Elasticsearch Connections

Elasticsearch connections expose a cluster’s SQL API (POST /_sql?format=json) to agents. Supported on Elasticsearch 6.3+ — the SQL endpoint is part of the free basic tier on 8.x.

Recommended: Create and manage connections via the web UI at https://ui.cloud.firetiger.com/settings/connections

Connection Parameters

Required Parameters

Parameter   Type     Description
url         string   Cluster base URL — must use https:// (e.g., https://es.example.com:9200)

The fireshell network proxy drops plain HTTP egress, so an http:// URL will pass create-time validation but fail at runtime with no auth applied. Front a plain Elasticsearch cluster with a TLS terminator (nginx, xpack.security, etc.) before connecting.

Optional Parameters

Parameter         Type   Description                          Default
tls_skip_verify   bool   Skip TLS certificate verification    false

Use tls_skip_verify only for self-signed clusters in a trusted network.

Authentication

Set exactly one of the following — auth is required at create time, even for unsecured local clusters (use none explicitly).

Basic Auth

"basic": {
  "username": "elastic",
  "password": "<password>"
}

API Key

A pre-created Elasticsearch API key. The server renders it as Authorization: ApiKey <token> — Elasticsearch routes API-key credentials through a different auth realm than Bearer tokens, so this branch is distinct from a generic Bearer.

"api_key": {
  "token": "<api-key>"
}

Reference: Create API key API.

No Authentication

For local or development clusters with security disabled (xpack.security.enabled=false).

"none": {}

Example Connection

{
  "display_name": "Production ES",
  "description": "Production Elasticsearch logs cluster (8.x).\n\nIndices:\n- logs-app-*: application logs (timestamp, service, level, message)\n- logs-access-*: NGINX access logs (timestamp, remote_addr, request, status)",
  "connection_details": {
    "elasticsearch": {
      "url": "https://es.example.com:9200",
      "api_key": { "token": "<api-key>" }
    }
  }
}

Description Field

Elasticsearch SQL exposes indices as tables. List the indices (or index patterns) agents should query, plus the relevant fields and types — agents otherwise spend several round trips on DESCRIBE.

Best Practices

  • Use API keys, not user passwords — keys can be scoped to specific indices and rotated independently
  • Scope API keys to read-only — the SQL endpoint only needs read and view_index_metadata on the target indices
  • Keep tls_skip_verify: false in production — only enable for self-signed dev clusters
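The following is an added example, not Firetiger's own code, that turns the rules on this page into a pre-flight check a practitioner can run before creating the connection: the URL must be https://, exactly one of basic, api_key or none must be set, and tls_skip_verify must be a bool (a true value is reported as a warning, not an error). It also renders the Authorization header the page describes for each auth mode, pulls the index patterns out of a description written in the "- pattern: fields" style of the Example Connection, and builds the body for Elasticsearch's POST /_security/api_key request with only read and view_index_metadata on those patterns. The description line format, the helper names and the sample connection are assumptions of this example; the API-key request shape and the `encoded` response field are Elasticsearch's (8.x), not Firetiger's.

```python
"""Pre-flight checks for a Firetiger Elasticsearch connection document.

Added example (not part of the Firetiger docs or code). Assumptions:
  - the connection block has the shape shown on the page (url, one auth
    block, optional tls_skip_verify);
  - the description lists indices as lines of the form "- <pattern>: ...".
"""
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

AUTH_MODES = ("basic", "api_key", "none")
# The SQL endpoint only needs these two index privileges (no cluster privileges).
READ_ONLY_PRIVILEGES = ["read", "view_index_metadata"]


def check_connection(details: dict) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]} for one elasticsearch block."""
    errors: List[str] = []
    warnings: List[str] = []

    url = details.get("url")
    if not isinstance(url, str) or not url:
        errors.append("url is required")
    else:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            # http:// passes create-time validation but fails at runtime,
            # because plain HTTP egress is dropped by the network proxy.
            errors.append("url must use https:// (plain HTTP is dropped at runtime)")
        if not parsed.hostname:
            errors.append("url has no host")

    present = [mode for mode in AUTH_MODES if mode in details]
    if len(present) != 1:
        errors.append(f"set exactly one of {AUTH_MODES}, found {present or 'none'}")
    basic = details.get("basic")
    if basic is not None and not (isinstance(basic, dict) and basic.get("username") and basic.get("password")):
        errors.append("basic requires username and password")
    api_key = details.get("api_key")
    if api_key is not None and not (isinstance(api_key, dict) and api_key.get("token")):
        errors.append("api_key requires token")

    skip_verify = details.get("tls_skip_verify", False)  # default false
    if not isinstance(skip_verify, bool):
        errors.append("tls_skip_verify must be a bool")
    elif skip_verify:
        warnings.append("tls_skip_verify is true; keep it false outside self-signed dev clusters")

    return {"errors": errors, "warnings": warnings}


def authorization_header(details: dict) -> Optional[str]:
    """Header value the server sends for each auth mode; None for 'none'."""
    if "basic" in details:
        creds = f"{details['basic']['username']}:{details['basic']['password']}"
        return "Basic " + base64.b64encode(creds.encode()).decode()
    if "api_key" in details:
        # API keys use the ApiKey scheme, which Elasticsearch authenticates
        # through its API-key realm rather than as a generic Bearer token.
        return "ApiKey " + details["api_key"]["token"]
    return None


def index_patterns_from_description(description: str) -> List[str]:
    """Collect '<pattern>' from every '- <pattern>: ...' line (assumed format)."""
    return re.findall(r"^- (\S+):", description, flags=re.MULTILINE)


def read_only_api_key_request(name: str, index_patterns: List[str]) -> dict:
    """Body for POST /_security/api_key: a key scoped to read-only access on
    the given patterns. The 'encoded' field of the response is the value to
    put in api_key.token."""
    return {
        "name": name,
        "role_descriptors": {
            f"{name}-read": {
                "cluster": [],
                "indices": [{"names": index_patterns, "privileges": READ_ONLY_PRIVILEGES}],
            }
        },
    }


# Constructed sample connection, modelled on the Example Connection above.
EXAMPLE_CONNECTION = {
    "display_name": "Production ES",
    "description": "Production Elasticsearch logs cluster (8.x).\n\nIndices:\n"
                   "- logs-app-*: application logs (timestamp, service, level, message)\n"
                   "- logs-access-*: NGINX access logs (timestamp, remote_addr, request, status)",
    "connection_details": {
        "elasticsearch": {"url": "https://es.example.com:9200", "api_key": {"token": "<api-key>"}}
    },
}

if __name__ == "__main__":
    es = EXAMPLE_CONNECTION["connection_details"]["elasticsearch"]
    print(check_connection(es))
    print(authorization_header(es))
    patterns = index_patterns_from_description(EXAMPLE_CONNECTION["description"])
    print(read_only_api_key_request("firetiger-sql", patterns))
```

Running the module prints an empty error list for the sample connection, the `ApiKey <api-key>` header, and a role descriptor limited to logs-app-* and logs-access-*; feeding it an http:// URL or two auth blocks produces the corresponding errors before the connection is ever created.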
