Merged
2 changes: 1 addition & 1 deletion reference/fleet/add_docker_metadata-processor.md
Expand Up @@ -52,7 +52,7 @@ If the Docker daemon is restarted, the mounted socket will become invalid, and m
#match_source: true
#match_source_index: 4
#match_short_id: true
#cleanup_timeout: 60
#cleanup_timeout: 60s
#labels.dedot: false
# To connect to Docker over TLS you must specify a client and CA certificate.
#ssl:
2 changes: 1 addition & 1 deletion reference/fleet/add_host_metadata-processor.md
Expand Up @@ -95,5 +95,5 @@ If `host.*` fields already exist in the event, they are overwritten by default u
| `geo.city_name` | No | | Name of the city. |
| `geo.country_iso_code` | No | | ISO country code. |
| `geo.region_iso_code` | No | | ISO region code. |
| `replace_fields` | No | `true` | Whether to replace original host fields from the event. If set `false`, original host fields from the event are not replaced by host fields from `add_host_metadata`. |
| `replace_fields` | No | `true` | Whether to replace existing host fields in the event. If `true` (default), the processor always runs and overwrites any existing `host.*` fields with metadata from `add_host_metadata`. If `false`, the processor only adds metadata when no `host.*` fields exist in the event or when only `host.name` is present. If other host fields exist, the processor is skipped entirely. |
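
Review bot: The new `replace_fields` description states that with `false` the processor is "skipped entirely" whenever any host field other than `host.name` is present, which means the event keeps whatever `host.*` values it arrived with. That is a behaviour claim readers will rely on when deciding whether forwarded events can carry sender-supplied host data, so it should be confirmed against the processor code before merge. The cell is also long for a table; consider moving the `true`/`false` cases into the paragraph above the table that already begins "If `host.*` fields already exist in the event, they are overwritten by default".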

2 changes: 1 addition & 1 deletion reference/fleet/add_kubernetes_metadata-processor.md
Expand Up @@ -63,7 +63,7 @@ This configuration enables the processor on an {{agent}} running as a process on
host: <hostname>
# If kube_config is not set, KUBECONFIG environment variable will be checked
# and if not present it will fall back to InCluster
kube_config: ${fleet} and {agent} Guide/.kube/config
kube_config: ~/.kube/config
Member

Wowzer. This must've been a bad regex match? Good find.

# Defining indexers and matchers manually is required for {beatname_lc}, for instance:
#indexers:
# - ip_port:
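
Review bot: `kube_config: ~/.kube/config` depends on `~` being expanded by whatever reads this file; YAML itself does not expand it, and when the agent runs as a service the home directory is that of the service account, not of the person editing the config. Please confirm the processor resolves `~`, or use an absolute placeholder path such as `/home/<user>/.kube/config` in the example.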
3 changes: 2 additions & 1 deletion reference/fleet/configure-standalone-elastic-agents.md
Expand Up @@ -39,7 +39,8 @@ inputs:
data_stream.namespace: default
use_output: default
streams:
- metricset: cpu
- metricsets:
- cpu
data_stream.dataset: system.cpu
```

2 changes: 1 addition & 1 deletion reference/fleet/data-streams-scenario2.md
Expand Up @@ -10,7 +10,7 @@ products:
# Scenario 2: Apply an ILM policy to specific data streams generated from Fleet integrations across all namespaces [data-streams-scenario2]


Mappings and settings for data streams can be customized through the creation of `*@custom` component templates, which are referenced by the index templates created by the {{es}} apm-data plugin. The easiest way to configure a custom index lifecycle policy per data stream is to edit this template.
Mappings and settings for data streams can be customized through the creation of `*@custom` component templates, which are referenced by the index templates created by each integration. The easiest way to configure a custom index lifecycle policy per data stream is to edit this template.

This tutorial explains how to apply a custom index lifecycle policy to the `logs-system.auth` data stream.

8 changes: 4 additions & 4 deletions reference/fleet/decode_duration-processor.md
Expand Up @@ -27,8 +27,8 @@ processors:

## Configuration settings [_configuration_settings_21]

| Name | Required | Default | Description | |
| --- | --- | --- | --- | --- |
| `field` | yes | | Which field of event needs to be decoded as `time.Duration` | |
| `format` | yes | `milliseconds` | Supported formats: `milliseconds`/`seconds`/`minutes`/`hours` | |
| Name | Required | Default | Description |
| --- | --- | --- | --- |
| `field` | yes | | Which field of event needs to be decoded as `time.Duration` |
| `format` | yes | `milliseconds` | Supported formats: `milliseconds`/`seconds`/`minutes`/`hours` |
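
Review bot: In the cleaned-up table, `format` is still listed as Required `yes` with a Default of `milliseconds`; a setting that has a default is normally not required. Since these rows are being touched anyway, set Required to `no` for `format` or drop the default, whichever matches the processor.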

6 changes: 3 additions & 3 deletions reference/fleet/decode_xml_wineventlog-processor.md
Expand Up @@ -149,10 +149,10 @@ If `map_ecs_fields` is enabled then the following field mappings are also perfor
| --- | --- | --- |
| `event.code` | `winlog.event_id` | |
| `event.kind` | `"event"` | |
| `event.provider` | `<Event><System><Provider>` | `Name` attribute |
| `event.action` | `<Event><RenderingInfo><Task>` | |
| `event.host.name` | `<Event><System><Computer>` | |
| `event.provider` | `winlog.provider_name` | `Name` attribute |
| `event.action` | `winlog.task` | |
| `event.outcome` | `winlog.outcome` | |
| `host.name` | `winlog.computer_name` | |
Comment on lines +152 to +155
Member

I'm not sure how to validate these changes

Contributor Author

@vishaangelova vishaangelova Nov 19, 2025

@bmorelli25, yeah, I should have added a note about this change as it’s not obvious. Originally, Cursor only highlighted that event.host.name should be changed to host.name. Here’s what it said:

  1. decode_xml_wineventlog-processor.md - Inconsistent Field Mapping Documentation
    File: decode_xml_wineventlog-processor.md (Lines 148-158)
    Issue: The ECS field mapping table shows event.host.name but this is not a standard ECS field. The correct field is host.name.
    Current Documentation:
    | event.host.name | <Event><System><Computer> |
    Recommendation:
    | host.name | <Event><System><Computer> |
    Based on the source code and the actual output example in the same file (lines 49-51), the correct ECS field is host.name, not event.host.name.

So I went ahead and checked the example it refers to on lines 39-87 (this is a link to the original doc before the current change).

Because the original table for mapping the ECS fields, where the AI found the error, was inconsistent in how it referred to the winlog fields, I checked the example and figured out I could replace <Event><System><Provider> with the respective winlog field name that matched based on the example - see lines 47 and 61.

I applied the same logic for the other changes in the Field column - checking against the winlog fields that are in the example. Does that make sense?

It made sense to me, but I’m not an expert, so if you think it would be safer to stick with the original values, I can revert these changes and we could only keep event.host.name -> host.name. Or revert that as well?

Contributor Author

@vishaangelova vishaangelova Nov 19, 2025

Just another thought:

So the doc includes two tables at the end:

Because the second column says “Source XML or other field”, I suppose it’s not incorrect to have mixed values in this column, including both winlog fields and the original event information, so my change may be unnecessary. But they’re essentially the same thing as far as I understand (because of the mapping: original event info -> winlog fields -> ECS fields).

Hmm 🤔 If we go with the winlog fields as the values in the “Source XML or other field” column, then maybe the third column “Notes” and the information about the Name attribute should also be deleted.

Member

Thanks for the explanation.

So I agree that event.host.name -> host.name is definitely correct as ECS doesn’t have event.host.name.

And I now understand what the other changes are. I guess whether the “Source XML or other field” column says winlog.provider_name or <Event><System><Provider> is just a question of which stage in the pipeline we choose to show. The value itself is the same.

Also the column is literally titled “Source XML or other field”, so having a mix of raw XML and winlog.* is not incorrect. Standardizing on winlog where we already have a clear winlog mapping arguably makes the ECS table easier to read.

Also also, if the source column says winlog.provider_name, I still think it’s helpful to say that it “comes from the provider Name attribute” in the notes (as the Guid attribute matches the same pattern). So I don't think I'd get rid of that.

You could have an extra column and call out XML in one column and field in the other. But idk if that's needed.

tl;dr I think this is an okay change as the information is correct and the table is now easier to read.

| `log.level` | `winlog.level` | |
| `message` | `winlog.message` | |
| `error.code` | `winlog.error.code` | |
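
Review bot: On the `event.provider` row the source is now `winlog.provider_name`, but the Notes cell still reads only "`Name` attribute", which no longer has an XML element next to it to refer to. Keeping the note is fine, as agreed in the thread above, but spell it out, for example "from the `Name` attribute of `<Event><System><Provider>`", so the row is self-contained.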
6 changes: 4 additions & 2 deletions reference/fleet/dynamic-input-configuration.md
Expand Up @@ -184,7 +184,8 @@ inputs:
- id: unique-system-metrics-id
type: system/metrics
streams:
- metricset: load
- metricsets:
- load
data_stream.dataset: system.cpu
condition: ${host.platform} != 'windows'
```
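
Review bot: The stream now lists the `load` metricset, but the unchanged next line still sets `data_stream.dataset: system.cpu`, so the example routes load metrics into the CPU dataset. This looks like it should be `system.load`, here and in the following hunk (`@@ -196,7 +197,8 @@`), which has the same pair of lines.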
Expand All @@ -196,7 +197,8 @@ inputs:
- id: unique-system-metrics-id
type: system/metrics
streams:
- metricset: load
- metricsets:
- load
data_stream.dataset: system.cpu
processors:
- add_fields:
4 changes: 2 additions & 2 deletions reference/fleet/elastic-agent-container.md
Expand Up @@ -189,10 +189,10 @@ If you’d like to run {{agent}} in a Docker container on a read-only file syste
For example:

```bash subs=true
docker run --rm --mount source=$(pwd)/state,destination=/state -e {STATE_PATH}=/state --read-only docker.elastic.co/elastic-agent/elastic-agent:{{version.stack}} <1>
docker run --rm --mount source=$(pwd)/state,destination=/state -e STATE_PATH=/state --read-only docker.elastic.co/elastic-agent/elastic-agent:{{version.stack}} <1>
```

1. Where `{STATE_PATH}` is the path to a stateful directory to mount where {{agent}} application data can be stored.
1. Where `STATE_PATH` is the path to a stateful directory to mount where {{agent}} application data can be stored.

You can also add `type=tmpfs` to the mount parameter (`--mount type=tmpfs,destination=/state...`) to specify a temporary file storage location. This should be done with caution as it can cause data duplication, particularly for logs, when the container is restarted, as no state data is persisted.
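
Review bot: The callout now says `STATE_PATH` "is the path to a stateful directory to mount", but in the command `STATE_PATH=/state` is an environment variable holding the container-side path, while the host directory is `$(pwd)/state`. Reword the callout to say that, and consider writing the mount with an explicit `type=bind` so it is clearly distinguished from the `type=tmpfs` variant described in the paragraph below.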

2 changes: 1 addition & 1 deletion reference/fleet/elasticsearch-output.md
Expand Up @@ -248,7 +248,7 @@ Settings used to parse, filter, and transform data.
```yaml
outputs:
default:
type: elasticsearchoutput.elasticsearch:
type: elasticsearch
hosts: ["http://localhost:9200"]
pipeline: my_pipeline_id
```
10 changes: 5 additions & 5 deletions reference/fleet/install-standalone-elastic-agent.md
Expand Up @@ -106,12 +106,12 @@ To install and run {{agent}} standalone:
You can use either of the two command formats to set the `ELASTIC_AGENT_FLAVOR` environment variable:

```shell subs=true
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{{version.stack}}-amd64.deb
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{{version.stack}}-x86_64.rpm
sudo ELASTIC_AGENT_FLAVOR=servers rpm -vi elastic-agent-{{version.stack}}-x86_64.rpm
```

```shell subs=true
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{{version.stack}}-amd64.deb
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{{version.stack}}-x86_64.rpm
ELASTIC_AGENT_FLAVOR=servers sudo -E rpm -vi elastic-agent-{{version.stack}}-x86_64.rpm
```
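
Review bot: The second block runs `ELASTIC_AGENT_FLAVOR=servers sudo -E rpm -vi ...`, and `sudo -E` passes the caller's whole environment to the root process, not just the flavor variable; it can also be refused by the sudoers policy. Since the two forms are presented as interchangeable, either recommend the first one or narrow the second to `sudo --preserve-env=ELASTIC_AGENT_FLAVOR`.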

Expand Down Expand Up @@ -163,7 +163,7 @@ To install and run {{agent}} standalone:
sudo ./elastic-agent install
```

By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--ìnstall-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.
By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--install-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.

::::

Expand All @@ -177,7 +177,7 @@ To install and run {{agent}} standalone:
sudo ./elastic-agent install
```

By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--ìnstall-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.
By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--install-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.

::::

Expand All @@ -191,7 +191,7 @@ To install and run {{agent}} standalone:
.\elastic-agent.exe install
```

By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--ìnstall-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.
By default the {{agent}} basic flavor is installed. To install the servers flavor, add the `--install-servers` parameter. Refer to [{{agent}} installation flavors](./install-elastic-agents.md#elastic-agent-installation-flavors) for details.

::::

9 changes: 5 additions & 4 deletions reference/fleet/kubernetes-provider.md
Expand Up @@ -150,11 +150,12 @@ For example, if the Kubernetes provider provides the following inventory:
{
"id": "1",
"mapping:": {"namespace": "kube-system", "pod": {"name": "kube-controllermanger"}},
"processors": {"add_fields": {"kuberentes.namespace": "kube-system", "kubernetes.pod": {"name": "kube-controllermanger"}}
"processors": {"add_fields": {"kuberentes.namespace": "kube-system", "kubernetes.pod": {"name": "kube-controllermanger"}}}
},
{
"id": "2",
"mapping:": {"namespace": "kube-system", "pod": {"name": "kube-scheduler"}},
"processors": {"add_fields": {"kubernetes.namespace": "kube-system", "kubernetes.pod": {"name": "kube-scheduler"}}
"processors": {"add_fields": {"kubernetes.namespace": "kube-system", "kubernetes.pod": {"name": "kube-scheduler"}}}
}
]
```
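
Review bot: The added line for id 1 closes the braces but keeps the key `kuberentes.namespace`, while id 2 uses `kubernetes.namespace`; fix the spelling in the same change. The context lines also carry the colon inside the key (`"mapping:":`) and the pod name `kube-controllermanger`, which look like typos for `"mapping":` and `kube-controllermanager`.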
Expand All @@ -163,8 +164,8 @@ For example, if the Kubernetes provider provides the following inventory:

```json
[
{"kubernetes": {"id": "1", "namespace": {"name": "kube-system"}, "pod": {"name": "kube-controllermanger"}},
{"kubernetes": {"id": "2", "namespace": {"name": "kube-system"}, "pod": {"name": "kube-scheduler"}},
{"kubernetes": {"id": "1", "namespace": {"name": "kube-system"}, "pod": {"name": "kube-controllermanger"}}},
{"kubernetes": {"id": "2", "namespace": {"name": "kube-system"}, "pod": {"name": "kube-scheduler"}}}
]
```

1 change: 0 additions & 1 deletion reference/fleet/ls-output-settings.md
Expand Up @@ -38,7 +38,6 @@ output {
elasticsearch {
hosts => ["http://localhost:9200"] <2>
# cloud_id => "..."
data_stream => "true"
api_key => "<api_key>" <3>
data_stream => true
ssl_enabled => true
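
Review bot: With the duplicate `data_stream` removed, the block still pairs `hosts => ["http://localhost:9200"]` with `ssl_enabled => true`. Check whether the host URL should use `https://` so the example is consistent with TLS being enabled.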
14 changes: 7 additions & 7 deletions reference/fleet/move_fields-processor.md
Expand Up @@ -84,11 +84,11 @@ Your final event will be:

## Configuration settings [_configuration_settings_32]

| Name | Required | Default | Description | |
| --- | --- | --- | --- | --- |
| `from` | no | | Which field you want extract. This field and any nested fields will be moved into `to` unless they are filtered out. If empty, indicates event root. | |
| `fields` | no | | Which fields to extract from `from` and move to `to`. An empty list indicates all fields. | |
| `ignore_missing` | no | false | Ignore "not found" errors when extracting fields. | |
| `exclude` | no | | A list of fields to exclude and not move. | |
| `to` | yes | | These fields extract from `from` destination field prefix the `to` will base on fields root. | |
| Name | Required | Default | Description |
| --- | --- | --- | --- |
| `from` | no | | Which field you want extract. This field and any nested fields will be moved into `to` unless they are filtered out. If empty, indicates event root. |
| `fields` | no | | Which fields to extract from `from` and move to `to`. An empty list indicates all fields. |
| `ignore_missing` | no | false | Ignore "not found" errors when extracting fields. |
| `exclude` | no | | A list of fields to exclude and not move. |
| `to` | yes | | These fields extract from `from` destination field prefix the `to` will base on fields root. |
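
Review bot: The `to` description, "These fields extract from `from` destination field prefix the `to` will base on fields root.", is carried over unchanged and cannot be parsed as a sentence. While the table is being rewritten, replace it with a plain statement of what `to` is, and fix "Which field you want extract" in the `from` row.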

2 changes: 1 addition & 1 deletion reference/fleet/registered_domain-processor.md
Expand Up @@ -22,7 +22,7 @@ This processor uses the Mozilla Public Suffix list to determine the value.
field: dns.question.name
target_field: dns.question.registered_domain
target_etld_field: dns.question.top_level_domain
target_subdomain_field: dns.question.sudomain
target_subdomain_field: dns.question.subdomain
ignore_missing: true
ignore_failure: true
```
2 changes: 1 addition & 1 deletion reference/fleet/secure-connections.md
Expand Up @@ -224,7 +224,7 @@ To encrypt traffic between {{agent}}s, {{fleet-server}}, and {{es}}:
`elastic-agent-cert-key`
: The path to the private key to use as for {{agent}}'s connections to {{fleet-server}}.

`elastic-agent-cert-key`
`elastic-agent-cert-key-passphrase`
: The path to the file that contains the passphrase for the mutual TLS private key that {{agent}} will use to connect to {{fleet-server}}. The file must only contain the characters of the passphrase, no newline or extra non-printing characters. This option is only used if the `elastic-agent-cert-key` is encrypted and requires a passphrase to use.

`fleet-server-es-cert`
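
Review bot: The corrected `elastic-agent-cert-key-passphrase` entry tells readers to put the passphrase in a file but says nothing about who may read that file. Add a sentence recommending that it be readable only by the account that runs the agent. The context line for `elastic-agent-cert-key` also has a typo, "to use as for".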
2 changes: 1 addition & 1 deletion reference/fleet/tls-overview.md
Expand Up @@ -64,7 +64,7 @@ elastic-agent install --url=https://your-fleet-server.elastic.co:443 \
--certificate-authorities=/path/to/fleet-ca,/path/to/agent-ca \
--elastic-agent-cert=/path/to/agent-cert \
--elastic-agent-cert-key=/path/to/agent-cert-key \
--elastic-agent-cert-key=/path/to/agent-cert-key-passphrase \
--elastic-agent-cert-key-passphrase=/path/to/agent-cert-key-passphrase \
--fleet-server-es=https://es.elastic.com:443 \
--fleet-server-es-ca=/path/to/es-ca \
--fleet-server-es-cert=/path/to/fleet-es-cert \