| navigation_title | Command reference | ||||||
|---|---|---|---|---|---|---|---|
| mapped_pages | |||||||
| applies_to |
|
||||||
| products |
|
{{agent}} provides commands for running {{agent}}, managing {{fleet-server}}, and doing common tasks. The commands listed here apply to both {{fleet}}-managed and standalone {{agent}}.
::::{admonition} Restrictions :class: important
Note the following restrictions for running {{agent}} commands:
- You might need to log in as a root user (or Administrator on Windows) to run the commands described here. After the {{agent}} service is installed and running, make sure you run these commands without prepending them with
./to avoid invoking the wrong binary. - Running {{agent}} commands using the Windows PowerShell ISE is not supported.
::::
:::{admonition} Command options for {{fleet-server}}
:applies_to: serverless: unavailable
Because self-managed {{fleet-server}} is not supported on {{serverless-full}}, the elastic-agent enroll and elastic-agent install options that configure {{fleet-server}} are not available on {{serverless-short}}.
:::
- diagnostics
- enroll
- help
- inspect
- install
- otel
- privileged
- restart
- run
- status
- uninstall
- upgrade
- logs
- unprivileged
- version
Gather diagnostics information from the {{agent}} and component/unit it’s running. This command produces an archive that contains:
- version.txt - version information
- agent-info.yaml - contains the agent local metadata that is also sent to Fleet
- pre-config.yaml - pre-configuration before variable substitution - this is the elastic-agent.yaml from disk or from Fleet
- otel.yaml - the OpenTelemetry collector configuration file used with the
otelsub-command - otel-merged.yaml - the final configuration file provided to the OpenTelemetry collector, including any internally generated collector components
- variables.yaml - current variable contexts from providers
- environment.yaml - current environment variables visible to the Elastic Agent process
- computed-config.yaml - configuration after variable substitution
- components-expected.yaml - expected computed components model from the computed-config.yaml
- components-actual.yaml - actual running components model as reported by the runtime manager
- state.yaml - current state information of all running components
- *.pprof.gz files from the running
elastic-agentprocess for analysis withgo tool pprof:- goroutine.pprof.gz - goroutine dump
- heap.pprof.gz - memory allocation of live objects
- allocs.pprof.gz - sampling past memory allocations
- threadcreate.pprof.gz - traces led to creation of new OS threads
- block.pprof.gz - stack traces that led to blocking on synchronization primitives
- mutex.pprof.gz - stack traces of holders of contended mutexes
- components/ directory - diagnostic information from each running component process:
- Typically one directory per input-output pair representing a supervised process containing:
- *.pprof.gz - profiles for analysis with
go tool pprof; refer to the previous descriptions - *_metrics.json - metrics snapshots captured from running Beat processes
- *.pprof.gz - profiles for analysis with
- Typically one directory per input-output pair representing a supervised process containing:
- edot/ directory - the output of Elastic's collector diagnostics extension:
- otel-merged-actual.yaml - the current configuration of the running collector, which should match the otel-merged.yaml file described previously
- *.profile.gz - profiles for analysis with
go tool pprof; refer to the previous descriptions
Note that credentials may not be redacted in the archive; they may appear in plain text in the configuration or policy files inside the archive.
This command is intended for debugging purposes only. The output format and structure of the archive may change between releases.
elastic-agent diagnostics [--file <string>]
[--cpu-profile]
[--exclude-events]
[--help]
[global-flags]--file
: Specifies the output archive name. Defaults to elastic-agent-diagnostics-<timestamp>.zip, where the timestamp is the current time in UTC.
--help
: Show help for the diagnostics command.
--cpu-profile
: Additionally runs a 30-second CPU profile on each running component. This will generate an additional cpu.pprof file for each component.
--p
: Alias for --cpu-profile.
--exclude-events
: Exclude the events log files from the diagnostics archive.
For more flags, see Global flags.
elastic-agent diagnosticsEnroll the {{agent}} in {{fleet}}.
Use this command to enroll the {{agent}} in {{fleet}} without installing the agent as a service. You will need to do this if you installed the {{agent}} from a DEB or RPM package and plan to use systemd commands to start and manage the service. This command is also useful for testing {{agent}} prior to installing it.
If you’ve already installed {{agent}}, use this command to modify the settings that {{agent}} runs with.
::::{tip}
To enroll an {{agent}} and install it as a service, use the install command instead. Installing as a service is the most common scenario.
::::
We recommend that you run the enroll (or install) command as the root user because some integrations require root privileges to collect sensitive data. This command overwrites the elastic-agent.yml file in the agent directory.
This command includes optional flags to set up {{fleet-server}}.
::::{important}
This command enrolls the {{agent}} in {{fleet}}; it does not start the agent. To start the agent, either start the service, if one exists, or use the run command to start the agent from a terminal.
