputs:
  - id: my-logstash-output-with-a-secret
    name: preconfigured logstash output with a secret
    type:  logstash
    hosts: ["localhost:9999"]
    ssl:
      certificate: xxxxxxxxxx
    secrets:
      ssl:
        key: securekey
		
	

xpack.fleet.outputs[n].id

Supported on:

Required. Unique ID for this output. The ID should be a string.

Datatype: string

xpack.fleet.outputs[n].name

Supported on:

Required. Name of the output.

Datatype: string

xpack.fleet.outputs[n].type

Supported on:

Required. Type of Output.

Datatype: enum

Options:

elasticsearch
logstash
kafka
remote_elasticsearch

xpack.fleet.outputs[n].hosts

Supported on:

Optional. Array that contains the list of host for that output.

Datatype: string

xpack.fleet.outputs[n].is_default

Supported on:

Optional. If true, the output specified in xpack.fleet.outputs will be the one used to send agent data unless there is another one configured specifically for the agent policy.

Datatype: bool

xpack.fleet.outputs[n].is_default_monitoring

Supported on:

Optional. If true, the output specified in xpack.fleet.outputs will be the one used to send agent monitoring data unless there is another one configured specifically for the agent policy.

Datatype: bool

xpack.fleet.outputs[n].is_internal

Supported on:

Optional. If true, the output specified in xpack.fleet.outputs will not appear in the UI, and can only be managed via kibana.yml or the Fleet API.

Datatype: bool

xpack.fleet.outputs[n].config

Supported on:

Optional. Extra config for that output.

Datatype: string

xpack.fleet.outputs[n].proxy_id

Supported on:

Optional. Unique ID of a proxy to access the output.

Datatype: string

xpack.fleet.outputs[n].ssl

Supported on:

Optional. Set to enable authentication using the Secure Sockets Layer (SSL) protocol.

Datatype: string

xpack.fleet.outputs[n].ssl.certificate

Supported on:

The SSL certificate that Elastic Agents use to authenticate with the output. Include the full contents of the certificate here.

Datatype: string

xpack.fleet.outputs[n].ssl.certificate_authorities

Supported on:

Certificate authority (CA) used to issue the certificate.

Datatype: string

xpack.fleet.outputs[n].secrets

Supported on:

Include here any values for preconfigured outputs that should be stored as secrets. A secret value is replaced in the kibana.yml settings file with a reference, with the original value stored externally as a secure hash. Note that this type of secret storage requires all configured Fleet Servers to be on version 8.12.0 or later.

Datatype: string

xpack.fleet.outputs[n].secrets.key

Supported on:

The private certificate key that Elastic Agents use to authenticate with the output.

Datatype: string

xpack.fleet.fleetServerHosts

Supported on:

List of Fleet Server hosts that are configured when the Fleet app starts.

Datatype: string

xpack.fleet.fleetServerHosts[n].id

Supported on:

Required. Unique ID for the host server.

Datatype: string

xpack.fleet.fleetServerHosts[n].name

Supported on:

Required. Name of the host server.

Datatype: string

xpack.fleet.fleetServerHosts[n].host_urls

Supported on:

Required. Array of one or more host URLs that Elastic Agents will use to connect to Fleet Server.

Datatype: string

xpack.fleet.fleetServerHosts[n].is_default

Supported on:

Optional. Whether or not this host should be the default to use for Fleet Server.

Datatype: bool

xpack.fleet.fleetServerHosts[n].is_internal

Supported on:

Optional. If true the host will not appear in the UI, and can only be managed through kibana.yml or the Fleet API.

Datatype: bool

xpack.fleet.fleetServerHosts[n].proxy_id

Supported on:

Optional. Unique ID of the proxy to access the Fleet Server host.

Datatype: string

xpack.fleet.proxy

Supported on:

List of proxies to access Fleet Server that are configured when the Fleet app starts.

Datatype: string

xpack.fleet.proxy[n].id

Supported on:

Required. Unique ID of the proxy to access the Fleet Server host.

Datatype: string

xpack.fleet.proxy[n].name

Supported on:

Required. Name of the proxy to access the Fleet Server host.

Datatype: string

xpack.fleet.proxy[n].url

Supported on:

Required. URL that Elastic Agents use to connect to the proxy to access Fleet Server.

Datatype: string

xpack.fleet.proxy[n].proxy_headers

Supported on:

Optional. Map of headers to use with the proxy.

Datatype: string

xpack.fleet.proxy[n].proxy_headers.key

Supported on:

Key to use for the proxy header.

Datatype: string

xpack.fleet.proxy[n].proxy_headers.value

Supported on:

Value to use for the proxy header.

Datatype: string

xpack.fleet.proxy[n].certificate_authorities

Supported on:

Optional. Certificate authority (CA) used to issue the certificate.

Datatype: string

xpack.fleet.proxy[n].certificate

Supported on:

Optional. The name of the certificate used to authenticate the proxy.

Datatype: string

xpack.fleet.proxy[n].certificate_key

Supported on:

Optional. The certificate key used to authenticate the proxy.

Datatype: string

xpack.fleet.enableExperimental

Supported on:

List of experimental feature flag to enable in Fleet. It is available in Elastic Cloud 8.6.0 and later versions. Deprecated beginning in 9.3.0.

Datatype: string

Deprecation details

From 9.3.0 onwards, use xpack.fleet.experimentalFeatures to explicitly enable or disable experimental features.

xpack.fleet.experimentalFeatures

Supported on:

Set experimental feature flags to true or false to enable or disable them, respectively.

Datatype: string

Note

Experimental features should not be enabled in production environments. The features in this section are experimental and may be changed or removed completely in future releases. Elastic will make a best effort to fix any issues, but experimental features are not supported to the same level as generally available (GA) features.

		xpack.fleet.experimentalFeatures:
  useSpaceAwareness: false
  enableAgentPrivilegeLevelChange: true
		
	

xpack.fleet.enableManagedLogsAndMetricsDataviews

Supported on:

Set to true (default), to enable the automatic creation of global logs-* and metrics-* data views.

Datatype: bool

Default: true

xpack.fleet.autoUpgrades.taskInterval

Supported on:

Configure the interval of the automatic upgrade task for Fleet-managed Elastic Agents.

Datatype: string

Default: 30m

xpack.fleet.autoUpgrades.retryDelays

Supported on:

Configure the retry delays of the automatic upgrade task for Fleet-managed Elastic Agents. The array's length indicates the maximum number of retries.

Datatype: string

Default: ['30m', '1h', '2h', '4h', '8h', '16h', '24h']

xpack.fleet.integrationRollbackTTL

Supported on:

Configure the time-to-live (TTL) for integration rollback availability. This setting controls how long the rollback option remains available after an integration is upgraded. The value must be specified in a duration format (for example, 7d, 14d, 168h, or 1w). For more information, refer to Roll back an integration.

Datatype: string

Default: 7d

xpack.fleet.fleetPolicyRevisionsCleanup.max_revisions

Supported on:

The maximum number of revisions to maintain for a Fleet agent policy.

Datatype: int

Default: 10

xpack.fleet.fleetPolicyRevisionsCleanup.interval

Supported on:

The time interval for performing cleanups of Fleet agent policy revisions. The value must be specified in a duration format (for example, 30m, 1h, 1d).

Datatype: string

Default: 1h

xpack.fleet.fleetPolicyRevisionsCleanup.max_policies_per_run

Supported on:

The maximum number of Fleet agent policies to clean up revisions from per interval.

Datatype: int

Default: 100