With 7.14.0 Elasticsearch has started validating
agent.id using the
.fleet_final_pipeline-1 (see the PR), which greatly improves security.
While using Elastic-Agent to fetch information from servers, e.g. web-logs, we would like to make sure that the hostname of the web-server the agent runs on is trusted and has not been tampered with. This would allow us to confidently link events to servers without looking up the
agent.id. The certificate issued to the Elastic-Agent to converse with Fleet has
cn=<hostname> as the subject name, so there is a trusted source of this information (the signed certificate).
Is there a way to associate that certificate subject name with the API key given to the Elastic-Agent (in the same way the
agent.id is) so the
.fleet_final_pipeline-1 can check the
hostname or certificate subject name as well as just the