::::
To enroll the {{agent}} in {{fleet}}:
elastic-agent enroll --url <string>
--enrollment-token <string>
[--ca-sha256 <string>]
[--certificate-authorities <string>]
[--daemon-timeout <duration>]
[--delay-enroll]
[--elastic-agent-cert <string>]
[--elastic-agent-cert-key <string>]
[--elastic-agent-cert-key-passphrase <string>]
[--force]
[--header <strings>]
[--help]
[--id <string>]
[--insecure ]
[--proxy-disabled]
[--proxy-header <strings>]
[--proxy-url <string>]
[--replace-token <string>]
[--staging <string>]
[--tag <string>]
[global-flags]To enroll the {{agent}} in {{fleet}} and set up {{fleet-server}}:
elastic-agent enroll --fleet-server-es <string>
--fleet-server-service-token <string>
[--fleet-server-service-token-path <string>]
[--ca-sha256 <string>]
[--certificate-authorities <string>]
[--daemon-timeout <duration>]
[--delay-enroll]
[--elastic-agent-cert <string>]
[--elastic-agent-cert-key <string>]
[--elastic-agent-cert-key-passphrase <string>]
[--fleet-server-cert <string>] <1>
[--fleet-server-cert-key <string>]
[--fleet-server-cert-key-passphrase <string>]
[--fleet-server-client-auth <string>]
[--fleet-server-es-ca <string>]
[--fleet-server-es-ca-trusted-fingerprint <string>] <2>
[--fleet-server-es-cert <string>]
[--fleet-server-es-cert-key <string>]
[--fleet-server-es-insecure]
[--fleet-server-host <string>]
[--fleet-server-policy <string>]
[--fleet-server-port <uint16>]
[--fleet-server-timeout <duration>]
[--force]
[--header <strings>]
[--help]
[--proxy-disabled]
[--proxy-header <strings>]
[--proxy-url <string>]
[--staging <string>]
[--tag <string>]
[--url <string>] <3>
[global-flags]- If no
fleet-server-cert*flags are specified, {{agent}} auto-generates a self-signed certificate with the hostname of the machine. Remote {{agent}}s enrolling into a {{fleet-server}} with self-signed certificates must specify the--insecureflag. - Required when using self-signed certificates with {{es}}.
- Required when enrolling in a {{fleet-server}} with custom certificates. The URL must match the DNS name used to generate the certificate specified by
--fleet-server-cert.
For more information about custom certificates, refer to Configure SSL/TLS for self-managed {{fleet-server}}s.
--ca-sha256 <string>
: Comma-separated list of certificate authority hash pins used for certificate verification.
--certificate-authorities <string>
: Comma-separated list of root certificates used for server verification.
--daemon-timeout <duration>
: Timeout waiting for {{agent}} daemon.
--delay-enroll
: Delays enrollment to occur on first start of the {{agent}} service. This setting is useful when you don't want the {{agent}} to enroll until the next reboot or manual start of the service, for example, when you're preparing an image that includes {{agent}} or deploying to environments where network access may not be immediately available. If {{fleet-server}} is unreachable when the service starts, {{agent}} will retry enrollment indefinitely until it succeeds.
--elastic-agent-cert
: Certificate to use as the client certificate for the {{agent}}'s connections to {{fleet-server}}.
--elastic-agent-cert-key
: Private key to use as for the {{agent}}'s connections to {{fleet-server}}.
--elastic-agent-cert-key-passphrase
: The path to the file that contains the passphrase for the mutual TLS private key that {{agent}} will use to connect to {{fleet-server}}. The file must only contain the characters of the passphrase, no newline or extra non-printing characters.
This option is only used if the `--elastic-agent-cert-key` is encrypted and requires a passphrase to use.
--enrollment-token <string>
: Enrollment token to use to enroll {{agent}} into {{fleet}}. You can use the same enrollment token for multiple agents.
--fleet-server-cert <string> {applies_to}serverless: unavailable
: Certificate to use for exposed {{fleet-server}} HTTPS endpoint.
--fleet-server-cert-key <string> {applies_to}serverless: unavailable
: Private key to use for exposed {{fleet-server}} HTTPS endpoint.
--fleet-server-cert-key-passphrase <string> {applies_to}serverless: unavailable
: Path to passphrase file for decrypting {{fleet-server}}'s private key if an encrypted private key is used.
--fleet-server-client-auth <string> {applies_to}serverless: unavailable
: One of none, optional, or required. Defaults to none. {{fleet-server}}'s client_authentication option for client mTLS connections. If optional, or required is specified, client certificates are verified using CAs specified in the --certificate-authorities flag.
--fleet-server-es <string> {applies_to}serverless: unavailable
: Start a {{fleet-server}} process when {{agent}} is started, and connect to the specified {{es}} URL.
--fleet-server-es-ca <string> {applies_to}serverless: unavailable
: Path to certificate authority file to use to communicate with {{es}}. This is an alternative to using --fleet-server-es-ca-trusted-fingerprint.
--fleet-server-es-ca-trusted-fingerprint <string> {applies_to}serverless: unavailable
: The SHA-256 fingerprint (hash) of a certificate authority that is present in the certificate chain sent by {{es}} during the TLS handshake. If this certificate is found in the chain, it will be added to the trusted CAs. This is an alternative to using --fleet-server-es-ca to provide a CA certificate file. For more information, refer to Using certificate fingerprints.
