Understanding Headers in Elastic Agents: Normal Mode vs. Fleet Server Mode
Elastic Agents are flexible and powerful tools used within the Elastic Stack for collecting and shipping logs, metrics, and other data to Elasticsearch. However, the headers they use can vary depending on whether they are running in “normal” mode or acting as a Fleet Server. Let’s explore these differences.
Note that a Fleet Server is just a special instance of an Elastic Agent, running in “normal” mode. See “What is Fleet Server? | Elastic” for details.
Headers Used in Normal Mode
When an Elastic Agent is running in standard mode, it primarily focuses on collecting and sending data to Elasticsearch or a Logstash service. Some common headers used in this mode include:
Authorization: This header is used to pass the API token or credentials necessary for authenticating with Elasticsearch or Kibana, and starts with “ApiKey”.
User-Agent: This header provides information about the Elastic Agent version and its environment, such as the operating system and agent version. It starts with “Elastic-Agent”.
Headers Used When Acting as a Fleet Server
When an agent is running as a Fleet Server, it assumes additional responsibilities. It uses the same headers as a standard Elastic Agent, but with different content. The differences include:
Authorization: This header is used to pass the Bearer token or credentials necessary for authenticating with Elasticsearch or Kibana, and starts with “Bearer”.
User-Agent: This header contains the version and its environment (such as the operating system used) and reflects the fact that Elastic Agent is running as a Fleet Server.
Conclusion
Understanding the different headers used by Elastic Agents in various modes is essential for ensuring smooth operation within your Elastic deployment, especially when you have some network gateways between the agent or fleet server and the Elasticsearch service.
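A gateway-side check built from the header prefixes described above, as an added example that is not part of the original post or of any Elastic tooling: it classifies a request by its Authorization scheme and User-Agent prefix, flags requests whose headers look stripped or inconsistent, and redacts the credential before logging. The function names and the sample requests are assumptions constructed for illustration.

```python
from collections import Counter

def _get(headers, name):
    """HTTP header names are case-insensitive; return '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def classify(headers):
    """Return (mode, note) for one request, using the prefixes named on this page."""
    auth = _get(headers, "Authorization")
    agent = _get(headers, "User-Agent")
    if not auth:
        return "unknown", "no Authorization header (stripped by a gateway?)"
    scheme = auth.split(None, 1)[0]
    if scheme == "ApiKey":
        if agent.startswith("Elastic-Agent"):
            return "agent", "ok"
        return "agent", "ApiKey auth but User-Agent is not Elastic-Agent"
    if scheme == "Bearer":
        return "fleet-server", "ok"
    return "unknown", "unexpected Authorization scheme " + scheme

def redact(headers):
    """Copy of the headers with the credential removed, safe to write to logs."""
    out = {}
    for key, value in headers.items():
        if key.lower() == "authorization" and value.strip():
            out[key] = value.split(None, 1)[0] + " [REDACTED]"
        else:
            out[key] = value
    return out

def summarize(requests):
    """Count requests per (mode, note) pair, e.g. for a periodic gateway report."""
    return Counter(classify(r) for r in requests)

# Constructed sample requests: tokens and version strings are made up.
SAMPLES = [
    {"Authorization": "ApiKey ZXhhbXBsZQ==", "User-Agent": "Elastic-Agent v0.0.0 (constructed)"},
    {"authorization": "Bearer example-token", "user-agent": "constructed Fleet Server UA"},
    {"User-Agent": "Elastic-Agent v0.0.0 (constructed)"},
    {"Authorization": "ApiKey ZXhhbXBsZQ==", "User-Agent": "other-client/1.0"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(classify(req), redact(req))
```

The third sample shows what a gateway that drops the Authorization header looks like from the Elasticsearch side, which is the failure the conclusion warns about.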