Merge branch 'main' into tbs-metrics-docs

Author: carsonip

deploy-manage/deploy/cloud-enterprise/post-installation-steps.md

@@ -18,6 +18,12 @@ To start creating {{es}} deployments directly, refer to [](./working-with-deploy
 
 * Add your own [load balancer](./ece-load-balancers.md). Load balancers are user supplied and we do not currently provide configuration steps for you.
 
+* [Add more capacity](/deploy-manage/maintenance/ece/scale-out-installation.md) to your ECE installation, [resize your deployment](./resize-deployment.md), [upgrade to a newer {{es}} version](/deploy-manage/upgrade/deployment-or-cluster/upgrade-on-ece.md), and [add some plugins](./add-plugins.md).
+
+* [Configure ECE system deployments](./system-deployments-configuration.md) to ensure a highly available and resilient setup.
+
+* [Configure ECE for deployment templates](./configure-deployment-templates.md) to indicate what kind of hardware you have available for {{stack}} deployments.
+
 * In production systems, add your own [Cloud UI and Proxy certificates](../../security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md) to enable secure connections over HTTPS. The proxy certificate must be a wildcard certificate signed for the needed DNS records of your domain.
 
   ::::{note}
@@ -32,19 +38,21 @@ To start creating {{es}} deployments directly, refer to [](./working-with-deploy
   For example, if your proxy certificate is signed for `*.elastic-cloud-enterprise.example.com` and you have a wildcard DNS register pointing `*.elastic-cloud-enterprise.example.com` to your load balancer, you should configure `elastic-cloud-enterprise.example.com` as the **deployment domain name** in Platform → Settings. Refer to [](./change-endpoint-urls.md) for more details.
   ::::
 
-* If you received a license from Elastic, [manage the licenses](../../license/manage-your-license-in-ece.md) for your {{ece}} installation.
+* [Add a snapshot repository](../../tools/snapshot-and-restore/cloud-enterprise.md) to enable regular backups of your {{es}} clusters.
 
 * [Add more platform users](../../users-roles/cloud-enterprise-orchestrator/manage-users-roles.md) with role-based access control.
 
-* [Add a snapshot repository](../../tools/snapshot-and-restore/cloud-enterprise.md) to enable regular backups of your {{es}} clusters.
-
 * Consider enabling encryption-at-rest (EAR) on your hosts.
 
   :::{{note}}
   Encryption-at-rest is not implemented out of the box in {{ece}}. [Learn more](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md#ece_encryption).
   :::
 
-* Learn about common maintenance activities—such as adding capacity, applying OS patches, and addressing host failures--at [](../../maintenance/ece.md).
+* Set up [traffic filters](/deploy-manage/security/network-security.md) to restrict traffic to your deployment to only trusted IP addresses or VPCs.
+
+* Learn how to work around host maintenance or a host failure by [moving nodes off of an allocator](/deploy-manage/maintenance/ece/move-nodes-instances-from-allocators.md). For an overview of common ECE maintenance activities, refer to [ECE maintenance](../../maintenance/ece.md).
+
+* If you received a license from Elastic, [manage the licenses](../../license/manage-your-license-in-ece.md) for your {{ece}} installation.
 
 ::::{warning}
 During installation, the system generates secrets that are placed into the `/mnt/data/elastic/bootstrap-state/bootstrap-secrets.json` secrets file, unless you passed in a different path with the --host-storage-path parameter. Keep the information in the `bootstrap-secrets.json` file secure by removing it from its default location and placing it into a secure storage location.

deploy-manage/distributed-architecture/discovery-cluster-formation.md

@@ -8,7 +8,7 @@ products:
 ---
 
 ::::{important}
-The information provided in this section is applicable to all deployment types. However, the configuration settings detailed here are only valid for self-managed {{es}} deployments. For {{ecloud}} and {{serverless-full}} deployments this seciton should only be used for general information.
+The information provided in this section is applicable to all deployment types. However, the configuration settings detailed here are only valid for fully self-managed {{es}} deployments. For ECE, ECK, and ECH deployments, this section should only be used for general information and troubleshooting.
 ::::
 
 # Discovery and cluster formation [modules-discovery]

deploy-manage/remote-clusters/ece-enable-ccs.md

@@ -32,8 +32,18 @@ To use CCS or CCR, your environment must meet the following criteria:
   :::{include} _snippets/remote-cluster-certificate-compatibility.md
   :::
 