--fleet-server-es-cert {applies_to}serverless: unavailable
: The path to the client certificate that {{fleet-server}} will use when connecting to {{es}}.
--fleet-server-es-cert-key {applies_to}serverless: unavailable
: The path to the private key that {{fleet-server}} will use when connecting to {{es}}.
--fleet-server-es-insecure {applies_to}serverless: unavailable
: Allows fleet server to connect to {{es}} in the following situations:
* When connecting to an HTTP server.
* When connecting to an HTTPs server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.
When this flag is used the certificate verification is disabled.
--fleet-server-host <string> {applies_to}serverless: unavailable
: {{fleet-server}} HTTP binding host (overrides the policy).
--fleet-server-policy <string> {applies_to}serverless: unavailable
: Used when starting a self-managed {{fleet-server}} to allow a specific policy to be used.
--fleet-server-port <uint16> {applies_to}serverless: unavailable
: {{fleet-server}} HTTP binding port (overrides the policy).
--fleet-server-service-token <string> {applies_to}serverless: unavailable
: Service token to use for communication with {{es}}. Mutually exclusive with --fleet-server-service-token-path.
--fleet-server-service-token-path <string> {applies_to}serverless: unavailable
: Service token file to use for communication with {{es}}. Mutually exclusive with --fleet-server-service-token.
--fleet-server-timeout <duration> {applies_to}serverless: unavailable
: Timeout waiting for {{fleet-server}} to be ready to start enrollment.
--force
: Force overwrite of current configuration without prompting for confirmation. This flag is helpful when using automation software or scripted deployments.
::::{note}
If the {{agent}} is already installed on the host, using `--force` may result in unpredictable behavior with duplicate {{agent}}s appearing in {{fleet}}.
::::
--header <strings>
: Headers used in communication with elasticsearch.
--help
: Show help for the enroll command.
--id <string>
: Specifies the unique identifier (agent ID) to use when enrolling the {{agent}} with {{fleet-server}}. This setting is useful when restoring a previously enrolled agent or in stateless environments where the agent cannot persist enrollment data between redeployments.
:::{note}
If an agent with the same ID is already enrolled in {{fleet}}, enrollment will fail unless a valid replacement token is provided using the `--replace-token` flag.
:::
--insecure
: Allow the {{agent}} to connect to {{fleet-server}} over insecure connections. This setting is required in the following situations:
* When connecting to an HTTP server. The API keys are sent in clear text.
* When connecting to an HTTPs server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.
* When using self-signed certificates generated by {{agent}}.
We strongly recommend that you use a secure connection.
--proxy-disabled
: Disable proxy support including environment variables.
--proxy-header <strings>
: Proxy headers used with CONNECT request.
--proxy-url <string>
: Configures the proxy URL.
--replace-token <string>
: Specifies a token that can be used to replace the {{agent}} after its enrollment in {{fleet-server}}. The token must be provided when enrolling an agent with a specific agent ID for the first time. Subsequently, the agent can be replaced by enrolling another agent using the same agent ID and replacement token. Once replaced, the original agent can no longer communicate with {{fleet}}.
:::{note}
If an {{agent}} is enrolled without a replacement token, it cannot be replaced by another agent with the same ID. This mechanism prevents accidental or malicious takeovers by requiring the replacement token to match the hashed token stored in {{fleet}}.
:::
--staging <string>
: Configures agent to download artifacts from a staging build.
--tag <string>
: A comma-separated list of tags to apply to {{fleet}}-managed {{agent}}s. You can use these tags to filter the list of agents in {{fleet}}.
::::{note}
Currently, there is no way to remove or edit existing tags. To change the tags, you must unenroll the {{agent}}, then re-enroll it using new tags.
::::
--url <string>
: {{fleet-server}} URL to use to enroll the {{agent}} into {{fleet}}.
For more flags, see Global flags.
