Elastic Agent command reference


Elastic Agent provides commands for running Elastic Agent, managing Fleet Server, and doing common tasks.

You might need to log in as a root user (or Administrator on Windows) to run these commands. After the Elastic Agent service is installed and running, make sure you run these commands without prepending them with ./ to avoid invoking the wrong binary.


elastic-agent diagnostics

Gather diagnostic information from the Elastic Agent and from each component and unit it is running. This command produces an archive that contains:

  • version.txt - version information
  • pre-config.yaml - pre-configuration before variable substitution
  • variables.yaml - current variable contexts from providers
  • computed-config.yaml - configuration after variable substitution
  • components-expected.yaml - expected computed components model from the computed-config.yaml
  • components-actual.yaml - actual running components model as reported by the runtime manager
  • state.yaml - current state information of all running components
  • Components Directory - diagnostic information from each running component:

    • goroutine.txt - goroutine dump
    • heap.txt - memory allocation of live objects
    • allocs.txt - sampling past memory allocations
    • threadcreate.txt - stack traces that led to the creation of new OS threads
    • block.txt - stack traces that led to blocking on synchronization primitives
    • mutex.txt - stack traces of holders of contended mutexes
    • Unit Directory - If a given unit provides specific diagnostics, it will be placed here.

Note that credentials may not be redacted in the archive; they may appear in plain text in the configuration or policy files inside the archive.

This command is intended for debugging purposes only. The output format and structure of the archive may change between releases.

Synopsis

elastic-agent diagnostics [--file <string>]
                          [-p]
                          [--help]
                          [global-flags]

Options

--file
Specifies the output archive name. Defaults to elastic-agent-diagnostics-<timestamp>.zip, where the timestamp is the current time in UTC.
--help
Show help for the diagnostics command.
-p
Additionally runs a 30-second CPU profile on each running component. This will generate an additional cpu.pprof file for each component.

For more flags, see Global flags.

Example

elastic-agent diagnostics
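Because credentials in the archive may not be redacted, it is worth scanning it before attaching it to a ticket. The following is an added example, not part of the Elastic documentation or tooling: it reports the file, line and key name of unmasked secret-looking values without printing the values themselves. The key-name word list, the `<REDACTED>` mask string and the sample archive contents are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Key names that often hold credentials in agent configuration or policy YAML.
# The word list is an assumption for this example; extend it for your policies.
SECRET_KEY = re.compile(
    r"^\s*(?:-\s*)?([\w.\-]*(?:password|passphrase|api_key|secret|token)[\w.\-]*)"
    r"\s*:\s*(\S.*)$",
    re.IGNORECASE,
)
# Values that are already masked or are unresolved variable references.
# "<REDACTED>" as the mask string is an assumption.
MASKED = re.compile(r"^(?:<REDACTED>|\*+|\$\{[^}]+\}|null|~)$", re.IGNORECASE)


def scan_diagnostics(archive):
    """Return (member, line_no, key) for each unmasked secret-looking value.

    `archive` is a path or a binary file object. Only YAML members are read,
    so the (potentially large) pprof and stack dump files are skipped.
    """
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".yaml", ".yml")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), 1):
                match = SECRET_KEY.match(line)
                if not match:
                    continue
                # Drop a trailing YAML comment and surrounding quotes.
                value = match.group(2).split(" #", 1)[0].strip().strip("\"'")
                if value and not MASKED.match(value):
                    findings.append((name, line_no, match.group(1)))
    return findings


def constructed_archive():
    """Build a small in-memory archive (constructed sample, not real output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("version.txt", "version: 0.0.0-example\n")
        zf.writestr(
            "pre-config.yaml",
            "outputs:\n  default:\n    api_key: ${ES_API_KEY}\n",
        )
        zf.writestr(
            "computed-config.yaml",
            "outputs:\n  default:\n    type: elasticsearch\n"
            "    api_key: EXAMPLE-ID:EXAMPLE-KEY\n    password: <REDACTED>\n",
        )
        zf.writestr("components/log-default/goroutine.txt", "token: not-yaml\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, line_no, key in scan_diagnostics(constructed_archive()):
        print(f"{member}:{line_no}: unmasked value for '{key}'")
```

The match is a key-name heuristic, so an empty result does not prove the archive is clean; treat the archive as sensitive either way.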

elastic-agent enroll

Enroll the Elastic Agent in Fleet.

Use this command to enroll the Elastic Agent in Fleet without installing the agent as a service. You will need to do this if you installed the Elastic Agent from a DEB or RPM package and plan to use systemd commands to start and manage the service. This command is also useful for testing Elastic Agent prior to installing it.

If you’ve already installed Elastic Agent, use this command to modify the settings that Elastic Agent runs with.

To enroll an Elastic Agent and install it as a service, use the install command instead. Installing as a service is the most common scenario.

We recommend that you run the enroll (or install) command as the root user because some integrations require root privileges to collect sensitive data. This command overwrites the elastic-agent.yml file in the agent directory.

This command includes optional flags to set up Fleet Server.

This command enrolls the Elastic Agent in Fleet; it does not start the agent. To start the agent, either start the service, if one exists, or use the run command to start the agent from a terminal.

Synopsis

To enroll the Elastic Agent in Fleet:

elastic-agent enroll --url <string>
                     --enrollment-token <string>
                     [--ca-sha256 <string>]
                     [--certificate-authorities <string>]
                     [--delay-enroll]
                     [--force]
                     [--non-interactive]
                     [--help]
                     [--insecure]
                     [--tag <string>]
                     [global-flags]

To enroll the Elastic Agent in Fleet and set up Fleet Server:

elastic-agent enroll --fleet-server-es <string>
                     --fleet-server-service-token <string>
                     [--fleet-server-service-token-path <string>]
                     [--ca-sha256 <string>]
                     [--certificate-authorities <string>]
                     [--delay-enroll]
                     [--fleet-server-cert <string>] 
                     [--fleet-server-cert-key <string>]
                     [--fleet-server-cert-key-passphrase <string>]
                     [--fleet-server-es-ca <string>]
                     [--fleet-server-es-ca-trusted-fingerprint <string>] 
                     [--fleet-server-es-insecure]
                     [--fleet-server-host <string>]
                     [--fleet-server-insecure-http]
                     [--fleet-server-policy <string>]
                     [--fleet-server-port <uint16>]
                     [--force]
                     [--non-interactive]
                     [--help]
                     [--tag <string>]
                     [--url <string>] 
                     [global-flags]

Notes on the flags above:

--fleet-server-cert: If no fleet-server-cert* flags are specified, Elastic Agent auto-generates a self-signed certificate with the hostname of the machine. Remote Elastic Agents enrolling into a Fleet Server with self-signed certificates must specify the --insecure flag.

--fleet-server-es-ca-trusted-fingerprint: Required when using self-signed certificates with Elasticsearch.

--url: Required when enrolling in a Fleet Server with custom certificates. The URL must match the DNS name used to generate the certificate specified by --fleet-server-cert.

For more information about custom certificates, refer to Configure SSL/TLS for self-managed Fleet Servers.

Options

--ca-sha256 <string>
Comma-separated list of certificate authority hash pins used for certificate verification.
--certificate-authorities <string>
Comma-separated list of root certificates used for server verification.
--delay-enroll
Delays enrollment to occur on first start of the Elastic Agent service. This setting is useful when you don’t want the Elastic Agent to enroll until the next reboot or manual start of the service, for example, when you’re preparing an image that includes Elastic Agent.
--enrollment-token <string>
Enrollment token to use to enroll Elastic Agent into Fleet. You can use the same enrollment token for multiple agents.
--fleet-server-cert <string>
Certificate to use for exposed Fleet Server HTTPS endpoint.
--fleet-server-cert-key <string>
Private key to use for exposed Fleet Server HTTPS endpoint.
--fleet-server-cert-key-passphrase <string>
Path to passphrase file for decrypting Fleet Server’s private key if an encrypted private key is used.
--fleet-server-es <string>
Start a Fleet Server process when Elastic Agent is started, and connect to the specified Elasticsearch URL.
--fleet-server-es-ca <string>
Path to certificate authority to use to communicate with Elasticsearch.
--fleet-server-es-ca-trusted-fingerprint <string>
The SHA-256 fingerprint (hash) of the certificate authority used to self-sign Elasticsearch certificates. This fingerprint will be used to verify self-signed certificates presented by Fleet Server and any inputs started by Elastic Agent for communication. This flag is required when using self-signed certificates with Elasticsearch.
--fleet-server-es-insecure

Allows Fleet Server to connect to Elasticsearch in the following situations:

  • When connecting to an HTTP server.
  • When connecting to an HTTPS server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.

When this flag is used, certificate verification is disabled.

--fleet-server-host <string>
Fleet Server HTTP binding host (overrides the policy).
--fleet-server-insecure-http
Expose Fleet Server over HTTP. This option is not recommended because it’s insecure. It’s useful during development and testing, but should not be used in production. When using this option, you should bind Fleet Server to the local host (this is the default).
--fleet-server-policy <string>
Used when starting a self-managed Fleet Server to allow a specific policy to be used.
--fleet-server-port <uint16>
Fleet Server HTTP binding port (overrides the policy).
--fleet-server-service-token <string>
Service token to use for communication with Elasticsearch. Mutually exclusive with --fleet-server-service-token-path.
--fleet-server-service-token-path <string>
Service token file to use for communication with Elasticsearch. Mutually exclusive with --fleet-server-service-token.
--force

Force overwrite of current configuration without prompting for confirmation. This flag is helpful when using automation software or scripted deployments.

If the Elastic Agent is already installed on the host, using --force may result in unpredictable behavior with duplicate Elastic Agents appearing in Fleet.

--non-interactive
Install Elastic Agent in a non-interactive mode. This flag is helpful when using automation software or scripted deployments. If Elastic Agent is already installed on the host, the installation will terminate.
--help
Show help for the enroll command.
--insecure

Allow the Elastic Agent to connect to Fleet Server over insecure connections. This setting is required in the following situations:

  • When connecting to an HTTP server. The API keys are sent in clear text.
  • When connecting to an HTTPS server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.
  • When using self-signed certificates generated by Elastic Agent.

We strongly recommend that you use a secure connection.

--tag <string>

A comma-separated list of tags to apply to Fleet-managed Elastic Agents. You can use these tags to filter the list of agents in Fleet.

Currently, there is no way to remove or edit existing tags. To change the tags, you must unenroll the Elastic Agent, then re-enroll it using new tags.

--url <string>
Fleet Server URL to use to enroll the Elastic Agent into Fleet.

For more flags, see Global flags.

Examples

Enroll the Elastic Agent in Fleet:

elastic-agent enroll \
  --url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 \
  --enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ==

Enroll the Elastic Agent in Fleet and set up Fleet Server:

elastic-agent enroll --fleet-server-es=http://elasticsearch:9200 \
  --fleet-server-service-token=AbEAAdesYXN1abMvZmxlZXQtc2VldmVyL3Rva2VuLTE2MTkxMzg3MzIzMTg7dzEta0JDTmZUcGlDTjlwRmNVTjNVQQ \
  --fleet-server-policy=a35fd520-26f5-11ec-8bd9-3374690g57b6

Start Elastic Agent with Fleet Server (running on a custom CA). This example assumes you’ve generated the certificates with the following names:

  • ca.crt: Root CA certificate
  • fleet-server.crt: Fleet Server certificate
  • fleet-server.key: Fleet Server private key
  • elasticsearch-ca.crt: CA certificate to use to connect to Elasticsearch

elastic-agent enroll \
  --url=https://fleet-server:8220 \
  --fleet-server-es=https://elasticsearch:9200 \
  --fleet-server-service-token=AAEBAWVsYXm0aWMvZmxlZXQtc2XydmVyL3Rva2VuLTE2MjM4OTAztDU1OTQ6dllfVW1mYnFTVjJwTC2ZQ0EtVnVZQQ \
  --fleet-server-policy=a35fd520-26f5-11ec-8bd9-3374690g57b6 \
  --certificate-authorities=/path/to/ca.crt \
  --fleet-server-es-ca=/path/to/elasticsearch-ca.crt \
  --fleet-server-cert=/path/to/fleet-server.crt \
  --fleet-server-cert-key=/path/to/fleet-server.key \
  --fleet-server-port=8220

Then enroll another Elastic Agent into the Fleet Server started in the previous example:

elastic-agent enroll --url=https://fleet-server:8220 \
  --enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== \
  --certificate-authorities=/path/to/ca.crt

elastic-agent help

Show help for a specific command.

Synopsis

elastic-agent help <command> [--help] [global-flags]

Options

command
The name of the command.
--help
Show help for the help command.

For more flags, see Global flags.

Example

elastic-agent help enroll

elastic-agent inspect

Show the current Elastic Agent configuration.

If no parameters are specified, shows the full Elastic Agent configuration.

Synopsis

elastic-agent inspect [--help]
elastic-agent inspect components [--show-config]
                             [--show-spec]
                             [--help]
                             [id]

Options

components

Display the current configuration for the component. This command accepts additional flags:

--show-config
Use to display the configuration in all units.
--show-spec
Use to get the input/output runtime specification for a component.
--help
Show help for the inspect command.

For more flags, see Global flags.

Examples

elastic-agent inspect
elastic-agent inspect components --show-config
elastic-agent inspect components log-default

elastic-agent install

Install Elastic Agent permanently on the system and manage it by using the system’s service manager. The agent will start automatically after installation is complete. On Linux (tar package), this command requires a system and service manager like systemd.

If you installed Elastic Agent from a DEB or RPM package, the install command will skip the installation itself and function as an alias of the enroll command instead. Note that after an upgrade of the Elastic Agent using DEB or RPM the Elastic Agent service needs to be restarted.

You must run this command as the root user (or Administrator on Windows) to write files to the correct locations. This command overwrites the elastic-agent.yml file in the agent directory.

The syntax for running this command varies by platform. For platform-specific examples, refer to Install Elastic Agents.

Synopsis

To install the Elastic Agent as a service, enroll it in Fleet, and start the elastic-agent service:

elastic-agent install --url <string>
                      --enrollment-token <string>
                      [--ca-sha256 <string>]
                      [--certificate-authorities <string>]
                      [--delay-enroll]
                      [--force]
                      [--non-interactive]
                      [--help]
                      [--insecure]
                      [--tag <string>]
                      [global-flags]

To install the Elastic Agent as a service, enroll it in Fleet, and start a fleet-server process alongside the elastic-agent service:

elastic-agent install --fleet-server-es <string>
                      --fleet-server-service-token <string>
                      [--fleet-server-service-token-path <string>]
                      [--ca-sha256 <string>]
                      [--certificate-authorities <string>]
                      [--delay-enroll]
                      [--fleet-server-cert <string>] 
                      [--fleet-server-cert-key <string>]
                      [--fleet-server-cert-key-passphrase <string>]
                      [--fleet-server-es-ca <string>]
                      [--fleet-server-es-ca-trusted-fingerprint <string>] 
                      [--fleet-server-host <string>]
                      [--fleet-server-insecure-http]
                      [--fleet-server-policy <string>]
                      [--fleet-server-port <uint16>]
                      [--force]
                      [--non-interactive]
                      [--help]
                      [--tag <string>]
                      [--url <string>] 
                      [--fleet-server-es-insecure]
                      [global-flags]

Notes on the flags above:

--fleet-server-cert: If no fleet-server-cert* flags are specified, Elastic Agent auto-generates a self-signed certificate with the hostname of the machine. Remote Elastic Agents enrolling into a Fleet Server with self-signed certificates must specify the --insecure flag.

--fleet-server-es-ca-trusted-fingerprint: Required when using self-signed certificates with Elasticsearch.

--url: Required when enrolling in a Fleet Server with custom certificates. The URL must match the DNS name used to generate the certificate specified by --fleet-server-cert.

For more information about custom certificates, refer to Configure SSL/TLS for self-managed Fleet Servers.

Options

--ca-sha256 <string>
Comma-separated list of certificate authority hash pins used for certificate verification.
--certificate-authorities <string>
Comma-separated list of root certificates used for server verification.
--delay-enroll
Delays enrollment to occur on first start of the Elastic Agent service. This setting is useful when you don’t want the Elastic Agent to enroll until the next reboot or manual start of the service, for example, when you’re preparing an image that includes Elastic Agent.
--enrollment-token <string>
Enrollment token to use to enroll Elastic Agent into Fleet. You can use the same enrollment token for multiple agents.
--fleet-server-cert <string>
Certificate to use for exposed Fleet Server HTTPS endpoint.
--fleet-server-cert-key <string>
Private key to use for exposed Fleet Server HTTPS endpoint.
--fleet-server-cert-key-passphrase <string>
Path to passphrase file for decrypting Fleet Server’s private key if an encrypted private key is used.
--fleet-server-es <string>
Start a Fleet Server process when Elastic Agent is started, and connect to the specified Elasticsearch URL.
--fleet-server-es-ca <string>
Path to certificate authority to use to communicate with Elasticsearch.
--fleet-server-es-ca-trusted-fingerprint <string>
The SHA-256 fingerprint (hash) of the certificate authority used to self-sign Elasticsearch certificates. This fingerprint will be used to verify self-signed certificates presented by Fleet Server and any inputs started by Elastic Agent for communication. This flag is required when using self-signed certificates with Elasticsearch.
--fleet-server-es-insecure

Allows Fleet Server to connect to Elasticsearch in the following situations:

  • When connecting to an HTTP server.
  • When connecting to an HTTPS server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.

When this flag is used, certificate verification is disabled.

--fleet-server-host <string>
Fleet Server HTTP binding host (overrides the policy).
--fleet-server-insecure-http
Expose Fleet Server over HTTP. This option is not recommended because it’s insecure. It’s useful during development and testing, but should not be used in production. When using this option, you should bind Fleet Server to the local host (this is the default).
--fleet-server-policy <string>
Used when starting a self-managed Fleet Server to allow a specific policy to be used.
--fleet-server-port <uint16>
Fleet Server HTTP binding port (overrides the policy).
--fleet-server-service-token <string>
Service token to use for communication with Elasticsearch. Mutually exclusive with --fleet-server-service-token-path.
--fleet-server-service-token-path <string>
Service token file to use for communication with Elasticsearch. Mutually exclusive with --fleet-server-service-token.
--force

Force overwrite of current configuration without prompting for confirmation. This flag is helpful when using automation software or scripted deployments.

If the Elastic Agent is already installed on the host, using --force may result in unpredictable behavior with duplicate Elastic Agents appearing in Fleet.

--non-interactive
Install Elastic Agent in a non-interactive mode. This flag is helpful when using automation software or scripted deployments. If Elastic Agent is already installed on the host, the installation will terminate.
--help
Show help for the install command.
--insecure

Allow the Elastic Agent to connect to Fleet Server over insecure connections. This setting is required in the following situations:

  • When connecting to an HTTP server. The API keys are sent in clear text.
  • When connecting to an HTTPS server and the certificate chain cannot be verified. The content is encrypted, but the certificate is not verified.
  • When using self-signed certificates generated by Elastic Agent.

We strongly recommend that you use a secure connection.

--tag <string>

A comma-separated list of tags to apply to Fleet-managed Elastic Agents. You can use these tags to filter the list of agents in Fleet.

Currently, there is no way to remove or edit existing tags. To change the tags, you must unenroll the Elastic Agent, then re-enroll it using new tags.

--url <string>
Fleet Server URL to use to enroll the Elastic Agent into Fleet.

For more flags, see Global flags.

Examples

Install the Elastic Agent as a service, enroll it in Fleet, and start the elastic-agent service:

elastic-agent install \
  --url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 \
  --enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ==

Install the Elastic Agent as a service, enroll it in Fleet, and start a fleet-server process alongside the elastic-agent service:

elastic-agent install --fleet-server-es=http://elasticsearch:9200 \
  --fleet-server-service-token=AbEAAdesYXN1abMvZmxlZXQtc2VldmVyL3Rva2VuLTE2MTkxMzg3MzIzMTg7dzEta0JDTmZUcGlDTjlwRmNVTjNVQQ \
  --fleet-server-policy=a35fd620-26f6-11ec-8bd9-3374690f57b6

Start Elastic Agent with Fleet Server (running on a custom CA). This example assumes you’ve generated the certificates with the following names:

  • ca.crt: Root CA certificate
  • fleet-server.crt: Fleet Server certificate
  • fleet-server.key: Fleet Server private key
  • elasticsearch-ca.crt: CA certificate to use to connect to Elasticsearch

elastic-agent install \
  --url=https://fleet-server:8220 \
  --fleet-server-es=https://elasticsearch:9200 \
  --fleet-server-service-token=AAEBAWVsYXm0aWMvZmxlZXQtc2XydmVyL3Rva2VuLTE2MjM4OTAztDU1OTQ6dllfVW1mYnFTVjJwTC2ZQ0EtVnVZQQ \
  --fleet-server-policy=a35fd520-26f5-11ec-8bd9-3374690g57b6 \
  --certificate-authorities=/path/to/ca.crt \
  --fleet-server-es-ca=/path/to/elasticsearch-ca.crt \
  --fleet-server-cert=/path/to/fleet-server.crt \
  --fleet-server-cert-key=/path/to/fleet-server.key \
  --fleet-server-port=8220

Then install another Elastic Agent and enroll it into the Fleet Server started in the previous example:

elastic-agent install --url=https://fleet-server:8220 \
  --enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== \
  --certificate-authorities=/path/to/ca.crt
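The enroll and install commands share the flags that weaken transport security (--insecure, --fleet-server-es-insecure, --fleet-server-insecure-http), and deployment scripts tend to carry them from testing into production. The following is an added example, not part of the Elastic documentation or tooling: a pre-deployment check that parses an enroll or install command line and reports those flags, http:// URLs, a plain-HTTP Fleet Server bound to a non-local host, and misuse of the service-token flags. The sample commands and token values are constructed, and the parser assumes boolean flags are not followed by positional arguments.

```python
import shlex
from urllib.parse import urlsplit

# Flags from the enroll/install option lists that weaken transport security.
WEAKENING = {
    "--insecure": "connection to Fleet Server is not verified",
    "--fleet-server-es-insecure": "certificate verification to Elasticsearch is disabled",
    "--fleet-server-insecure-http": "Fleet Server is exposed over HTTP",
}
URL_FLAGS = ("--url", "--fleet-server-es")
LOOPBACK = ("localhost", "127.0.0.1", "::1")
TOKEN, TOKEN_PATH = "--fleet-server-service-token", "--fleet-server-service-token-path"


def parse_flags(command):
    """Return {flag: value}; accepts both --flag=value and --flag value."""
    tokens = shlex.split(command.replace("\\\n", " "))  # join continuation lines
    flags, i = {}, 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name.startswith("--"):
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                i += 1
                value = tokens[i]
            flags[name] = value
        i += 1
    return flags


def lint(command):
    """Return a list of (flag, reason) findings for one enroll/install command."""
    flags = parse_flags(command)
    findings = [(f, why) for f, why in WEAKENING.items() if f in flags]
    for flag in URL_FLAGS:
        if urlsplit(flags.get(flag, "")).scheme == "http":
            findings.append((flag, "http:// URL: credentials are sent in clear text"))
    host = flags.get("--fleet-server-host", "")
    if "--fleet-server-insecure-http" in flags and host and host not in LOOPBACK:
        findings.append(("--fleet-server-host", "HTTP Fleet Server bound to a non-local host"))
    if TOKEN in flags and TOKEN_PATH in flags:
        findings.append((TOKEN_PATH, f"mutually exclusive with {TOKEN}"))
    if flags.get(TOKEN):
        findings.append((TOKEN, f"token is on the command line; {TOKEN_PATH} keeps it in a file"))
    return findings


# Constructed sample commands (token values are placeholders).
CONSTRUCTED_WEAK = (
    "elastic-agent install --fleet-server-es=http://elasticsearch:9200 \\\n"
    "  --fleet-server-service-token=EXAMPLE_TOKEN \\\n"
    "  --fleet-server-insecure-http --fleet-server-host 0.0.0.0 --insecure"
)
CONSTRUCTED_OK = (
    "elastic-agent enroll --url=https://fleet-server:8220 \\\n"
    "  --enrollment-token=EXAMPLE_TOKEN \\\n"
    "  --certificate-authorities=/path/to/ca.crt"
)

if __name__ == "__main__":
    for cmd in (CONSTRUCTED_WEAK, CONSTRUCTED_OK):
        print(cmd.split()[1], lint(cmd) or "no findings")
```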

elastic-agent restart

Restart the currently running Elastic Agent daemon.

Synopsis

elastic-agent restart [--help] [global-flags]

Options

--help
Show help for the restart command.

For more flags, see Global flags.

Examples

elastic-agent restart

elastic-agent run

Start the elastic-agent process.

Synopsis

elastic-agent run [global-flags]

Global flags

These flags are valid whenever you run elastic-agent on the command line.

-c <string>
The configuration file to use. If not specified, Elastic Agent uses {path.config}/elastic-agent.yml.
--e
Log to stderr and disable syslog/file output.
--environment <environmentVar>
The environment in which the agent will run.
--path.config <string>
The directory where Elastic Agent looks for its configuration file. The default varies by platform.
--path.home <string>

The root directory of Elastic Agent. path.home determines the location of the configuration files and data directory.

If not specified, Elastic Agent uses the current working directory.

--path.logs <string>
Path to the log output for Elastic Agent. The default varies by platform.
--v
Set log level to INFO.

Example

elastic-agent run -c myagentconfig.yml

elastic-agent status

Returns the current status of the running Elastic Agent daemon and of each process in the Elastic Agent. The last known status of the Fleet server is also returned. The output option controls the level of detail and formatting of the information.

Synopsis

elastic-agent status [--output <string>]
                     [--help]
                     [global-flags]

Options

--output <string>
Output the status information in either human (the default), full, json, or yaml. human returns limited information when Elastic Agent is in the HEALTHY state. If any components or units are not in HEALTHY state, then full details are displayed for that component or unit. full, json and yaml always return the full status information. Components map to individual processes running underneath Elastic Agent, for example Filebeat or Endpoint Security. Units map to discrete configuration units within that process, for example Filebeat inputs or Metricbeat modules.

When the output is json or yaml, status codes are returned as numerical values. The status codes can be mapped using the following table:

Code  Status
0     STARTING
1     CONFIGURING
2     HEALTHY
3     DEGRADED
4     FAILED
5     STOPPING
6     UPGRADING
7     ROLLBACK

--help
Show help for the status command.

For more flags, see Global flags.

Examples

elastic-agent status

elastic-agent uninstall

Permanently uninstall Elastic Agent from the system.

You must run this command as the root user (or Administrator on Windows) to remove files.

Synopsis

elastic-agent uninstall [--force] [--help] [global-flags]

Options

--force
Uninstall Elastic Agent and do not prompt for confirmation. This flag is helpful when using automation software or scripted deployments.
--help
Show help for the uninstall command.

For more flags, see Global flags.

Examples

elastic-agent uninstall

elastic-agent upgrade

Upgrade the currently running Elastic Agent to the specified version. This should only be used with agents running in standalone mode. Agents enrolled in Fleet should be upgraded through Fleet.

Synopsis

elastic-agent upgrade <version> [--source-uri <string>] [--help] [flags]

Options

version
The version of Elastic Agent to upgrade to.
--source-uri <string>
The source URI to download the new version from. By default, Elastic Agent uses the Elastic Artifacts URL.
--skip-verify
Skip the package verification process. This option is not recommended as it is insecure.
--pgp-path <string>
Use a locally stored copy of the PGP key to verify the upgrade package.
--pgp-uri <string>
Use the specified online PGP key to verify the upgrade package.
--help
Show help for the upgrade command.

For details about using the --skip-verify, --pgp-path <string>, and --pgp-uri <string> package verification options, refer to Verifying Elastic Agent package signatures.

For more flags, see Global flags.

Examples

elastic-agent upgrade 7.10.1

elastic-agent version

Show the version of Elastic Agent.

Synopsis

elastic-agent version [--help] [global-flags]

Options

--help
Show help for the version command.

For more flags, see Global flags.

Example

elastic-agent version