Fleetserver connectivity requirments when using an elasticsearch remote output (#4244)

mjmbischoff · vishaangelova · web-flow · commit 5e20b22b0a50 · 2026-01-13T12:02:55.000+01:00
In addition to connectivity check the fleet server also creates apikeys
using the service token. This is currently not documented well, moreover
we currently lead users astray telling them to ignore the output health.

This PR only addresses the note, a more elaborate section should be
added to guide the user.

&lt;!--
Thank you for contributing to the Elastic Docs! 🎉
Use this template to help us efficiently review your contribution.
--&gt;

## Summary
&lt;!--
Describe what your PR changes or improves.  
If your PR fixes an issue, link it here. If your PR does not fix an
issue, describe the reason you are making the change.
--&gt;

## Generative AI disclosure
&lt;!--
To help us ensure compliance with the Elastic open source and
documentation guidelines, please answer the following:
--&gt;
1. Did you use a generative AI (GenAI) tool to assist in creating this
contribution?
- [ ] Yes  
- [x] No  
&lt;!--
2. If you answered "Yes" to the previous question, please specify the
tool(s) and model(s) used (e.g., Google Gemini, OpenAI ChatGPT-4, etc.).

Tool(s) and model(s) used:
--&gt;

---------

Co-authored-by: Visha Angelova &lt;91186315+vishaangelova@users.noreply.github.com&gt;
Co-authored-by: Visha Angelova &lt;visha.angelova@elastic.co&gt;
diff --git a/reference/fleet/remote-elasticsearch-output.md b/reference/fleet/remote-elasticsearch-output.md
@@ -21,6 +21,7 @@ A remote {{es}} cluster supports the same [output settings](/reference/fleet/es-
 
 These limitations apply to remote {{es}} output:
 
+* {{fleet-server}} must be able to reach the remote {{es}} cluster with a service token to create API keys for any {{agents}} that use the remote {{es}} output.
 * Using a remote {{es}} output with a target cluster that has [network security](/deploy-manage/security/network-security.md) enabled is not currently supported.
 * Using {{elastic-defend}} when a remote {{es}} output is configured for an {{agent}} is not currently supported.
 
@@ -118,5 +119,5 @@ If you choose not to synchronize integrations automatically, you need to make su
 ::::{note}
 When you use a remote {{es}} output, {{fleet-server}} performs a test to ensure connectivity to the remote cluster. The result of that connectivity test is used to report whether the remote output is healthy or unhealthy, and is displayed on the **{{fleet}}** → **Settings** → **Outputs** page, in the **Status** column.
 
-In some cases, the remote {{es}} output used for {{agent}} data can be reached by the {{agent}}s but not by {{fleet-server}}. In those cases, you can ignore the resulting unhealthy state of the output and the associated `Unable to connect` error on the UI.
+In some cases, the remote {{es}} output used for {{agent}} data can be reached by the {{agents}} but not by {{fleet-server}}. This will result in the unhealthy status of the output and an `Unable to connect` error on the UI. To generate API keys for {{agents}}, {{fleet-server}} requires connectivity to the remote cluster.
 ::::