Enroll the {{agent}} in {{fleet}}:
elastic-agent enroll \
--url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 \
--enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ==Enroll the {{agent}} in {{fleet}} and set up {{fleet-server}}:
elastic-agent enroll --fleet-server-es=http://elasticsearch:9200 \
--fleet-server-service-token=AbEAAdesYXN1abMvZmxlZXQtc2VldmVyL3Rva2VuLTE2MTkxMzg3MzIzMTg7dzEta0JDTmZUcGlDTjlwRmNVTjNVQQ \
--fleet-server-policy=a35fd520-26f5-11ec-8bd9-3374690g57b6Start {{agent}} with {{fleet-server}} (running on a custom CA). This example assumes you’ve generated the certificates with the following names:
ca.crt: Root CA certificatefleet-server.crt: {{fleet-server}} certificatefleet-server.key: {{fleet-server}} private keyelasticsearch-ca.crt: CA certificate to use to connect to {{es}}
elastic-agent enroll \
--url=https://fleet-server:8220 \
--fleet-server-es=https://elasticsearch:9200 \
--fleet-server-service-token=AAEBAWVsYXm0aWMvZmxlZXQtc2XydmVyL3Rva2VuLTE2MjM4OTAztDU1OTQ6dllfVW1mYnFTVjJwTC2ZQ0EtVnVZQQ \
--fleet-server-policy=a35fd520-26f5-11ec-8bd9-3374690g57b6 \
--certificate-authorities=/path/to/ca.crt \
--fleet-server-es-ca=/path/to/elasticsearch-ca.crt \
--fleet-server-cert=/path/to/fleet-server.crt \
--fleet-server-cert-key=/path/to/fleet-server.key \
--fleet-server-port=8220Then enroll another {{agent}} into the {{fleet-server}} started in the previous example:
elastic-agent enroll --url=https://fleet-server:8220 \
--enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== \
--certificate-authorities=/path/to/ca.crtReplace an {{agent}} enrolled in {{fleet-server}} with a specific agent ID and a replacement token:
elastic-agent enroll \
--url=https://fleet-server:8220 \
--enrollment-token=ENROLLMENT_TOKEN_HASH \
--id=MY_AGENT_ID \
--replace-token=REPLACEMENT_TOKEN_HASHShow help for a specific command.
elastic-agent help <command> [--help] [global-flags]command
: The name of the command.
--help
: Show help for the help command.
For more flags, see Global flags.
elastic-agent help enrollShow the current {{agent}} configuration. Use this command to verify and troubleshoot the configuration that {{agent}} is using, including variable substitution and the computed components model.
If no flags are specified, the command shows the full {{agent}} configuration. By default, variable substitution is not performed, and the raw configuration is displayed.
Use the --variables flag to enable variable substitution. The first set of computed variables are used when only the --variables flag is defined. This can prevent some of the dynamic providers like {{k8s}} and Docker from providing all the possible variables they could have discovered if given more time. Use the --variables-wait flag to specify an amount of time to wait for variable discovery before using the variables for the configuration.
Use the components subcommand to view the components model. Components represent individual processes running underneath {{agent}}, such as {{filebeat}} or {{endpoint-sec}}. Units represent discrete configuration units within a component, such as {{filebeat}} inputs or {{metricbeat}} modules.
elastic-agent inspect [--variables]
[--monitoring]
[--variables-wait <duration>]
[--help]
[global-flags]
elastic-agent inspect components [--show-config]
[--show-spec]
[--variables-wait <duration>]
[--help]
[<component_id>]
[<component_id>/<unit_id>]components
: Display the generated components model for the current configuration. Variable substitution is always performed when computing the components model and cannot be disabled. By default, only the first set of computed variables are used. Use the --variables-wait flag to allow more time for dynamic providers to discover variables.
This command accepts the following arguments and flags:
`<component_id>`
: Select a specific component by its ID. Only that component and all its units are returned. Use `elastic-agent inspect components` without an ID to see all available component IDs. Configuration for units is not shown by default; use `--show-config` to display it.
`<component_id>/<unit_id>`
: Select a specific unit inside a component by specifying both the component ID and unit ID separated by a forward slash. In this mode, the unit configuration is shown by default.
`--show-config`
: Display the configuration for all units. By default, unit configuration is hidden unless you select a specific unit using the `<component_id>/<unit_id>` format.
`--show-spec`
: Display the input/output runtime specification for a component. By default, the runtime specification is hidden.
`--variables-wait <duration>`
: Wait the specified amount of time for variable discovery before computing the components model. This is useful when using dynamic providers like {{k8s}} or Docker that may need additional time to discover all available variables.
--variables
: Render the configuration with variables substituted. When not specified, the raw configuration is displayed without variable substitution.
--monitoring
: Include the monitoring configuration in the output. This option implies --variables, as the monitoring configuration requires variable substitution.
--variables-wait <duration>
: Wait the specified amount of time for variable discovery before performing substitution. This is useful when using dynamic providers like {{k8s}} or Docker that may need additional time to discover all available variables. Implies --variables. For example, --variables-wait 30s.
--help
: Show help for the inspect command.
For more flags, see Global flags.
Show the raw {{agent}} configuration without variable substitution:
elastic-agent inspectShow the configuration with variables substituted:
elastic-agent inspect --variablesShow the configuration with variables substituted, waiting 30 seconds for dynamic providers to discover variables:
elastic-agent inspect --variables-wait 30sShow the configuration including monitoring settings:
elastic-agent inspect --monitoringDisplay all components:
elastic-agent inspect componentsDisplay all components with their unit configurations:
elastic-agent inspect components --show-configDisplay a specific component by ID:
elastic-agent inspect components log-defaultDisplay a specific component with its runtime specification:
elastic-agent inspect components log-default --show-specDisplay a specific unit inside a component:
elastic-agent inspect components log-default/log-defaultWait 30 seconds for dynamic providers before computing components:
elastic-agent inspect components --variables-wait 30sRun {{agent}} with full superuser privileges. This is the usual, default running mode for {{agent}}. The privileged command allows you to switch back to running an agent with full administrative privileges when you have been running it in unprivileged mode.
