-
Notifications
You must be signed in to change notification settings - Fork 83
/
Copy pathfleet-server.reference.yml
319 lines (308 loc) · 12.4 KB
/
fleet-server.reference.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
###################### fleet-server configuration example #########################
# This file contains all configuration options for the fleet-server.
# These options are either specified through configuration flags or the
# fleet-server integration when running under elastic-agent.
# A configuration file can also be used when running fleet-server in stand alone
# (development only).
##############################
# Output configuration
# controls how fleet-server connects to elasticsearch.
##############################
output:
elasticsearch:
# protocol - either http or https
protocol: http
hosts: ['localhost:9200']
service_token: 'example-token'
timeout: 90s
max_retries: 3
max_conn_per_host: 128
max_content_length: 1048576 # 10MiB
# service_token_path: /path/to/service-token
# path: /elasticsearch
# headers: {key: value}
# proxy_url: 'https://proxy:8080'
# proxy_disable: false
# proxy_headers: {key: value}
# ssl.enabled: true
# ssl.verification_mode: full
# ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# ssl.certificate: /creds/cert.pem # optional mTLS keypair used to connect to Elasticsearch
# ssl.key: /creds/key.pem # optional mTLS keypair used to connect to Elasticsearch
# ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# ssl.cipher_suites: []
# ssl.curve_types: []
# ssl.ca_sha256: []
# ssl.ca_trusted_fingerprint: 'CA-FINGERPRINT-VALUE'
# ssl.renegotiation: never
##############################
# Fleet configuration
# indicators automatically populated when fleet-server runs under the elastic-agent
# only needs fleet.agent.id in stand alone operation
##############################
fleet:
agent:
# The id is provided by elastic-agent if fleet-server is supervised by an agent
# It must be explicitly provided if fleet-server runs in stand-alone mode
id: fleet-server-agent-idv
# # version is the version of the elastic-agent instance
# version:
# # specify logging level
# # deprecated: Use the top level logging.* attributes instead.
# logging.level: info
# host:
# id:
# name:
##############################
# Input configuration
# Controls the fleet-server API.
# Expected to be a list with a single object that has "type: fleet-server"
# Provided through the integration settings when running under elastic-agent.
##############################
# inputs:
# - type: fleet-server
# # The policy ID is used by a fleet-server running under elastic-agent
# policy.id: '${FLEET_SERVER_POLICY_ID:fleet-server-policy}'
# server:
# # host is the hostname the external api will bind to.
# # If running under the elastic-agent this setting must be specified at install time, the attribute recieved from the policy is ignored.
# host: 0.0.0.0
# # port is the port number the external api will bind to.
# # If running under the elastic-agent this setting must be specified at install time, the attribute recieved from the policy is ignored.
# port: 8220
# # the internal_port specifies the port the internal api will bind to on localhost.
# # the internal api is used if by elastic-agent to communicate to fleet-server if the agent is running a fleet-server instance.
# internal_port: 8221
# static_policy_tokens:
# enabled: true
# policy_tokens:
# -
# # policy_id is the id of the policy the token is associated with.
# policy_id: "${FLEET_SERVER_POLICY_ID:fleet-server-policy}"
# # token_key is the key used to authenticate the token.
# token_key: "${FLEET_SERVER_POLICY_TOKEN_KEY:fleet-server-policy-token}"
# # ssl controls all ssl settings of the fleet-server apis (internal and external).
# ssl:
# enabled: false
# verification_mode: full
# supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# cipher_suites: []
# curve_types: []
# certificate_authorities: [] # CA used to verify client certs
# ca_sha256: []
# client_authentication: none # 'none', 'optional', or 'required'
# certificate: /creds/cert.pem
# key: /creds/key.pem
# key_passphrase_path: /creds/key.pem
#
# # timeouts controls various api timeouts
# timeouts:
# # read timeout is how long from connection ACCEPT to reading the entire body including TLS handshake.
# # this timeout includes authenication in most cases, and as a result a large value is used to accomodate authentication lag.
# read: 60s
# # read_header timeout covers ACCEPT to the end of the HTTP headers including TLS handshake.
# # this timeout is a preauth timeout.
# read_header: 5s
# # write is the response write timeout.
# # it may be altered for certain endpoints such as the checkin endpoint.
# write: 10m
# # idle is the timeout to keep the connection open when keep-alives are enabled.
# idle: 30s
# # checkin_long_poll is the amount of time the fleet-server will poll for new actions on the checkin endpoint.
# # a different value may be used if the request-body specifies it.
# checkin_long_poll: 5m
# # how often to update the agent document timestamp on a long-poll checkin request
# checkin_timestamp: 30s
# # checkin_jitter time may be subtracted from the long_poll time.
# # a 0 value disables jitter
# checkin_jitter: 30s
# # checkin_max_poll is the maximum long_poll value a client can request.
# checkin_max_poll: 1h
# # drain is the amount of time fleet-server will wait for HTTP connections to terminate on a shutdown signal before forcing all connections closed
# drain: 10s
#
# # profiler will bind Go's pprof endpoints to a new listener if enabled.
# profiler:
# enabled: false
# bind: localhost:6060
#
# # compressions sesttings for checkin responses if the request accepts gzip encoding
# compression_level: 1 # flate.BestSpeed
# compression_threshold: 1024
#
# # limits controls api and rate limits for the fleet-server
# # Note that use of limit attributes excluding max_agents is considered an advanced use case.
# # A 0 value will disable any specific limit.
# limits:
# # max_agents is the preffered way to set limits
# # If specified a set of other limits is automatically loaded.
# max_agents: 0
# # policy_throttle is the duration that the fleet-server will wait in between attempts to dispatch policy updates to polling agents
# # deprecated: replaced by policy_limit settings
# policy_throttle: 5ms # 1ms min is forced
# # max_header_byte_size is the request header size limit
# max_header_byte_size: 8192 # 8Kib
# # max_connections is the maximum number of connnections per API endpoint
# max_connections: 0
#
# # action_limit is a limiter for the action dispatcher, it is added to control how fast the checkin endpoint writes responses when an action effecting multiple agents is detected.
