diff --git a/docs/en/ingest-management/fleet/fleet-settings.asciidoc b/docs/en/ingest-management/fleet/fleet-settings.asciidoc
index 24f0913fb6..cbc4291619 100644
--- a/docs/en/ingest-management/fleet/fleet-settings.asciidoc
+++ b/docs/en/ingest-management/fleet/fleet-settings.asciidoc
@@ -5,23 +5,17 @@ NOTE: The settings described here are configurable through the {fleet} UI. Refer
 {kibana-ref}/fleet-settings-kb.html[{fleet} settings in {kib}] for a list of
 settings that you can configure in the `kibana.yml` configuration file.
 
-Configure {fleet} settings to apply global settings to all {agent}s enrolled in
-{fleet}:
+On the *Settings* tab in *Fleet*, you can configure global settings available
+to all {agent}s enrolled in {fleet}. This includes {fleet-server} hosts and
+output settings.
 
-. In {kib}, open the main menu, then click *Management > {fleet} > Settings*.
+[discrete]
+[[fleet-server-hosts-setting]]
+== {fleet-server} host settings
 
-. Under *{fleet-server} hosts*, click *Edit hosts* and specify one or more
-host URLs:
-+
---
-[cols="2*<a"]
-|===
-|
-[id="fleet-server-hosts-setting"]
-*{fleet-server} hosts*
-
-| The URLs your {agent}s will use to connect to a {fleet-server}. This setting
-is required. On self-managed clusters, you must specify one or more URLs.
+Click *Edit hosts* and specify the host URLs your {agent}s will use to connect
+to a {fleet-server}. This setting is required. On self-managed clusters, you
+must specify one or more URLs.
 
 On {ecloud}, this field is populated automatically. If you are using
 Azure Private Link, GCP Private Service Connect, or AWS PrivateLink
@@ -44,12 +38,10 @@ to find the actual port that's used.
 IMPORTANT: The exposed ports must be open for ingress and egress in the firewall and
 networking rules on the host to allow {agent}s to communicate with {fleet-server}.
 
-Specify multiple URLs to scale out your deployment and provide automatic
-failover.
-
-If multiple URLs exist, {fleet} shows the first provided URL for enrollment
-purposes. Enrolled {agent}s will connect to the URLs in round robin order until
-they connect successfully. 
+Specify multiple URLs (click *Add row*) to scale out your deployment and provide
+automatic failover. If multiple URLs exist, {fleet} shows the first provided URL
+for enrollment purposes. Enrolled {agent}s will connect to the URLs in round
+robin order until they connect successfully. 
 
 When a {fleet-server} is added or removed from the list, all agent policies
 are updated automatically.
@@ -60,37 +52,38 @@ are updated automatically.
 * `https://abae718c1276457893b1096929e0f557.fleet.eu-west-1.aws.qa.cld.elstc.co:443`
 * `https://[2001:db8::1]:8220`
 
-|===
---
+[discrete]
+[[output-settings]]
+== Output settings
+
+Add or edit output settings to specify where {agent}s send data. {agent}s
+use the default output if you don't select an output in the agent policy.
 
-. Under *Outputs*, click the *Edit* icon in the *Action* column to modify
-output settings, as needed.
-+
 NOTE: The Elastic Cloud internal output is locked and cannot be edited. This
 output is used for internal routing to reduce external network charges when
 using the Elastic Cloud agent policy. It also provides visibility for
 troubleshooting on {ece}.
-+
---
-[cols="2*<a"]
-|===
-|
-[id="es-output-name-setting"]
-*Name*
 
-| The name of the output. 
+To add or edit an output:
 
-// =============================================================================
+. Click *Add output* or *Edit*.
 
-|
-[id="es-output-type-setting"]
-*Type*
+. Set the output name and type.
 