Refer to Run {{agent}} without administrative privileges for more detail.
elastic-agent privilegedInstall {{agent}} permanently on the system and manage it by using the system’s service manager. The agent will start automatically after installation is complete. On Linux (tar package), this command requires a system and service manager like systemd.
::::{important}
If you installed {{agent}} from a DEB or RPM package, the install command will skip the installation itself and function as an alias of the enroll command instead. After an upgrade of the {{agent}} using DEB or RPM the {{agent}} service needs to be restarted.
::::
You must run this command as the root user (or Administrator on Windows) to write files to the correct locations. This command overwrites the elastic-agent.yml file in the agent directory.
The syntax for running this command varies by platform. As well, various flavors of the agent install package are available, allowing you to control the installed package size on disk and the set of included components. For platform-specific examples and for details about the available flavors, refer to Install {{agent}}s.
To install the {{agent}} as a service, enroll it in {{fleet}}, and start the elastic-agent service:
elastic-agent install --url <string>
--enrollment-token <string>
[--base-path <string>]
[--ca-sha256 <string>]
[--certificate-authorities <string>]
[--daemon-timeout <duration>]
[--delay-enroll]
[--elastic-agent-cert <string>]
[--elastic-agent-cert-key <string>]
[--elastic-agent-cert-key-passphrase <string>]
[--force]
[--header <strings>]
[--help]
[--insecure ]
[--non-interactive]
[--privileged]
[--proxy-disabled]
[--proxy-header <strings>]
[--proxy-url <string>]
[--staging <string>]
[--tag <string>]
[--unprivileged]
[global-flags]To install the {{agent}} as a service, enroll it in {{fleet}}, and start a fleet-server process alongside the elastic-agent service:
elastic-agent install --fleet-server-es <string>
--fleet-server-service-token <string>
[--fleet-server-service-token-path <string>]
[--base-path <string>]
[--ca-sha256 <string>]
[--certificate-authorities <string>]
[--daemon-timeout <duration>]
[--delay-enroll]
[--elastic-agent-cert <string>]
[--elastic-agent-cert-key <string>]
[--elastic-agent-cert-key-passphrase <string>]
[--fleet-server-cert <string>] <1>
[--fleet-server-cert-key <string>]
[--fleet-server-cert-key-passphrase <string>]
[--fleet-server-client-auth <string>]
[--fleet-server-es-ca <string>]
[--fleet-server-es-ca-trusted-fingerprint <string>] <2>
[--fleet-server-es-cert <string>]
[--fleet-server-es-cert-key <string>]
[--fleet-server-es-insecure]
[--fleet-server-host <string>]
[--fleet-server-policy <string>]
[--fleet-server-port <uint16>]
[--fleet-server-timeout <duration>]
[--force]
[--header <strings>]
[--help]
[--non-interactive]
[--privileged]
[--proxy-disabled]
[--proxy-header <strings>]
[--proxy-url <string>]
[--staging <string>]
[--tag <string>]
[--unprivileged]
[--url <string>] <3>
[global-flags]- If no
fleet-server-cert*flags are specified, {{agent}} auto-generates a self-signed certificate with the hostname of the machine. Remote {{agent}}s enrolling into a {{fleet-server}} with self-signed certificates must specify the--insecureflag. - Required when using self-signed certificate on {{es}} side.
- Required when enrolling in a {{fleet-server}} with custom certificates. The URL must match the DNS name used to generate the certificate specified by
--fleet-server-cert.
For more information about custom certificates, refer to Configure SSL/TLS for self-managed {{fleet-server}}s.
--base-path <string>
: Install {{agent}} in a location other than the default. Specify the custom base path for the install.
The `--base-path` option is not currently supported with [{{elastic-defend}}](/solutions/security/configure-elastic-defend/install-elastic-defend.md).
--ca-sha256 <string>
: Comma-separated list of certificate authority hash pins used for certificate verification.
--certificate-authorities <string>
: Comma-separated list of root certificates used for server verification.
--daemon-timeout <duration>
: Timeout waiting for {{agent}} daemon.
--delay-enroll
: Delays enrollment to occur on first start of the {{agent}} service. This setting is useful when you don’t want the {{agent}} to enroll until the next reboot or manual start of the service, for example, when you’re preparing an image that includes {{agent}}.
--elastic-agent-cert
: Certificate to use as the client certificate for the {{agent}}'s connections to {{fleet-server}}.
--elastic-agent-cert-key
: Private key to use as for the {{agent}}'s connections to {{fleet-server}}.
--elastic-agent-cert-key-passphrase
: The path to the file that contains the passphrase for the mutual TLS private key that {{agent}} will use to connect to {{fleet-server}}. The file must only contain the characters of the passphrase, no newline or extra non-printing characters.
This option is only used if the `--elastic-agent-cert-key` is encrypted and requires a passphrase to use.
--enrollment-token <string>
: Enrollment token to use to enroll {{agent}} into {{fleet}}. You can use the same enrollment token for multiple agents.
