You can configure an Elastic Agent policy to capture up to five environment variables (
- Env var names must be no more than 63 characters, and env var values must be no more than 1023 characters. Values outside these limits are silently ignored.
- Env var names are case sensitive in Linux.
To set up environment variable capture for an Elastic Agent policy:
- Go to Security → Manage → Policies.
- Select an Elastic Agent policy.
- Click Show advanced settings.
Scroll down or search for
Enter the names of env vars you want to capture, separated by commas. For example:
- Click Save.
Find captured environment variables
Captured environment variables are associated with process events, and appear in each event’s
To view environment variables in the Events table:
- Click the Events tab on the Hosts, Network, or Users pages (Security → Explore), then click Fields in the Events table.
- Search for the process.env_vars field, select it, and click Close. A new column appears containing captured environment variable data.