Command referenceedit

Elastic Agent provides commands for running Elastic Agent, managing Fleet Server, and doing common tasks:

You might need to log in as a root user (or Administrator on Windows) to run these commands.


elastic-agent enrolledit

Enroll the Elastic Agent in Fleet.

Use this command to enroll the Elastic Agent in Fleet without installing the agent as a service. You will need to do this if you installed the Elastic Agent from a DEB or RPM package and plan to use systemd commands to start and manage the service. This command is also useful for testing Elastic Agent prior to installing it.

If you’ve already installed Elastic Agent, use this command to modify the settings that Elastic Agent runs with.

To enroll an Elastic Agent and install it as a service, use the install command instead. Installing as a service is the most common scenario.

We recommend that you run the enroll (or install) command as the root user because some integrations require root privileges to collect sensitive data. This command overwrites the elastic-agent.yml file in the agent directory.

This command includes optional flags to set up Fleet Server.

This command enrolls the Elastic Agent in Fleet; it does not start the agent. To start the agent, either start the service, if one exists, or use the run command to start the agent from a terminal.

Synopsisedit

To enroll the Elastic Agent in Fleet:

elastic-agent enroll --url <string>
                     --enrollment-token <string>
                     [--ca-sha256 <string>]
                     [--certificate-authorities <string>]
                     [--force]
                     [--help]
                     [--insecure ]
                     [global-flags]

To enroll the Elastic Agent in Fleet and set up Fleet Server:

elastic-agent enroll --fleet-server-es <string>
                     --fleet-server-service-token <string>
                     [--ca-sha256 <string>]
                     [--certificate-authorities <string>]
                     [--fleet-server-cert <string>] 
                     [--fleet-server-cert-key <string>]
                     [--fleet-server-es-ca <string>]
                     [--fleet-server-host <string>]
                     [--fleet-server-insecure-http]
                     [--fleet-server-policy <string>]
                     [--fleet-server-port <uint16>]
                     [--force]
                     [--help]
                     [--insecure ]
                     [global-flags]

If no fleet-server-cert* flags are specified, Elastic Agent auto-generates a self-signed certificate with the hostname of the machine. Remote Elastic Agents enrolling into a Fleet Server with self-signed certificates must specify the insecure flag.

Optionsedit

--ca-sha256 <string>
Comma-separated list of certificate authority hash pins used for certificate verification.
--certificate-authorities <string>
Comma-separated list of root certificates used for server verification.
--enrollment-token <string>
Enrollment token to use to enroll Elastic Agent into Fleet. You can use the same enrollment token for multiple agents.
--fleet-server-cert <string>
Certificate to use for exposed Fleet Server HTTPS endpoint.
--fleet-server-cert-key <string>
Private key to use for exposed Fleet Server HTTPS endpoint.
--fleet-server-es <string>
Start a Fleet Server process when Elastic Agent is started, and connect to the specified Elasticsearch URL.
--fleet-server-es-ca <string>
Path to certificate authority to use to communicate with Elasticsearch.
--fleet-server-host <string>
Fleet Server HTTP binding host (overrides the policy).
--fleet-server-insecure-http
Expose Fleet Server over HTTP. This option is not recommended because it’s insecure. It’s useful during development and testing, but should not be used in production. When using this option, you should bind Fleet Server to the local host (this is the default).
--fleet-server-policy <string>
Used when starting a self-managed Fleet Server to allow a specific policy to be used, instead of the Default Fleet Server policy.
--fleet-server-port <uint16>
Fleet Server HTTP binding port (overrides the policy).
--fleet-server-service-token <string>
Service token to use for communication with Elasticsearch.
--force
Force overwrite of current configuration without prompting for confirmation. This flag is helpful when using automation software or scripted deployments.
--help
Show help for the enroll command.
--insecure

Allow insecure connections to Fleet Server. This setting is required in the following situations:

  • When connecting to an HTTP server. The API keys are sent in clear text.
  • When connecting to an HTTPs server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.

We strongly recommend that you use a secure connection.

--url <string>
Fleet Server URL to use to enroll the Elastic Agent into Fleet.

For more flags, see Global flags.