--fleet-server-cert <string> {applies_to}serverless: unavailable
: Certificate to use for exposed {{fleet-server}} HTTPS endpoint.
--fleet-server-cert-key <string> {applies_to}serverless: unavailable
: Private key to use for exposed {{fleet-server}} HTTPS endpoint.
--fleet-server-cert-key-passphrase <string> {applies_to}serverless: unavailable
: Path to passphrase file for decrypting {{fleet-server}}'s private key if an encrypted private key is used.
--fleet-server-client-auth <string> {applies_to}serverless: unavailable
: One of none, optional, or required. Defaults to none. {{fleet-server}}'s client_authentication option for client mTLS connections. If optional, or required is specified, client certificates are verified using CAs specified in the --certificate-authorities flag.
--fleet-server-es <string> {applies_to}serverless: unavailable
: Start a {{fleet-server}} process when {{agent}} is started, and connect to the specified {{es}} URL.
--fleet-server-es-ca <string> {applies_to}serverless: unavailable
: Path to certificate authority file to use to communicate with {{es}}. This is an alternative to using --fleet-server-es-ca-trusted-fingerprint.
--fleet-server-es-ca-trusted-fingerprint <string> {applies_to}serverless: unavailable
: The SHA-256 fingerprint (hash) of a certificate authority that is present in the certificate chain sent by {{es}} during the TLS handshake. If this certificate is found in the chain, it will be added to the trusted CAs. This is an alternative to using --fleet-server-es-ca to provide a CA certificate file. For more information, refer to Using certificate fingerprints.
--fleet-server-es-cert {applies_to}serverless: unavailable
: The path to the client certificate that {{fleet-server}} will use when connecting to {{es}}.
--fleet-server-es-cert-key {applies_to}serverless: unavailable
: The path to the private key that {{fleet-server}} will use when connecting to {{es}}.
--fleet-server-es-insecure {applies_to}serverless: unavailable
: Allows fleet server to connect to {{es}} in the following situations:
* When connecting to an HTTP server.
* When connecting to an HTTPs server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.
When this flag is used the certificate verification is disabled.
--fleet-server-host <string> {applies_to}serverless: unavailable
: {{fleet-server}} HTTP binding host (overrides the policy).
--fleet-server-policy <string> {applies_to}serverless: unavailable
: Used when starting a self-managed {{fleet-server}} to allow a specific policy to be used.
--fleet-server-port <uint16> {applies_to}serverless: unavailable
: {{fleet-server}} HTTP binding port (overrides the policy).
--fleet-server-service-token <string> {applies_to}serverless: unavailable
: Service token to use for communication with {{es}}. Mutually exclusive with --fleet-server-service-token-path.
--fleet-server-service-token-path <string> {applies_to}serverless: unavailable
: Service token file to use for communication with {{es}}. Mutually exclusive with --fleet-server-service-token.
--fleet-server-timeout <duration> {applies_to}serverless: unavailable
: Timeout waiting for {{fleet-server}} to be ready to start enrollment.
--force
: Force overwrite of current configuration without prompting for confirmation. This flag is helpful when using automation software or scripted deployments.
::::{note}
If the {{agent}} is already installed on the host, using `--force` may result in unpredictable behavior with duplicate {{agent}}s appearing in {{fleet}}.
::::
--header <strings>
: Headers used in communication with elasticsearch.
--help
: Show help for the enroll command.
--insecure
: Allow the {{agent}} to connect to {{fleet-server}} over insecure connections. This setting is required in the following situations:
* When connecting to an HTTP server. The API keys are sent in clear text.
* When connecting to an HTTPs server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.
* When using self-signed certificates generated by {{agent}}.
We strongly recommend that you use a secure connection.
--non-interactive
: Install {{agent}} in a non-interactive mode. This flag is helpful when using automation software or scripted deployments. If {{agent}} is already installed on the host, the installation will terminate.
--privileged
: Run {{agent}} with full superuser privileges. This is the usual, default running mode for {{agent}}. The --privileged option allows you to switch back to running an agent with full administrative privileges when you have been running it in unprivileged.
See the --unprivileged option and Run {{agent}} without administrative privileges for more detail.
--proxy-disabled
: Disable proxy support including environment variables.
--proxy-header <strings>
: Proxy headers used with CONNECT request.
--proxy-url <string>
: Configures the proxy URL.
--staging <string>
: Configures agent to download artifacts from a staging build.
--tag <strings>
: A comma-separated list of tags to apply to {{fleet}}-managed {{agent}}s. You can use these tags to filter the list of agents in {{fleet}}.
::::{note}
Currently, there is no way to remove or edit existing tags. To change the tags, you must unenroll the {{agent}}, then re-enroll it using new tags.
::::
--unprivileged
: Run {{agent}} without full superuser privileges. This option is useful in organizations that limit root access on Linux or macOS systems, or admin access on Windows systems. For details and limitations for running {{agent}} in this mode, refer to Run {{agent}} without administrative privileges.
