APM input settings

Configure and customize APM integration settings directly in Kibana:

  1. Open Kibana and navigate to Fleet.
  2. Under the Agent policies tab, select the policy you would like to configure.
  3. Find the Elastic APM integration and select Actions > Edit integration.

General settings

Host

(text) Defines the host and port the server is listening on.

Use "unix:/path/to.sock" to listen on a Unix domain socket.

Default: localhost:8200

URL

The publicly reachable server URL. For deployments on Elastic Cloud or ECK, the default is unchangeable.

Maximum size of a request’s header

(int) Maximum permitted size of a request’s header accepted by the server to be processed (in Bytes).

Default: 1048576 Bytes

Idle time before underlying connection is closed

(text) Maximum amount of time to wait for the next incoming request before the underlying connection is closed.

Default: 45s (45 seconds)

Maximum duration for reading an entire request

(text) Maximum permitted duration for reading an entire request.

Default: 3600s (3600 seconds)

Maximum duration before releasing resources when shutting down

(text) Maximum duration in seconds before releasing resources when shutting down the server.

Default: 30s (30 seconds)

Maximum size per event

(int) Maximum permitted size of an event accepted by the server to be processed (in Bytes).

Default: 307200 Bytes

Simultaneously accepted connections

(int) Maximum number of TCP connections to accept simultaneously. 0 means unlimited.

Default: 0 (unlimited)

Custom HTTP response headers

(text) Custom HTTP headers to add to HTTP responses. Useful for security policy compliance.

Capture personal data

(bool) Capture personal data such as IP or User Agent. If true, APM Server captures the IP of the instrumented service and its User Agent if any.

Default: true

Default Service Environment

(text) The default service environment for events without a defined service environment.

Default: none

Enable APM Server Golang expvar support

(bool) When set to true, the server exposes Golang expvar under /debug/vars.

Default: false

Real User Monitoring (RUM) settings

Enable RUM

(bool) Enables and disables Real User Monitoring (RUM).

Default: false (disabled)

Allowed Origins

(text) A list of permitted origins for RUM support. User-agents send an Origin header that will be validated against this list. This is done automatically by modern browsers as part of the CORS specification. An origin is made of a protocol scheme, host and port, without the URL path.

Default: ["*"] (allows everything)

Access-Control-Allow-Headers

(text) By default, HTTP requests made from the RUM agent to the APM integration are limited in the HTTP headers they are allowed to have. If any other headers are added, the request will be rejected by the browser due to Cross-Origin Resource Sharing (CORS) restrictions. If you need to add extra headers to these requests, use this configuration to allow additional headers.

The default list of values includes "Content-Type", "Content-Encoding", and "Accept". Configured values are appended to the default list and used as the value for the Access-Control-Allow-Headers header.

Custom HTTP response headers

(text) Custom HTTP headers to add to RUM responses. For example, for security policy compliance. Headers set here are in addition to those set in the "Custom HTTP response headers", but only apply to RUM responses.

Default: none

Library Frame Pattern

(text) RegExp to be matched against a stack trace frame’s file_name and abs_path attributes. If the RegExp matches, the stack trace frame is considered to be a library frame. When source mapping is applied, the error.culprit is set to reflect the function and the filename of the first non-library frame. This aims to provide an entry point for identifying issues.

Default: "node_modules|bower_components|~"

Exclude from grouping

(text) RegExp to be matched against a stack trace frame’s file_name. If the RegExp matches, the stack trace frame is excluded from being used for calculating error groups.

Default: "^/webpack" (excludes stack trace frames that have a filename starting with /webpack)

TLS settings

Enable TLS

(bool) Enable TLS.

Default: false

File path to server certificate

(text) The path to the file containing the certificate for server authentication. Required when TLS is enabled.

Default: none

File path to server certificate key

(text) The path to the file containing the Server certificate key. Required when TLS is enabled.

Default: none

Supported protocol versions

(array) A list of allowed TLS protocol versions.

Default: ["TLSv1.1", "TLSv1.2", "TLSv1.3"]

Cipher suites for TLS connections

(text) The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list.

Curve types for ECDHE based cipher suites

(text) The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).

Default: none

Agent authorization settings

API key for agent authentication

(bool) Enable or disable API key authorization between APM Server and APM agents.

Default: false (disabled)

Number of keys

(int) Each unique API key triggers one request to Elasticsearch. This setting restricts the number of unique API keys allowed per minute. The minimum value for this setting should be the number of API keys configured in your monitored services.

Default: 100

Secret token

(text) Authorization token for sending APM data. The same token must also be set in each APM agent. This token is not used for RUM endpoints.

Default: No secret token set

Anonymous Agent access

(bool) Enable or disable anonymous authentication. RUM agents do not support authentication, so disabling anonymous access will effectively disable RUM agents.

Default: true (enabled)

Allowed Anonymous agents

(array) A list of permitted APM agent names for anonymous authentication. Names in this list must match the agent’s agent.name.

Default: [rum-js, js-base, iOS/swift] (only RUM and iOS/Swift agent events are accepted)

Allowed Anonymous services

(array) A list of permitted service names for anonymous authentication. Names in this list must match the agent’s service.name. This can be used to limit the number of service-specific indices or data streams created.

Default: Not set (any service name is accepted)

Anonymous Rate limit (IP limit)

(int) The number of unique IP addresses to track in a least recently used (LRU) cache. IP addresses in the cache will be rate limited according to the anonymous_rate_limit_event_limit setting. Consider increasing this default if your application has many concurrent clients.

Default: 10000

Anonymous Event rate limit (event limit)

(int) The maximum number of events allowed to be sent to the APM Server anonymous auth endpoint per IP per second.

Default: 10
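
How the anonymous-access settings above combine, as an added example (a simplified model written for this page, not APM Server code). The class name, the fixed one-second window and the rule that an evicted IP loses its counter are assumptions; the page does not describe the server's eviction or burst handling.

```python
from collections import OrderedDict

class AnonymousGate:
    """Simplified model of the anonymous-access settings; not APM Server code."""

    def __init__(self, allowed_agents=("rum-js", "js-base", "iOS/swift"),
                 allowed_services=None, ip_limit=10000, event_limit=10):
        self.allowed_agents = set(allowed_agents)
        # None models "Not set": any service name is accepted.
        self.allowed_services = set(allowed_services) if allowed_services else None
        self.ip_limit = ip_limit        # Anonymous Rate limit (IP limit)
        self.event_limit = event_limit  # Anonymous Event rate limit, per IP per second
        self.tracked = OrderedDict()    # ip -> (window_second, events_in_window)

    def check(self, ip, agent_name, service_name, now):
        """Return 'ok' or the reason an anonymous event is refused."""
        if agent_name not in self.allowed_agents:
            return "agent not allowed"
        if self.allowed_services is not None and service_name not in self.allowed_services:
            return "service not allowed"
        second = int(now)
        # Assumption: an IP that is not tracked (new or evicted) starts at zero.
        window, count = self.tracked.pop(ip, (second, 0))
        if window != second:            # assumption: fixed one-second windows
            window, count = second, 0
        if count >= self.event_limit:
            self.tracked[ip] = (window, count)
            return "rate limited"
        self.tracked[ip] = (window, count + 1)  # re-insert as most recently used
        if len(self.tracked) > self.ip_limit:
            self.tracked.popitem(last=False)    # evict the least recently used IP
        return "ok"
```

In this model, an IP limit smaller than the number of concurrently active clients evicts counters before the second ends, so the per-IP event limit is no longer enforced for those clients; this is the sizing concern behind the advice to raise the IP limit.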

Tail-based sampling

Top-level tail-based sampling settings:

Enable Tail-based sampling

(bool) Enable and disable tail-based sampling.

Default: false

Interval

(duration) Synchronization interval for multiple APM Servers. Should be in the order of tens of seconds or low minutes.

Default: 1m

Policies

([]policy) Criteria used to match a root transaction to a sample rate. Order is important; the first policy on the list that an event matches is the winner. Each policy list must conclude with a default policy that only specifies a sample rate. The default policy is used to catch remaining trace events that don’t match a stricter policy.

Required when tail-based sampling is enabled.

Policy settings:

Sample rate

sample_rate

(int) The sample rate to apply to trace events matching this policy. Required in each policy.

The sample rate must be greater than 0 and less than or equal to 1. For example, a sample_rate of 0.01 means that 1% of trace events matching the policy will be sampled. A sample_rate of 1 means that 100% of trace events matching the policy will be sampled.

Trace name

trace.name

(string) The trace name for events to match a policy. A match occurs when the configured trace.name matches the transaction.name of the root transaction of a trace. A root transaction is any transaction without a parent.id.

Trace outcome

trace.outcome

(string) The trace outcome for events to match a policy. A match occurs when the configured trace.outcome matches a trace’s event.outcome field. Trace outcome can be success, failure, or unknown.

Service name

service.name

(string) The service name for events to match a policy.

Service Environment

service.environment

(string) The service environment for events to match a policy.
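
The policy rules above (first match wins, a closing default policy, sample_rate greater than 0 and at most 1), as an added example that is not APM Server code. The function names, the flat event keys and the exact-string comparison are assumptions; the sample policies are constructed. It also flags policies that can never be selected because an earlier, broader policy always matches first.

```python
# Added illustration of the policy rules above; not APM Server code.
# Assumption: criteria are compared by exact string equality.

def criteria(policy):
    """Match criteria of a policy: every key except sample_rate."""
    return {k: v for k, v in policy.items() if k != "sample_rate"}

def validate_policies(policies):
    """Return a list of problems; an empty list means the list is usable."""
    if not policies:
        return ["policies are required when tail-based sampling is enabled"]
    problems = []
    for i, p in enumerate(policies):
        rate = p.get("sample_rate")
        is_number = isinstance(rate, (int, float)) and not isinstance(rate, bool)
        if not is_number or not 0 < rate <= 1:
            problems.append(f"policy {i}: sample_rate must be > 0 and <= 1")
        # An earlier policy whose criteria are a subset of this one's always
        # wins first, so this policy can never be selected.
        for j in range(i):
            if criteria(policies[j]).items() <= criteria(p).items():
                problems.append(f"policy {i}: unreachable, shadowed by policy {j}")
                break
    if criteria(policies[-1]):
        problems.append("last policy must be a default with only sample_rate")
    return problems

def matching_policy(policies, root):
    """(index, sample_rate) of the first policy matching a root transaction."""
    observed = {
        "trace.name": root.get("transaction.name"),   # per the Trace name text
        "trace.outcome": root.get("event.outcome"),   # per the Trace outcome text
        "service.name": root.get("service.name"),
        "service.environment": root.get("service.environment"),
    }
    for i, p in enumerate(policies):
        if all(observed.get(k) == v for k, v in criteria(p).items()):
            return i, p["sample_rate"]
    return None  # only possible when the list lacks a default policy

# Constructed sample policy list (service names are made up).
POLICIES = [
    {"service.name": "checkout", "trace.outcome": "failure", "sample_rate": 1},
    {"service.name": "checkout", "sample_rate": 0.5},
    {"service.environment": "production", "sample_rate": 0.1},
    {"sample_rate": 0.01},  # default policy
]
```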