Examplesedit

Enroll the Elastic Agent in Fleet:

elastic-agent enroll -f \
  --url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 \
  --enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ==

Enroll the Elastic Agent in Fleet and start Fleet Server:

elastic-agent enroll -f --fleet-server-es=http://elasticsearch:9200 \
  --fleet-server-service-token=AbEAAdesYXN1abMvZmxlZXQtc2VldmVyL3Rva2VuLTE2MTkxMzg3MzIzMTg7dzEta0JDTmZUcGlDTjlwRmNVTjNVQQ

Start Elastic Agent with Fleet Server (running on a custom CA). This example assumes you’ve generated the certificates with the following names:

  • ca.crt: Root CA certificate
  • fleet-server.crt: Fleet Server certificate
  • fleet-server.key: Fleet Server private key
elastic-agent enroll -f --fleet-server-es=https://elasticsearch:9200 \
  --fleet-server-es-ca=ca.crt --fleet-server-service-token=AbEAAdesYXN1abMvZmxlZXQtc2VldmVyL3Rva2VuLTE2MTkxMzg3MzIzMTg7dzEta0JDTmZUcGlDTjlwRmNVTjNVQQ \
  --fleet-server-cert fleet-server.crt --fleet-server-cert-key fleet-server.key

Then enroll another Elastic Agent into the Fleet Server started in the previous example:

elastic-agent enroll -f --url https://fleet-server-host:8220 \
  --enrollment-token NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ==
  --certificate-authorities root.ca

elastic-agent helpedit

Show help for a specific command.

Synopsisedit

elastic-agent help <command> [--help] [global-flags]

Optionsedit

command
The name of the command.
--help
Show help for the help command.

For more flags, see Global flags.

Exampleedit

elastic-agent help enroll

elastic-agent inspectedit

Show the current Elastic Agent configuration.

If no parameters are specified, shows the full Elastic Agent configuration.

Synopsisedit

elastic-agent inspect [--help] [global-flags]
elastic-agent inspect output [--output <string>]
                             [--program <string>]
                             [--help]
                             [global-flags]

Optionsedit

output

Display the current configuration for the output. This command accepts additional flags:

--output <string>
The name of the output to inspect.
--program <string>
The type of program to inspect. For example, filebeat. This option must be combined with --output.
--help
Show help for the inspect command.

For more flags, see Global flags.

Examplesedit

elastic-agent inspect
elastic-agent inspect output --output default
elastic-agent inspect output --output default --program filebeat

elastic-agent installedit

Install Elastic Agent permanently on the system and manage it by using the system’s service manager. The agent will start automatically after installation is complete. On Linux (tar package), this command requires a system and service manager like systemd.

If you installed Elastic Agent from a DEB or RPM package, use the enroll command instead of install. The DEB and RPM packages include a service unit for Linux systems with systemd.

You must run this command as the root user (or Administrator on Windows) to write files to the correct locations. This command overwrites the elastic-agent.yml file in the agent directory.

Synopsisedit

To install the Elastic Agent as a service, enroll it in Fleet, and start the elastic-agent service:

elastic-agent install [--ca-sha256 <string>]
                      [--certificate-authorities <string>]
                      [--enrollment-token <string>]
                      [--force]
                      [--help]
                      [--insecure ]
                      [--url string]
                      [global-flags]

To install the Elastic Agent as a service, enroll it in Fleet, and start a fleet-server process alongside the elastic-agent service:

elastic-agent install [--ca-sha256 <string>]
                     [--certificate-authorities <string>]
                     [--fleet-server-cert <string>]
                     [--fleet-server-cert-key <string>]
                     [--fleet-server-es <string>]
                     [--fleet-server-es-ca <string>]
                     [--fleet-server-host <string>]
                     [--fleet-server-insecure-http]
                     [--fleet-server-policy <string>]
                     [--fleet-server-port <uint16>]
                     [--fleet-server-service-token <string>]
                     [--force]
                     [--help]
                     [--insecure ]
                     [global-flags]

Optionsedit

--ca-sha256 <string>
Comma-separated list of certificate authority hash pins used for certificate verification.
--certificate-authorities <string>
Comma-separated list of root certificates used for server verification.
--enrollment-token <string>
Enrollment token to use to enroll Elastic Agent into Fleet. You can use the same enrollment token for multiple agents.
--fleet-server-cert <string>
Certificate to use for exposed Fleet Server HTTPS endpoint.
--fleet-server-cert-key <string>
Private key to use for exposed Fleet Server HTTPS endpoint.
--fleet-server-es <string>
Start a Fleet Server process when Elastic Agent is started, and connect to the specified Elasticsearch URL.
--fleet-server-es-ca <string>
Path to certificate authority to use to communicate with Elasticsearch.
--fleet-server-host <string>
Fleet Server HTTP binding host (overrides the policy).
--fleet-server-insecure-http
Expose Fleet Server over HTTP. This option is not recommended because it’s insecure. It’s useful during development and testing, but should not be used in production. When using this option, you should bind Fleet Server to the local host (this is the default).
--fleet-server-policy <string>
Used when starting a self-managed Fleet Server to allow a specific policy to be used, instead of the Default Fleet Server policy.
--fleet-server-port <uint16>
Fleet Server HTTP binding port (overrides the policy).
--fleet-server-service-token <string>
Service token to use for communication with Elasticsearch.
--force
Force overwrite of current configuration without prompting for confirmation. This flag is helpful when using automation software or scripted deployments.
--help
Show help for the enroll command.
--insecure

Allow insecure connections to Fleet Server. This setting is required in the following situations:

  • When connecting to an HTTP server. The API keys are sent in clear text.
  • When connecting to an HTTPs server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.