-* Proxies must answer TCP requests on the port 9400. Check the [prerequisites for the ports that must permit outbound or inbound traffic](../deploy/cloud-enterprise/ece-networking-prereq.md).
-* Load balancers must pass-through TCP requests on port 9400. Check the [configuration details](../deploy/cloud-enterprise/ece-load-balancers.md).
+* ECE proxies must answer TCP requests on the port used by the selected [security model](./security-models.md):
+  * `9400` when using TLS certificate–based authentication (deprecated).
+  * `9443` when using API key–based authentication.
+  
+  For details, refer to the [remote cluster security models](./security-models.md) documentation and [ECE networking prerequisites](/deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md).
+
+* Load balancers must pass through TCP requests on the port that corresponds to the security model:
+  * `9400` for TLS certificate–based authentication (deprecated).
+  * `9443` for API key–based authentication.
+
+  For configuration details, refer to the [ECE load balancer requirements](../deploy/cloud-enterprise/ece-load-balancers.md).
+
 * If your deployment was created before ECE version `2.9.0`, the Remote clusters page in {{kib}} must be enabled manually from the **Security** page of your deployment, by selecting **Enable CCR** under **Trust management**.
 
 ::::{note}
@@ -62,4 +72,4 @@ The steps, information, and authentication method required to configure CCS and
 
 ## Remote clusters and network security [ece-ccs-ccr-network-security]
 
-If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).

deploy-manage/security/updating-certificates.md

@@ -23,7 +23,7 @@ Regardless of the scenario, {{es}} monitors the SSL resources for updates by def
 
 Because {{es}} doesn’t reload the `elasticsearch.yml` configuration, you must use **the same file names** if you want to take advantage of automatic certificate and key reloading.
 
-If you need to update the `elasticsearch.yml`](/deploy-manage/stack-settings.md) configuration or change passwords for keys or keystores that are stored in the [secure settings](secure-settings.md), then you must complete a [rolling restart](#use-rolling-restarts). {{es}} will not automatically reload changes for passwords stored in the secure settings.
+If you need to update the [`elasticsearch.yml`](/deploy-manage/stack-settings.md) configuration or change passwords for keys or keystores that are stored in the [secure settings](secure-settings.md), then you must complete a [rolling restart](#use-rolling-restarts). {{es}} will not automatically reload changes for passwords stored in the secure settings.
 
 ::::{admonition} Rolling restarts are preferred
 :name: use-rolling-restarts

reference/fleet/alert-templates.md

@@ -1,6 +1,4 @@
 ---
-mapped_pages:
-  - https://www.elastic.co/guide/en/fleet/current/data-streams.html
 applies_to:
   stack: ga 9.2
   serverless: ga
@@ -17,23 +15,34 @@ navigation_title: Built-in alerts and templates
 When you install or upgrade {{agent}}, new alert rules are created automatically. You can configure and customize out-of-the-box alerts to get them up and running quickly. 
 
 ::::{note}
-The built-in alerts feature for {{agent}} is available only for some subscription levels. The license (or a trial license) must be in place before you install or upgrade {{agent}} before this feature is available. 
+The built-in alerts feature for {{agent}} is available only for some subscription levels. The license (or a trial license) must be in place _before_ you install or upgrade {{agent}} for the alert rules to be available. 
 
-Refer [Elastic subscriptions](https://www.elastic.co/subscriptions) for more information. 
+Refer to [Elastic subscriptions](https://www.elastic.co/subscriptions) for more information. 
 ::::
 
 In {{kib}}, you can enable out-of-the-box rules pre-configured with reasonable defaults to provide immediate value for managing agents.
-You can use [ES|QL](/explore-analyze/discover/try-esql.md) to author conditions for each rule.
-
-Connectors are not added to rules automatically, but you can attach a connector to route alerts to your platform of choice -- Slack or email, for example.
-In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents  
+You can use [{{esql}}](/explore-analyze/discover/try-esql.md) to author conditions for each rule.
 
 You can find these rules in **Stack Management** > **Alerts and Insights** > **Rules**.
 