# # This is done in order to be able to reuse gzip writers if gzip is requested as allocating new writers is expensive (around 1.2MB for a new allocation).
# # If the interval is too high it may negativly effect assumtions around server write timeouts and poll poll durations, if used we expect the value to be around 5ms.
# # An interval value of 0 disables the limiter by using an infinite rate limit (default behavior).
# # Burst controls concurrency and has a larger influence on the gzip writer pool size (default 5).
# action_limit:
# interval: 0
# burst: 5
#
# # policy_limit is a limiter used to control how fast fleet-server sends POLICY_CHANGE actions to agents.
# # As with the action_limit settings this is done to avoid allocating a lot of gzip writers.
# # The default settings are to have the interval of 5ms with a burst of 1.
# # A min burst value of 1 is always enforced.
# # If no interval is specified, the policy_throttle may be used as the interval instead.
# # if both interval and policy_throttle are 0, a value of 1ns is used instead.
# policy_limit:
# interval: 5ms
# burst: 1
#
# # endpoint specific limits below
# checkin_limit:
# interval: 1ms
# burst: 1000
# max: 0
# max_body_byte_size: 1048567 # 1MiB
# artifact_limit:
# interval: 5ms
# burst: 25
# max: 50
# max_body_byte_size: 0
# enroll_limit:
# interval: 10ms
# burst: 100
# max: 50
# max_body_byte_size: 524288 # 512Kib
# ack_limit:
# interval: 10ms
# burst: 100
# max: 50
# max_body_byte_size: 2097152 # 2MiB
# status_limit:
# interval: 5ms
# burst: 25
# max: 50
# max_body_byte_size: 0
# upload_start_limit:
# interval: 3s
# burst: 8
# max: 3
# max_body_byte_size: 5242880 # 5MiB
# upload_chunk_limit:
# interval: 3s
# burst: 10
# max: 4
# max_body_byte_size: 4194304 # 4MiB - hard coded value # TODO check
# upload_end_limit:
# interval: 2s
# burst: 5
# max: 2
# max_body_byte_size: 1024
# file_delivery_limit:
# interval: 100ms
# burst: 8
# max: 5
# max_body_byte_size: 5242880 # 5MiB
# pgp_retrieval_limit:
# interval: 10ms
# burst: 100
# max: 50
# max_body_byte_size: 0
# audit_unenroll_limit:
# interval: 10ms
# burst: 100
# max: 50
# max_body_byte_size: 1024
#
# # go runtime limits
# runtime:
# gc_percent: 0
# memory_limit: math.MaxInt64
#
# # elasticsearch bulk client config
# bulk:
# flush_interval: 250ms
# flush_threshold_cnt: 2048
# flush_threshold_size: 1048567 # 1MiB
# flush_max_pending: 8
#
# # gc controls fleet-server index garbage collection operations
# # currently manages actions cleanup
# gc:
# schedule_interval: 1h
# cleanup_after_expired_interval: 30d
#
# # instrumentation controls APM tracing
# instrumentation:
# enabled: false
# tls:
# skip_verify: false
# server_certificate: ""
# server_ca: ""
# environment: ""
# api_key: ""
# api_key_path: ""
# secret_token: ""
# secret_token_path: ""
# hosts: []
# global_labels: ""
# transaction_sample_rate: ""
#
# # Add static token values to fleet-server
# static_policy_tokens:
# enabled: false
# policy_tokens:
# - token_key: "value"
# policy_id: "value"
#
# # configuration for pgp key endpoint
# pgp:
# upstream_url: "https://artifacts.elastic.co/GPG-KEY-elastic-agent"
# # By default dir is the directory containing the fleet-server executable (following symlinks) joined with elastic-agent-upgrade-keys
# dir: ./elastic-agent-upgrade-keys
# # monitor options are advanced configuration and should not be adjusted is most cases
# monitor:
# fetch_size: 1000 # The number of documents that each monitor may fetch at once
# poll_timeout: 4m # The poll timeout for each monitor's wait_for_advancement request
# policy_debounce_time: 1s # The debounce duration for the policy index monitor on successfull document retrievals.
##############################
# Logging configuration
# control logging output
# logging is disabled if to_files and to_stderr are both false.
##############################
logging:
level: info
# to_files will output logs to files as described by the logging.files attribute
to_files: true
# to_stderr forces logging output to stderr, logging.files is ignored in this case
to_stderr: false
# pretty will pretty print output if to_stderr: true is used
pretty: false
files:
path: "."
name: "fleet-server.log"
rotateeverybytes: 104857600 # 10MiB
keepfiles: 7
permissions: 0600
interval: 0
rotateonstartup: true
redirect_stderr: true
##############################
# Metrics endpoint configuration
# enables the stats endpoint at http://localhost:5601, disabled by default.
# Additional stats can be found under http://127.0.0.1:5066/stats and http://127.0.0.1:5066/state
##############################
http:
enabled: false
host: localhost
port: 5066
# # named_pipe attributes are used to bind the metrics endpoint to a Named Pipe on Windows systems.
# named_pipe.user: ""
# named_pipe.security_descriptor: ""