Skip to content

Fix code examples in doc for running Elastic Agent unprivileged #4070

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
+155 −13
Open

Fix code examples in doc for running Elastic Agent unprivileged #4070

Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
93a26b7
Initial plan
Copilot Nov 25, 2025
da74d8a
Fix documentation for unprivileged mode with pre-existing user and group
Copilot Nov 25, 2025
f35413c
Clarify that --user/--group are optional on Linux/macOS
Copilot Nov 25, 2025
9cdf6d9
Add synchronized tabs and fix remaining examples
Copilot Nov 25, 2025
534d8e7
Add tabs to initial install example in unprivileged mode section
Copilot Nov 25, 2025
cf0133d
Specify PowerShell before Windows install example
Copilot Nov 25, 2025
8efec3b
Format note block with bullet points for better readability
Copilot Nov 25, 2025
f1f0c9e
Fix documentation for unprivileged mode with pre-existing user and group
Copilot Nov 25, 2025
cfee58d
Fix note formatting: proper backtick around --password parameter
Copilot Nov 25, 2025
1241718
Update reference/fleet/elastic-agent-unprivileged.md
vishaangelova Nov 28, 2025
f9da888
Remove nested bullet points, format as paragraphs under list items
Copilot Nov 28, 2025
74d4523
Merge branch 'main' into copilot/fix-docs-unprivileged-mode
vishaangelova Nov 28, 2025
072e1f4
Update reference/fleet/elastic-agent-unprivileged.md
vishaangelova Nov 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
168 changes: 155 additions & 13 deletions reference/fleet/elastic-agent-unprivileged.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,29 +28,53 @@

To run {{agent}} without administrative privileges you use exactly the same commands that you use for {{agent}} otherwise, with one exception. When you run the [`elastic-agent install`](/reference/fleet/agent-command-reference.md#elastic-agent-install-command) command, add the `--unprivileged` flag. For example:

:::::{tab-set}
:group: os

::::{tab-item} Linux/macOS
:sync: linux

```shell
elastic-agent install \
sudo elastic-agent install \
--url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 \
--enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== \
--unprivileged
```

::::

::::{tab-item} Windows
:sync: windows

From PowerShell:

```shell
elastic-agent install `
--url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 `
--enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== `
--unprivileged
```

::::

:::::

::::{important}
Note the following current restrictions for running {{agent}} in `unprivileged` mode:

* On Linux systems, after {{agent}} has been installed with the `--unprivileged` flag, all {{agent}} commands can be run without being the root user.

* The `sudo` option is still required for the `elastic-agent install` command. Only `root` can install new services. The installed service will not run as the root user.
The `sudo` option is still required for the `elastic-agent install` command. Only `root` can install new services. The installed service will not run as the root user.

Check notice on line 67 in reference/fleet/elastic-agent-unprivileged.md

View workflow job for this annotation

GitHub Actions / vale 

Elastic.FutureTense: 'will not' might be in future tense. Write in the present tense to describe the state of the product as it is now.

* Using `sudo` without specifying an alternate non-root user with `sudo -u` in a command may result in [an error](/troubleshoot/ingest/fleet/common-problems.md#agent-sudo-error) due to the agent not having the required privileges.
* Using `sudo -u elastic-agent-user` will run commands as the user running the {{agent}} service and will always work.
* For files that allow users in the `elastic-agent` group access, using an alternate user that has been added to that group will also work. There are still some commands that are only accessible to the `elastic-agent-user` that runs the service.

* For example, `elastic-agent inspect` requires you to prefix the command with `sudo -u elastic-agent-user`.
For example, `elastic-agent inspect` requires you to prefix the command with `sudo -u elastic-agent-user`.

```shell
sudo -u elastic-agent-user elastic-agent inspect
```
```shell
sudo -u elastic-agent-user elastic-agent inspect
```


::::
Expand Down Expand Up @@ -153,18 +177,56 @@

Change mode from privileged to unprivileged:

:::::{tab-set}
:group: os

::::{tab-item} Linux/macOS
:sync: linux

```shell
sudo elastic-agent unprivileged
```

::::

::::{tab-item} Windows
:sync: windows

```shell
elastic-agent unprivileged
```

::::

:::::

Changing to `unprivileged` mode is prevented if the agent is currently enrolled in a policy that includes an integration that requires administrative access, such as the {{elastic-defend}} integration.