+### Available alert rules [available-alert-rules]
+
+| Alert | Description |
+| -------- | -------- |
+| [Elastic Agent] CPU usage spike|  Checks if {{agent}} or any of its processes were pegged at a high CPU for a specified window of time. This could signal a bug in an application and warrant further investigation.<br> - Condition: Alert on `system.process.cpu.total.time.ms` over 80% for 5 minutes<br>- Default: Enabled |
+| [Elastic Agent] Dropped events | Checks ratio of dropped events to acknowledged events. Rows are distinguished by agent ID and component ID. <br> - Condition: Alert on ratio of dropped events to acked events of 5% or more<br>- Default: Enabled|
+| [Elastic Agent] Excessive memory usage|  Checks if {{agent}} or any of its processes have a high memory usage or memory usage that is trending up. This could signal a memory leak in an application and warrant further investigation.<br>- Condition: Alert on `system.process.memory.rss.pct` more than 50%<br>- Default: Enabled |
+| [Elastic Agent] Excessive restarts| Checks for excessive restarts on a host. Some restarts can have a business impact, and getting alerts for them can enable timely mitigation.<br>- Condition: Alert on 11 or more restarts in a 5-minute window<br>- Default: Enabled |
+| [Elastic Agent] High pipeline queue | Checks percentage of pipeline queue. Rows are distinguished by agent ID and component ID. <br> - Condition: Alert on max of `beat.stats.libbeat.pipeline.queue.filled.pct` exceeding 90%  <br>- Default: Enabled|
+| [Elastic Agent] Output errors | Checks errors per minute from an agent component. Rows are distinguished by agent ID and component ID. <br> - Condition: Alert on 6 or more errors per minute  <br>- Default: Enabled|
+| [Elastic Agent] Unhealthy status | Checks agent status. An `unhealthy` status can indicate errors or degraded functionality of the agent. <br> - Condition: Alert on `unhealthy` status <br>- Default: Enabled|
+
+**Connectors** are not added to rules automatically, but you can attach a connector to route alerts to your Slack, email, or other notification platforms.
+In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents.  
 
-## Alert templates assets for integrations [alert-templates]
+## Alert template assets for integrations [alert-templates]
 
-Some integration packages include alerting rule template assets that provide pre-made definitions of alerting rules. You can use the templates to create your own custom alerting rules that you can enable and fine tune. 
+Some integration packages include alerting rule template assets that provide pre-made definitions of alerting rules. You can use the templates to create your own custom alerting rules that you can enable and fine-tune. 
 
 When you click a template, you get a pre-filled rule creation form. You can define and adjust values, set up connectors, and define rule actions to create your custom alerting rule.
 

reference/fleet/manage-integrations.md

@@ -47,4 +47,4 @@ You can perform a variety of actions in the **Integrations** app in {{kib}}. Som
 
 ## Customize integrations [customize-integrations]
 
-After you've started using integrations to ingest data, you can customize how the data is managed over time. Refer to [Index lifecycle management](/reference/fleet/data-streams.md#data-streams-ilm) to learn more.
+After you've started using integrations to ingest data, you can customize how the data is managed over time. Refer to [{{ilm-cap}}](/reference/fleet/data-streams.md#data-streams-ilm) to learn more.

release-notes/elastic-security/known-issues.md

@@ -20,7 +20,7 @@ Known issues are significant defects or limitations that may impact your impleme
 
 Applies to: 9.2.0
 
-**Details**
+**Impact**
 
 A new feature introduced to the entity store in 9.2.0 caused the transform to scan for nonexistent indices.
 
@@ -54,6 +54,11 @@ Two workarounds are available:
     3. Your agent-based integration deployments will work as expected.
 2. Use agentless deployment. 
     1. Instead of using agent-based deployment, use agentless deployment. Agentless deployment works as expected.
+
+**Resolved**<br>
+
+Resolved in {{stack}} 9.2.1
+
 ::::
 
 

solutions/observability/streams/management/extract/manual-pipeline-configuration.md

@@ -5,13 +5,17 @@ applies_to:
 ---
 # Manual pipeline configuration [streams-manual-pipeline-configuration]
 
+:::{note}
+The manual pipeline configuration processor is only available on [classic streams](../../streams.md#streams-classic-vs-wired).
+:::
+
 The **Manual pipeline configuration** lets you create a JSON-encoded array of ingest pipeline processors.This is helpful if you want to add more advanced processing that isn't currently available as part of the UI-based processors.
 
