Skip to content

Fix code examples in doc for running Elastic Agent unprivileged #4070

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Fix code examples in doc for running Elastic Agent unprivileged #4070

Changes from 7 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
93a26b7
Initial plan
Copilot Nov 25, 2025
da74d8a
Fix documentation for unprivileged mode with pre-existing user and group
Copilot Nov 25, 2025
f35413c
Clarify that --user/--group are optional on Linux/macOS
Copilot Nov 25, 2025
9cdf6d9
Add synchronized tabs and fix remaining examples
Copilot Nov 25, 2025
534d8e7
Add tabs to initial install example in unprivileged mode section
Copilot Nov 25, 2025
cf0133d
Specify PowerShell before Windows install example
Copilot Nov 25, 2025
8efec3b
Format note block with bullet points for better readability
Copilot Nov 25, 2025
f1f0c9e
Fix documentation for unprivileged mode with pre-existing user and group
Copilot Nov 25, 2025
cfee58d
Fix note formatting: proper backtick around --password parameter
Copilot Nov 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
162 changes: 154 additions & 8 deletions reference/fleet/elastic-agent-unprivileged.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,37 @@ Refer to [Agent and dashboard behaviors in unprivileged mode](#unprivileged-comm

To run {{agent}} without administrative privileges you use exactly the same commands that you use for {{agent}} otherwise, with one exception. When you run the [`elastic-agent install`](/reference/fleet/agent-command-reference.md#elastic-agent-install-command) command, add the `--unprivileged` flag. For example:

:::::{tab-set}
:group: os

::::{tab-item} Linux/macOS
:sync: linux

```shell
elastic-agent install \
sudo elastic-agent install \
--url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 \
--enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== \
--unprivileged
```

::::

::::{tab-item} Windows
:sync: windows

From PowerShell:

```shell
elastic-agent install `
--url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 `
--enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== `
--unprivileged
```

::::

:::::

::::{important}
Note the following current restrictions for running {{agent}} in `unprivileged` mode:

Expand Down Expand Up @@ -153,18 +177,56 @@ For any installed {{agent}} you can change the mode that it’s running in by ru

Change mode from privileged to unprivileged:

:::::{tab-set}
:group: os

::::{tab-item} Linux/macOS
:sync: linux

```shell
sudo elastic-agent unprivileged
```

::::

::::{tab-item} Windows
:sync: windows

```shell
elastic-agent unprivileged
```

::::

:::::

Changing to `unprivileged` mode is prevented if the agent is currently enrolled in a policy that includes an integration that requires administrative access, such as the {{elastic-defend}} integration.

Change mode from unprivileged to privileged:

:::::{tab-set}
:group: os

::::{tab-item} Linux/macOS
:sync: linux

```shell
sudo elastic-agent privileged
```

::::

::::{tab-item} Windows
:sync: windows

```shell
elastic-agent privileged
```

::::

:::::

When an agent is running in `unprivileged` mode, if it doesn’t have the right level of privilege to read a data source, you can also adjust the agent’s privileges by adding `elastic-agent-user` to the user group that has privileges to read the data source.

As background, when you run {{agent}} in `unprivileged` mode, one user and one group are created on the host. The same names are used for all operating systems:
Expand All @@ -188,24 +250,108 @@ This functionality is in technical preview and may be changed or removed in a fu

In certain cases you may want to install {{agent}} in `unprivileged` mode, with the agent running as a pre-existing user or as part of a pre-existing group. For example, on a Windows system you may have a service account in Active Directory and you’d like {{agent}} to run under that account.

To install {{agent}} in `unprivileged` mode as a specific user, add the `--user` and `--password` parameters to the install command:
::::{note}
The `--password` parameter is only required on Windows.

On Linux and macOS, the `--user` and `--group` parameters are optional:
* If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`).
* If you specify only `--group`, the agent runs unprivileged under its default user but with the requested group.
::::

To install {{agent}} in `unprivileged` mode as a specific user or group, use the following commands:

:::::{tab-set}
:group: os

::::{tab-item} Linux/macOS
:sync: linux

To install with a specific user:

```shell
elastic-agent install --unprivileged --user="my.path\username" --password="mypassword"
sudo elastic-agent install --unprivileged --user="username"
```

To install {{agent}} in `unprivileged` mode as part of a specific group, add the `--group` and `--password` parameters to the install command:
To install with a specific group:

```shell
elastic-agent install --unprivileged --group="my.path\groupname" --password="mypassword"
sudo elastic-agent install --unprivileged --group="groupname"
```

Alternatively, if you have {{agent}} already installed with administrative privileges, you can change the agent to use `unprivileged` mode and to run as a specific user or in a specific group. For example:
To install with both a specific user and group:

```shell
elastic-agent unprivileged --user="my.path\username" --password="mypassword"
sudo elastic-agent install --unprivileged --user="username" --group="groupname"
```

::::

::::{tab-item} Windows
:sync: windows

On Windows, the `--password` parameter is required when specifying a custom user account.

To install as a specific user:

```shell
elastic-agent unprivileged --group="my.path\groupname" --password="mypassword"
elastic-agent install --unprivileged --user="my.domain\username" --password="mypassword"
```

To install as part of a specific group:

```shell
elastic-agent install --unprivileged --group="my.domain\groupname"
```

To install with both a specific user and group:

```shell
elastic-agent install --unprivileged --user="my.domain\username" --group="my.domain\groupname" --password="mypassword"
```

::::

:::::

Alternatively, if you have {{agent}} already installed with administrative privileges, you can change the agent to use `unprivileged` mode and to run as a specific user or in a specific group.

:::::{tab-set}
:group: os

::::{tab-item} Linux/macOS
:sync: linux

To change to a specific user:

```shell
sudo elastic-agent unprivileged --user="username"
```

To change to a specific group:

```shell
sudo elastic-agent unprivileged --group="groupname"
```

::::

::::{tab-item} Windows
:sync: windows

On Windows, the `--password` parameter is required when specifying a custom user account.

To change to a specific user:

```shell
elastic-agent unprivileged --user="my.domain\username" --password="mypassword"
```

To change to a specific group:

```shell
elastic-agent unprivileged --group="my.domain\groupname"
```

::::

:::::