We strongly recommend that you use a secure connection.

--url <string>
Fleet Server URL to use to enroll the Elastic Agent into Fleet.

For more flags, see Global flags.

Examplesedit

Install the Elastic Agent as a service, enroll it in Fleet, and start the elastic-agent service:

elastic-agent install -f \
  --url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 \
  --enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ==

Install the Elastic Agent as a service, enroll it in Fleet, and start a fleet-server process alongside the elastic-agent service:

elastic-agent install -f --fleet-server-es=http://elasticsearch:9200 \
  --fleet-server-service-token=AbEAAdesYXN1abMvZmxlZXQtc2VldmVyL3Rva2VuLTE2MTkxMzg3MzIzMTg7dzEta0JDTmZUcGlDTjlwRmNVTjNVQQ

Start Elastic Agent with Fleet Server (running on a custom CA). This example assumes you’ve generated the certificates with the following names:

  • ca.crt: Root CA certificate
  • fleet-server.crt: Fleet Server certificate
  • fleet-server.key: Fleet Server private key
elastic-agent install -f --fleet-server-es=https://elasticsearch:9200 \
  --fleet-server-es-ca=ca.crt --fleet-server-service-token=AbEAAdesYXN1abMvZmxlZXQtc2VldmVyL3Rva2VuLTE2MTkxMzg3MzIzMTg7dzEta0JDTmZUcGlDTjlwRmNVTjNVQQ \
  --fleet-server-cert fleet-server.crt --fleet-server-cert-key fleet-server.key

Then install another Elastic Agent and enroll it into the Fleet Server started in the previous example:

elastic-agent install -f --url https://fleet-server-host:8220 \
  --enrollment-token NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ==
  --certificate-authorities root.ca

elastic-agent restartedit

Restart the currently running Elastic Agent daemon.

Synopsisedit

elastic-agent restart [--help] [global-flags]

Optionsedit

--help
Show help for the restart command.

For more flags, see Global flags.

Examplesedit

elastic-agent restart

elastic-agent runedit

Start the elastic-agent process.

Synopsisedit

elastic-agent run [global-flags]

Global flagsedit

These flags are valid whenever you run elastic-agent on the command line.

-c <string>
The configuration file to use. If not specified, Elastic Agent uses {path.config}/elastic-agent.yml.
--e
Log to stderr and disable syslog/file output.
--environment <environmentVar>
The environment in which the agent will run.
--path.config <string>
The directory where Elastic Agent looks for its configuration file. The default varies by platform.
--path.home <string>

The root directory of Elastic Agent. path.home determines the location of the configuration files and data directory.

If not specified, Elastic Agent uses the current working directory.

--path.logs <string>
Path to the log output for Elastic Agent. The default varies by platform.
--v
Set log level to INFO.

Exampleedit

elastic-agent run -c myagentconfig.yml

elastic-agent uninstalledit

Permanently uninstall Elastic Agent from the system.

You must run this command as the root user (or Administrator on Windows) to remove files.

Synopsisedit

elastic-agent uninstall [--force] [--help] [global-flags]

Optionsedit

--force
Uninstall Elastic Agent and do not prompt for confirmation. This flag is helpful when using automation software or scripted deployments.
--help
Show help for the uninstall command.

For more flags, see Global flags.

Examplesedit

elastic-agent uninstall

elastic-agent upgradeedit

Upgrade the currently running Elastic Agent to the specified version. This should only be used with agents running in standalone mode. Agents enrolled in Fleet should be upgraded through Fleet.

Synopsisedit

elastic-agent upgrade <version> [--source-uri <string>] [--help] [flags]

Optionsedit

version
The version of Elastic Agent to upgrade to.
--source-uri <string>
The source URI to download the new version from. By default, Elastic Agent uses the Elastic Artifacts URL.
--help
Show help for the upgrade command.

For more flags, see Global flags.

Examplesedit

elastic-agent upgrade 7.10.1

elastic-agent versionedit

Show the version of Elastic Agent.

Synopsisedit

elastic-agent version [--help] [global-flags]

Optionsedit

--help
Show help for the version command.

For more flags, see Global flags.

Exampleedit

elastic-agent version