Changing to `unprivileged` mode is prevented if the agent is currently enrolled in a policy that includes an integration that requires administrative access, such as the {{elastic-defend}} integration.
{applies_to}`stack: preview` {applies_to}`serverless: preview` To run {{agent}} without superuser privileges as a pre-existing user or group, for instance under an Active Directory account, you can specify the user or group, and the password to use.
For example:
```shell
elastic-agent install --unprivileged --user="my.path\username" --password="mypassword"
```
```shell
elastic-agent install --unprivileged --group="my.path\groupname" --password="mypassword"
```
--url <string>
: {{fleet-server}} URL to use to enroll the {{agent}} into {{fleet}}.
For more flags, see Global flags.
Install the {{agent}} as a service, enroll it in {{fleet}}, and start the elastic-agent service:
elastic-agent install \
--url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 \
--enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ==Install the {{agent}} as a service, enroll it in {{fleet}}, and start a fleet-server process alongside the elastic-agent service:
elastic-agent install --fleet-server-es=http://elasticsearch:9200 \
--fleet-server-service-token=AbEAAdesYXN1abMvZmxlZXQtc2VldmVyL3Rva2VuLTE2MTkxMzg3MzIzMTg7dzEta0JDTmZUcGlDTjlwRmNVTjNVQQ \
--fleet-server-policy=a35fd620-26f6-11ec-8bd9-3374690f57b6Start {{agent}} with {{fleet-server}} (running on a custom CA). This example assumes you’ve generated the certificates with the following names:
ca.crt: Root CA certificatefleet-server.crt: {{fleet-server}} certificatefleet-server.key: {{fleet-server}} private keyelasticsearch-ca.crt: CA certificate to use to connect to {{es}}
elastic-agent install \
--url=https://fleet-server:8220 \
--fleet-server-es=https://elasticsearch:9200 \
--fleet-server-service-token=AAEBAWVsYXm0aWMvZmxlZXQtc2XydmVyL3Rva2VuLTE2MjM4OTAztDU1OTQ6dllfVW1mYnFTVjJwTC2ZQ0EtVnVZQQ \
--fleet-server-policy=a35fd520-26f5-11ec-8bd9-3374690g57b6 \
--certificate-authorities=/path/to/ca.crt \
--fleet-server-es-ca=/path/to/elasticsearch-ca.crt \
--fleet-server-cert=/path/to/fleet-server.crt \
--fleet-server-cert-key=/path/to/fleet-server.key \
--fleet-server-port=8220Then install another {{agent}} and enroll it into the {{fleet-server}} started in the previous example:
elastic-agent install --url=https://fleet-server:8220 \
--enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== \
--certificate-authorities=/path/to/ca.crtRun {{agent}} as an Elastic Distribution of OpenTelemetry Collector (EDOT Collector).
elastic-agent otel [flags]
elastic-agent otel [command]::::{note}
You can also run the ./otelcol command, which calls ./elastic-agent otel and passes any arguments to it.
::::
validate
: Validates the OpenTelemetry collector configuration without running the collector.
--config=file:/path/to/first --config=file:path/to/second
: Locations to the config file(s). Only a single location can be set per flag entry, for example --config=file:/path/to/first --config=file:path/to/second.
--feature-gates flag
: Comma-delimited list of feature gate identifiers. Prefix with - to disable the feature. Prefixing with + or no prefix will enable the feature.
-h, --help
: Get help for the otel sub-command. Use elastic-agent otel [command] --help for more information about a command.
--set string
: Set an arbitrary component config property. The component has to be defined in the configuration file and the flag has a higher precedence. Array configuration properties are overridden and maps are joined. For example, --set=processors::batch::timeout=2s.
Run {{agent}} as an EDOT Collector using the supplied otel.yml configuration file.
./elastic-agent otel --config otel.ymlChange the default verbosity setting in the {{agent}} EDOT Collector configuration from detailed to normal.
./elastic-agent otel --config otel.yml --set "exporters::debug::verbosity=normal"Restart the currently running {{agent}} daemon.
elastic-agent restart [--help] [global-flags]--help
: Show help for the restart command.
For more flags, see Global flags.
elastic-agent restartStart the elastic-agent process.
elastic-agent run [global-flags]These flags are valid whenever you run elastic-agent on the command line.
-c <string>
: The configuration file to use. If not specified, {{agent}} uses {path.config}/elastic-agent.yml.
--e
: Log to stderr and disable syslog/file output.
--environment <environmentVar>
: The environment in which the agent will run.
--path.config <string>
: The directory where {{agent}} looks for its configuration file. The default varies by platform.
--path.home <string>
: The root directory of {{agent}}. path.home determines the location of the configuration files and data directory.
If not specified, {{agent}} uses the current working directory.
--path.logs <string>
: Path to the log output for {{agent}}. The default varies by platform.
