From 8b0a7b9025b4bd46e7b1d1b16c203c8bd2c6ac62 Mon Sep 17 00:00:00 2001 From: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com> Date: Wed, 24 Jan 2024 09:19:04 -0500 Subject: [PATCH] Add docs to configure remote ES output (#850) (cherry picked from commit 77340287413f384577574d70ba9a53a75f191ff2) --- ...eet-settings-remote-elasticsearch.asciidoc | 62 +++++++++++++++++++ .../fleet/fleet-settings.asciidoc | 1 + .../fleet/monitor-elastic-agent.asciidoc | 48 +------------- docs/en/ingest-management/index.asciidoc | 2 + 4 files changed, 66 insertions(+), 47 deletions(-) create mode 100644 docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc diff --git a/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc b/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc new file mode 100644 index 000000000..a8b7942d3 --- /dev/null +++ b/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc 
@@ -0,0 +1,62 @@ +:type: output-elasticsearch-fleet-settings + +[[remote-elasticsearch-output]] += Remote {es} output + +Beginning in version 8.12.0, you can send {agent} data to a remote {es} cluster. This is especially useful for data that you want to keep separate and independent from the deployment where you use {fleet} to manage the agents. + +A remote {es} cluster supports the same <> as your main {es} cluster. + +To configure a remote {es} cluster for your {agent} data: + +. In {kib}, go to **Management -> {fleet} -> Settings**. + +. In the **Outputs** section, select **Add output**. + +. In the **Add new output** flyout, provide a name for the output and select **Remote Elasticsearch** as the output type. + +. In the **Hosts** field, add the URL that agents should use to access the remote {es} cluster. + +.. To find the remote host address, in the remote cluster open {kib} and go to **Management -> {fleet} -> Settings**. + +.. Copy the **Hosts** value for the default output. + +.. Back in your main cluster, paste the value you copied into the output **Hosts** field. + +. Create a service token to access the remote cluster. + +.. Below the **Service Token** field, copy the API request. + +.. In the remote cluster, open the {kib} menu and go to **Management -> Dev Tools**. + +.. Run the API request. + +.. Copy the value for the generated token. + +.. Back in your main cluster, paste the value you copied into the output **Service Token** field. ++ +NOTE: To prevent unauthorized access the {es} Service Token is stored as a secret value. While secret storage is recommended, you can choose to override this setting and store the password as plain text in the agent policy definition. Secret storage requires {fleet-server} version 8.12 or higher. This setting can also be stored as a secret value or as plain text for preconfigured outputs. 
See {kibana-ref}/fleet-settings-kb.html#_preconfiguration_settings_for_advanced_use_cases[Preconfiguration settings] in the {kib} Guide to learn more. + +. Choose whether or not the remote output should be the default for agent integrations or for agent monitoring data. When set, {agent}s use this output to send data if no other output is set in the <>. + +. Select which <> you'd prefer in order to optimize {agent} for throughput, scale, or latency, or leave the default `balanced` setting. + +. Add any <> that you'd like for the output. + +. Click **Save and apply settings**. + +After the output is created, you can update an {agent} policy to use the new remote {es} cluster: + +. In {kib}, go to **Management -> {fleet} -> Agent policies**. + +. Click the agent policy to edit it, then click **Settings**. + +. To send integrations data, set the **Output for integrations** option to use the output that you configured in the previous steps. + +. To send {agent} monitoring data, set the **Output for agent monitoring** option to use the output that you configured in the previous steps. + +. Click **Save changes**. + +The remote {es} cluster is now configured. + +As a final step before using the remote {es} output, you need to make sure that for any integrations that have been <>, the integration assets have been installed on the remote {es} cluster. Refer to <> for the steps. diff --git a/docs/en/ingest-management/fleet/fleet-settings.asciidoc b/docs/en/ingest-management/fleet/fleet-settings.asciidoc index d5ff0d5a5..b54fa3bf0 100644 --- a/docs/en/ingest-management/fleet/fleet-settings.asciidoc +++ b/docs/en/ingest-management/fleet/fleet-settings.asciidoc @@ -90,6 +90,7 @@ The **Add new output** UI opens. * <> * <> * <> +* <> . Click **Save and apply settings**. diff --git a/docs/en/ingest-management/fleet/monitor-elastic-agent.asciidoc b/docs/en/ingest-management/fleet/monitor-elastic-agent.asciidoc index 2397a6583..f286aa9fd 100644 
--- a/docs/en/ingest-management/fleet/monitor-elastic-agent.asciidoc +++ b/docs/en/ingest-management/fleet/monitor-elastic-agent.asciidoc 
@@ -238,53 +238,7 @@ To turn off agent monitoring when creating a new agent policy: You may want to store all of the health and status data about your {agents} in a remote {es} cluster, so that it's separate and independent from the deployment where you use {fleet} to manage the agents. -To configure a remote {es} cluster for your {agent} monitoring data: - -. In {kib}, go to **Management -> {fleet} -> Settings**. - -. In the **Outputs** section, select **Add output**. - -. In the **Add new output** flyout, provide a name for the output and select **Remote Elasticsearch** as the output type. - -. In the **Hosts** field, add the URL that agents should use to access the remote {es} cluster. - -.. To find the remote host address, in the remote cluster open {kib} and go to **Management -> {fleet} -> Settings**. - -.. Copy the **Hosts** value for the default output. - -.. Back in your main cluster, paste the value you copied into the output **Hosts** field. - -. Create a service token to access the remote cluster. - -.. Below the **Service Token** field, copy the API request. - -.. In the remote cluster, open the {kib} menu and go to **Management -> Dev Tools**. - -.. Run the API request. - -.. Copy the value for the generated token. - -.. Back in your main cluster, paste the value you copied into the output **Service Token** field. -+ -NOTE: To prevent unauthorized access the {es} Service Token is stored as a secret value. While secret storage is recommended, you can choose to override this setting and store the password as plain text in the agent policy definition. Secret storage requires {fleet-server} version 8.12 or higher. This setting can also be stored as a secret value or as plain text for preconfigured outputs. See {kibana-ref}/fleet-settings-kb.html#_preconfiguration_settings_for_advanced_use_cases[Preconfiguration settings] in the {kib} Guide to learn more. - -. Choose whether or not the remote output should be the default for agent monitoring. 
When set, {agent}s use this output to send data if no other output is set in the <>. - -. Add any <> that you'd like for the output. - -. Click **Save and apply settings**. - -After the output is created, you can update an {agent} policy to use the new remote {es} cluster: - -. In {kib}, go to **Management -> {fleet} -> Agent policies**. - -. Click the agent policy to edit it, then click **Settings**. - -. Set the **Output for agent monitoring** option to use the output that you configured in the previous steps. - -. Click **Save changes**. - -The remote {es} cluster is now configured. +To do so, follow the steps in <>. After the new output is configured, follow the steps to update the {agent} policy and make sure that the **Output for agent monitoring** setting is enabled. {agent} monitoring data will use the remote {es} output that you configured. [discrete] [[fleet-alerting]] diff --git a/docs/en/ingest-management/index.asciidoc b/docs/en/ingest-management/index.asciidoc index 0671e4d49..00cbac809 100644 --- a/docs/en/ingest-management/index.asciidoc +++ b/docs/en/ingest-management/index.asciidoc @@ -121,6 +121,8 @@ include::fleet/fleet-settings-output-logstash.asciidoc[leveloffset=+3] include::fleet/fleet-settings-output-kafka.asciidoc[leveloffset=+3] +include::fleet/fleet-settings-remote-elasticsearch.asciidoc[leveloffset=+3] + include::fleet/fleet-manage-agents.asciidoc[leveloffset=+2] include::fleet/unenroll-elastic-agent.asciidoc[leveloffset=+3]
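Review bot: In the NOTE under the service token step of the new fleet-settings-remote-elasticsearch.asciidoc, the credential changes name mid-note. The first sentence refers to the {es} Service Token and the second says "store the password as plain text", which reads as if a second credential were involved. Suggest "store the token as plain text" so the note names one credential throughout, and add a comma after "To prevent unauthorized access". Also in this file, the paragraph about installing integration assets on the remote cluster follows "The remote {es} cluster is now configured.", so a reader may stop before that required step. Consider moving it ahead of that sentence.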
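Review bot: In the replacement paragraph in monitor-elastic-agent.asciidoc, "make sure that the **Output for agent monitoring** setting is enabled" describes a toggle, but the steps this hunk removes, and the matching step in the new page, say to set the **Output for agent monitoring** option to use the output that you configured. It selects an output and is not switched on or off. Suggest wording such as "make sure that **Output for agent monitoring** is set to the remote output you created". Since the shared procedure now also covers **Output for integrations**, a short clause saying that only the monitoring output needs to change for this use case would keep the section self-explanatory.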