 Refer to the following documentation for more on manually configuring processors:
 
 - [Create readable and maintainable ingest pipelines](../../../../../manage-data/ingest/transform-enrich/readable-maintainable-ingest-pipelines.md)
 - [Error handling in ingest pipelines](../../../../../manage-data/ingest/transform-enrich/error-handling.md)
-- [Ingest processor reference][elasticsearch://reference/enrich-processor.md]
+- [Ingest processor reference](elasticsearch://reference/enrich-processor/index.md)
 
 To manually create an array of ingest pipeline processors:
 

solutions/observability/streams/streams.md

@@ -8,11 +8,11 @@ applies_to:
 
 Streams provides a single, centralized UI within {{kib}} that streamlines common tasks like extracting fields, setting data retention, and routing data, so you don't need to use multiple applications or manually configure underlying {{es}} components.
 
-## Classic vs. wired streams
+## Classic versus wired streams [streams-classic-vs-wired]
 
 Streams can operate in two modes: wired and classic. Both manage data streams in {{es}}, but differ in configuration, inheritance, and field mapping.
 
-### Classic streams
+### Classic streams [streams-classic-streams]
 
 Classic streams work with existing {{es}} data streams. Use classic streams when you want the ease of extracting fields and configuring data retention while working with data that's already being ingested into {{es}}.
 
@@ -22,13 +22,13 @@ Classic streams:
 - Can follow the data retention policy set in the existing index template.
 - Do not support hierarchical inheritance or cascading configuration updates.
 
-### Wired streams
+### Wired streams [streams-wired-streams]
 ```{applies_to}
 stack: preview 9.2
 serverless: preview
 ```
 
-Wired streams data is sent directly to a single endpoint, from which you can route data into child streams based on [partitioning](./management/partitioning.md) set up manually or with the help of AI suggestions.
+Wired streams send data directly to a single endpoint, from which you can route data into child streams based on [partitioning](./management/partitioning.md) set up manually or with the help of AI suggestions.
 
 Wired streams:
 - Allow you to organize streams in a parent-child hierarchy.
@@ -37,22 +37,22 @@ Wired streams:
 
 For more information, refer to [sending data to wired streams](./wired-streams.md).
 
-## Managed components
+## Managed components [streams-managed-components]
 When you configure classic or wired streams through the Streams UI or [Streams API](#streams-api), {{es}}-level components like templates and pipelines are created for the stream. These components are considered *managed* and shouldn't be modified using {{es}} APIs. When managing a stream through the Streams UI or API, continue doing so whenever possible.
 
 You can still edit non-managed ingest pipelines, templates, and other components, but avoid those marked as managed or any per-data-stream mappings and settings. This behavior is similar to how Elasticsearch handles components managed by integrations. Refer to the [**Advanced** tab](./management/advanced.md) to review managed components.
 
-## Required permissions
+## Required permissions [streams-required-permissions]
 
 Streams requires the following permissions:
 
 ::::{tab-set}
 
-:::{tab-item} Serverless
-Streams requires these Elastic Cloud Serverless roles:
+:::{tab-item} {{serverless-short}}
+Streams requires these {{serverless-full}} roles:
 
 - Admin: Ability to manage all Streams
-- Editor/Viewer: Limited access, unable to perform all actions
+- Editor/Viewer: Limited access, cannot perform all actions
 
 :::
 
@@ -71,15 +71,15 @@ For more information, refer to [Cluster privileges](elasticsearch://reference/el
 
 ::::
 
-## Access Streams
+## Access Streams [streams-access]
 
 Open Streams from the following places in {{kib}}:
 
 - Select **Streams** from the navigation menu or use the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md).
 
-- Open the data stream for a specific document from **Discover**. To do this, expand the details flyout for a document that's stored in a data stream, and select **Stream** or an action associated with the document's data stream. Streams will open filtered to the selected data stream.
+- Open the data stream for a specific document from **Discover**. To do this, expand the details flyout for a document that's stored in a data stream, and select **Stream** or an action associated with the document's data stream. Streams then opens filtered to the selected data stream.
 
-### Streams API
+### Streams API [streams-api]
 ``` yaml {applies_to}
 stack: preview 9.1
 serverless: preview