--v
: Set log level to INFO.
elastic-agent run -c myagentconfig.ymlReturns the current status of the running {{agent}} daemon and of each process in the {{agent}}. The last known status of the {{fleet}} server is also returned. The output option controls the level of detail and formatting of the information.
elastic-agent status [--output <string>]
[--help]
[global-flags]--output <string>
: Output the status information in either human (the default), full, json, or yaml. human returns limited information when {{agent}} is in the HEALTHY state. If any components or units are not in HEALTHY state, then full details are displayed for that component or unit. full, json and yaml always return the full status information. Components map to individual processes running underneath {{agent}}, for example {{filebeat}} or {{endpoint-sec}}. Units map to discrete configuration units within that process, for example {{filebeat}} inputs or {{metricbeat}} modules.
When the output is json or yaml, status codes are returned as numerical values. The status codes can be mapped using the following table:
| Code | Status |
|---|---|
| 0 | STARTING |
| 1 | CONFIGURING |
| 2 | HEALTHY |
| 3 | DEGRADED |
| 4 | FAILED |
| 5 | STOPPING |
| 6 | UPGRADING |
| 7 | ROLLBACK |
--help
: Show help for the status command.
For more flags, see Global flags.
elastic-agent statusPermanently uninstall {{agent}} from the system.
You must run this command as the root user (or Administrator on Windows) to remove files.
::::{important}
Be sure to run the uninstall command from a directory outside of where {{agent}} is installed.
For example, on a Windows system the install location is C:\Program Files\Elastic\Agent. Run the uninstall command from C:\Program Files\Elastic or \tmp, or even your default home directory:
C:\"Program Files"\Elastic\Agent\elastic-agent.exe uninstall::::
:::::::{tab-set}
::::::{tab-item} macOS ::::{tip} You must run this command as the root user. ::::
sudo /Library/Elastic/Agent/elastic-agent uninstall::::::
::::::{tab-item} Linux ::::{tip} You must run this command as the root user. ::::
sudo /opt/Elastic/Agent/elastic-agent uninstall::::::
::::::{tab-item} Windows Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
From the PowerShell prompt, run:
C:\"Program Files"\Elastic\Agent\elastic-agent.exe uninstall::::::
:::::::
elastic-agent uninstall [--force] [--help] [global-flags]--force
: Uninstall {{agent}} and do not prompt for confirmation. This flag is helpful when using automation software or scripted deployments.
--skip-fleet-audit
: Skip auditing with the {{fleet-server}}.
--help
: Show help for the uninstall command.
For more flags, see Global flags.
elastic-agent uninstallRun {{agent}} without full superuser privileges. This is useful in organizations that limit root access on Linux or macOS systems, or admin access on Windows systems. For details and limitations for running {{agent}} in this mode, refer to Run {{agent}} without administrative privileges.
Changing a running {{agent}} to unprivileged mode is prevented if the agent is currently enrolled with a policy that contains the {{elastic-defend}} integration.
{applies_to}stack: preview {applies_to}serverless: preview To run {{agent}} without superuser privileges as a pre-existing user or group, for instance under an Active Directory account, add either a --user or --group parameter together with a --password parameter.
Run {{agent}} without administrative privileges:
elastic-agent unprivileged{applies_to}stack: preview {applies_to}serverless: preview Run {{agent}} without administrative privileges, as a pre-existing user:
elastic-agent unprivileged --user="my.pathl\username" --password="mypassword"{applies_to}stack: preview {applies_to}serverless: preview Run {{agent}} without administrative privileges, as a pre-existing group:
elastic-agent unprivileged --group="my.pathl\groupname" --password="mypassword"Upgrade the currently running {{agent}} to the specified version. This should only be used with agents running in standalone mode. Agents enrolled in {{fleet}} should be upgraded through {{fleet}}.
elastic-agent upgrade <version> [--source-uri <string>] [--help] [flags]version
: The version of {{agent}} to upgrade to.
--source-uri <string>
: The source URI to download the new version from. By default, {{agent}} uses the Elastic Artifacts URL.
--skip-verify
: Skip the package verification process. This option is not recommended as it is insecure.
--pgp-path <string>
: Use a locally stored copy of the PGP key to verify the upgrade package.
--pgp-uri <string>
: Use the specified online PGP key to verify the upgrade package.
--help
: Show help for the upgrade command.
For details about using the --skip-verify, --pgp-path <string>, and --pgp-uri <string> package verification options, refer to Verifying {{agent}} package signatures.
For more flags, see Global flags.
elastic-agent upgrade 7.10.1Show the logs of the running {{agent}}.
elastic-agent logs [--follow] [--number <int>] [--component <string>] [--no-color] [--help] [global-flags]--follow or -f
: Follow log updates until the command is interrupted (for example with Ctrl-C).
--number <int> or -n <int>
: How many lines of logs to print. If logs following is enabled, affects the initial output.
--component <string> or -C <string>
: Filter logs based on the component name.
--no-color
: Disable color based on log-level of each entry.
--help
: Show help for the logs command.
For more flags, see Global flags.
elastic-agent logs -n 100 -f -C "system/metrics-default"Show the version of {{agent}}.
elastic-agent version [--help] [global-flags]--help
: Show help for the version command.
For more flags, see Global flags.
elastic-agent version