In our R&D environment, we frequently create and destroy Windows and Linux servers, which we enroll into Fleet using the Elastic Agent. Each server group is assigned a randomly generated name that users receive upon deployment, and we want to link the enrolled agents to their respective groups for easier log filtering.
I've tried using the --tag option during the enrollment process, but from what I understand, Fleet UI tags don’t appear in the Discover page when viewing logs. I couldn’t find a way to link these tags from the Fleet UI to the logs in Discover.
Adding a picture of how we see the tags in the fleet page:
Since we need to keep our agents fleet-managed, what would be the best approach to assign groups to agents and make those groups available for log filtering?
Would it be possible to use custom metadata, labels, or another method to achieve this? Any guidance would be greatly appreciated!
You would need to have a different agent policy for each group, then you can add a custom field in each policy with information that can be used for filtering.
In the settings for each policy you have an option to add custom fields, but this depends on the version of the stack you are on; I think this has been possible since 8.15.x.
The challenge is that I don’t know the group names in advance—they are randomly generated. Creating a separate policy for each group wouldn’t be practical, as we often have 300+ groups, which would become difficult to manage.
Each environment consists of three consistent servers: two Ubuntu servers and one Windows server. To streamline deployment, I’ve created three policies (aside from the Fleet policy) based on server type:
Ubuntu Server 1 → First Ubuntu Policy
Ubuntu Server 2 → Second Ubuntu Policy
Windows Server → First Windows Policy
Every new group follows the same structure but with different group names. For example:
Group foo:
Ubuntu-1 → First Ubuntu Policy
Ubuntu-2 → Second Ubuntu Policy
Windows-1 → First Windows Policy
Group bar:
Ubuntu-1 → First Ubuntu Policy
Ubuntu-2 → Second Ubuntu Policy
Windows-1 → First Windows Policy
Instead of creating a new policy per group, my idea was to assign the group name as a label or metadata field to the agent during enrollment, so I can later filter logs based on that group. Is there a way to achieve this within Fleet-managed agents?
Thinking about it more, I think you may not need one policy per group; maybe you could just use the same policies, but use an environment variable in the custom field.
This environment variable would need to exist on every machine and be a system-level variable that the Elastic Agent process has access to.
I have attempted a similar approach but haven't had success.
During the deployment process, I add an environment variable named "environment" to each machine, setting it to the appropriate group name. Additionally, I modify the custom field settings in the policy. However, the logs are not displaying completely.
If I remove the custom field, the logs return to Elastic, but without the custom field applied.
You would need to check in the Agent logs to see if there is any issue.
Also, I would not test this globally, but create a new policy and test with just a couple of agents.
After adding the environment variable, did you restart the agents? If you didn't restart it, they may not know about the existence of the variable, so they may not work correctly.
I found the issue—setting the environment variable in /etc/environment, declaring it at runtime, or exporting it before running the enrollment didn’t work for me. What did work was adding the environment variable directly in the service configuration file on my Ubuntu machine:
This ensured the service correctly picked up the environment variable, and logs started shipping properly. I discovered this by checking the service settings in /etc/systemd/system/elastic-agent.service, where I found the EnvironmentFile directive pointing to the above path.
On Windows, however, simply setting the environment variable globally worked without needing to modify the service configuration.
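The Ubuntu fix above comes down to one thing: the variable has to be in the file that the elastic-agent unit's EnvironmentFile= directive loads, not in /etc/environment or a login shell, and the service has to be restarted afterwards. The script below is an added example, not code from the thread or from Elastic; it reads the EnvironmentFile path out of the unit (the thread confirms the directive but never shows the path, so the script does not assume one), sets the variable idempotently, and includes a check that reads the running agent's own environment from /proc so you can prove the process sees it. It assumes the unit lives at /etc/systemd/system/elastic-agent.service as in the post, uses the variable name "environment" from the post, and the demo at the end runs only against constructed files in a temp directory.

```shell
#!/bin/sh
# Added example (not from the thread or from Elastic): put a per-host group
# name into the env file that the elastic-agent systemd unit loads.
# Assumptions: unit at /etc/systemd/system/elastic-agent.service with an
# EnvironmentFile= line; variable name "environment" as used in the thread.
set -eu

# Print the path(s) named by EnvironmentFile= in a unit file, one per line,
# with systemd's optional "-" (ignore-if-missing) prefix stripped.
envfile_from_unit() {
    unit="$1"
    sed -n 's/^[[:space:]]*EnvironmentFile=-\{0,1\}//p' "$unit"
}

# Idempotently set KEY=VALUE in an env file: drop any existing KEY= line, then
# append. The file is loaded by a root service, so it is forced to 0644;
# a world-writable env file would let any local user inject variables
# (and thus configuration) into the agent process.
set_env_in_file() {
    file="$1"; key="$2"; value="$3"
    case "$key" in
        *[!A-Za-z0-9_]*|"") echo "invalid variable name: $key" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if grep -q "^${key}=" "$file"; then
        tmp="${file}.tmp.$$"
        grep -v "^${key}=" "$file" > "$tmp" || true   # grep -v exits 1 when nothing remains
        mv "$tmp" "$file"
    fi
    printf '%s=%s\n' "$key" "$value" >> "$file"
    chmod 0644 "$file"
}

# Read KEY back from an env file the way systemd resolves it (last line wins).
# Quoting rules of EnvironmentFile are not modelled here; keep values unquoted.
env_value() {
    file="$1"; key="$2"
    sed -n "s/^${key}=//p" "$file" | tail -n 1
}

# Dump the environment of the unit's main process. This is the only check that
# proves the agent itself (not your shell) sees the variable. Needs root to
# read /proc/<pid>/environ of a root-owned service. Not run in the demo.
running_service_env() {
    pid="$(systemctl show -p MainPID --value "$1")"
    [ "${pid:-0}" -gt 0 ] || { echo "$1 is not running" >&2; return 1; }
    tr '\0' '\n' < "/proc/$pid/environ"
}

# Demo on constructed files only (safe to run anywhere, no systemd needed).
demo() {
    d="$(mktemp -d)"
    # Constructed unit fragment; the EnvironmentFile location is made up for
    # the demo and is not a claim about the real package's unit file.
    cat > "$d/elastic-agent.service" <<EOF
[Service]
EnvironmentFile=-$d/default/elastic-agent
ExecStart=/usr/bin/elastic-agent
EOF
    envfile="$(envfile_from_unit "$d/elastic-agent.service" | head -n 1)"
    set_env_in_file "$envfile" environment foo
    set_env_in_file "$envfile" environment bar   # replaces, does not duplicate
    echo "env file: $envfile"
    cat "$envfile"
    echo "resolved: environment=$(env_value "$envfile" environment)"
    rm -rf "$d"
}
demo

# On a real host (as root), e.g. with GROUP set by your deployment tooling:
#   f="$(envfile_from_unit /etc/systemd/system/elastic-agent.service | head -n 1)"
#   set_env_in_file "$f" environment "$GROUP"
#   systemctl restart elastic-agent
#   running_service_env elastic-agent | grep '^environment='
```

The restart step is what the thread's earlier reply was getting at: systemd reads EnvironmentFile when it starts the unit, so editing the file alone changes nothing for the already-running agent. If `running_service_env` does not show the variable after the restart, the policy's custom field has nothing to resolve, which matches the "logs not displaying completely" symptom described above.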