Change mode from unprivileged to privileged:

:::::{tab-set}
:group: os

::::{tab-item} Linux/macOS
:sync: linux

```shell
sudo elastic-agent privileged
```

::::

::::{tab-item} Windows
:sync: windows

```shell
elastic-agent privileged
```

::::

:::::

When an agent is running in `unprivileged` mode, if it doesn’t have the right level of privilege to read a data source, you can also adjust the agent’s privileges by adding `elastic-agent-user` to the user group that has privileges to read the data source.

As background, when you run {{agent}} in `unprivileged` mode, one user and one group are created on the host. The same names are used for all operating systems:
Expand All @@ -188,24 +250,104 @@

In certain cases you may want to install {{agent}} in `unprivileged` mode, with the agent running as a pre-existing user or as part of a pre-existing group. For example, on a Windows system you may have a service account in Active Directory and you’d like {{agent}} to run under that account.

To install {{agent}} in `unprivileged` mode as a specific user, add the `--user` and `--password` parameters to the install command:
::::{note}
On Windows, the `--password` parameter is required when specifying a custom user account.

On Linux and macOS, the `--user` and `--group` parameters are optional:
* If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`).
* If you specify only `--group`, the agent runs unprivileged in the requested group using the default user.
::::

To install {{agent}} in `unprivileged` mode as a specific user or group, use the following commands:

:::::{tab-set}
:group: os

::::{tab-item} Linux/macOS
:sync: linux

To install with a specific user:

```shell
elastic-agent install --unprivileged --user="my.path\username" --password="mypassword"
sudo elastic-agent install --unprivileged --user="username"
```

To install {{agent}} in `unprivileged` mode as part of a specific group, add the `--group` and `--password` parameters to the install command:
To install with a specific group:

```shell
elastic-agent install --unprivileged --group="my.path\groupname" --password="mypassword"
sudo elastic-agent install --unprivileged --group="groupname"
```

Alternatively, if you have {{agent}} already installed with administrative privileges, you can change the agent to use `unprivileged` mode and to run as a specific user or in a specific group. For example:
To install with both a specific user and group:

```shell
elastic-agent unprivileged --user="my.path\username" --password="mypassword"
sudo elastic-agent install --unprivileged --user="username" --group="groupname"
```

::::

::::{tab-item} Windows
:sync: windows

To install as a specific user:

```shell
elastic-agent install --unprivileged --user="my.domain\username" --password="mypassword"
```

To install as part of a specific group:

```shell
elastic-agent install --unprivileged --group="my.domain\groupname"
```

To install with both a specific user and group:

```shell
elastic-agent install --unprivileged --user="my.domain\username" --password="mypassword" --group="my.domain\groupname"
```

::::

:::::

Alternatively, if you have {{agent}} already installed with administrative privileges, you can change the agent to use `unprivileged` mode and to run as a specific user or in a specific group.

:::::{tab-set}
:group: os

::::{tab-item} Linux/macOS
:sync: linux

To change to a specific user:

```shell
sudo elastic-agent unprivileged --user="username"
```

To change to a specific group:

```shell
sudo elastic-agent unprivileged --group="groupname"
```

::::

::::{tab-item} Windows
:sync: windows

To change to a specific user:

```shell
elastic-agent unprivileged --user="my.domain\username" --password="mypassword"
```

To change to a specific group:

```shell
elastic-agent unprivileged --group="my.path\groupname" --password="mypassword"
elastic-agent unprivileged --group="my.domain\groupname"
```

::::

:::::
Loading