-| The output type. {es} is the only output type currently supported by
-{fleet}-managed {agent}s.
+. Specify settings for the output type you selected:
++
+* <<es-output-settings>>
+* <<ls-output-settings>>
 
-// =============================================================================
 
+[discrete]
+[[es-output-settings]]
+=== {es} output settings
+
+Specify these settings to send data over a secure connection to {es}.
+
+[cols="2*<a"]
+|===
 |
 [id="es-output-hosts-setting"]
 *Hosts*
@@ -128,13 +121,112 @@ normally. To learn more about trusted fingerprints, refer to the
 [id="es-output-advanced-yaml-setting"]
 *Advanced YAML configuration*
 
-| YAML settings that will be added to the {es} output section
-of each policy. This setting allows you to specify global output settings for
-all {agent}s enrolled in {fleet}. Make sure you specify valid YAML. The UI does
-not currently provide validation.
+| YAML settings that will be added to the {es} output section of each policy
+that uses this output. Make sure you specify valid YAML. The UI does not
+currently provide validation.
+
+// =============================================================================
+
+|
+[id="es-agent-integrations-output"]
+*Make this output the default for agent integrations*
+
+| When this setting is on, {agent}s use this output to send data if no other
+output is set in the agent policy.
 
+// =============================================================================
+
+|
+[id="es-agent-monitoring-output"]
+*Make this output the default for agent monitoring*
+
+| When this setting is on, {agent}s use this output to send agent monitoring
+data if no other output is set in the agent policy.
 |===
---
 
-. Save and apply the settings.
+[discrete]
+[[ls-output-settings]]
+=== {ls} output settings
+
+beta[]
+
+Specify these settings to send data over a secure connection to {ls}. You must
+also configure a {ls} pipeline that reads encrypted data from {agent}s and sends
+the data to {es}. Follow the in-product steps to configure the {ls} pipeline.
+
+To learn how to generate certificates, refer to <<secure-logstash-connections>>.
+
+[cols="2*<a"]
+|===
+|
+[id="ls-logstash-hosts"]
+*{ls} hosts*
+
+| The addresses your {agent}s will use to connect to {ls}. Use the format
+`host:port`. Click *add* row to specify additional {ls} addresses.
+
+*Examples:*
+
+* `192.0.2.0:5044`
+* `mylogstashhost:5044`
+
+// =============================================================================
+
+|
+[id="ls-server-ssl-certificate-authorities-setting"]
+*Server SSL certificate authorities*
+
+| The CA certificate to use to connect to {ls}. This is the CA used to generate
+the certificate and key for {ls}. Copy and paste in the full contents for the CA
+certificate.
+
+This setting is optional.
+
+// =============================================================================
+
+|
+[id="ls-client-ssl-certificate-setting"]
+*Client SSL certificate*
+
+| The certificate generated for the client. Copy and paste in the full contents
+of the certificate.
+
+// =============================================================================
+
+|
+[id="ls-client-ssl-certificate-key-setting"]
+*Client SSL certificate key*
+
+| The private key generated for the client. This must be in pkcs8 key.
+Copy and paste in the full contents of the certificate key.
+
+// =============================================================================
+
+|
+[id="ls-output-advanced-yaml-setting"]
+*Advanced YAML configuration*
+
+| YAML settings that will be added to the {ls} output section of each policy
+that uses this output. Make sure you specify valid YAML. The UI does not
+currently provide validation.
+
+// =============================================================================
+
+|
+[id="ls-agent-integrations-output"]
+*Make this output the default for agent integrations*
+
+| When this setting is on, {agent}s use this output to send data if no other
+output is set in the agent policy.
+
+// =============================================================================
+
+|
+[id="ls-agent-monitoring-output"]
+*Make this output the default for agent monitoring*
+
+| When this setting is on, {agent}s use this output to send agent monitoring
+data if no other output is set in the agent policy.
+
+|===
 
diff --git a/docs/en/ingest-management/fleet/fleet.asciidoc b/docs/en/ingest-management/fleet/fleet.asciidoc
index 8688626011..11b4696e61 100644
--- a/docs/en/ingest-management/fleet/fleet.asciidoc
+++ b/docs/en/ingest-management/fleet/fleet.asciidoc
@@ -33,8 +33,8 @@ describes the main management actions you can perform in {fleet}:
 | Component  | Management actions
 
 |<<fleet-settings>>
-|Configure global settings for all {agent}s managed by {fleet}, including
-{fleet-server} hosts and {es} output settings.
+|Configure global settings available to all {agent}s managed by {fleet},
+including {fleet-server} hosts and output settings.
 
 |<<manage-agents>>
 |Enroll, unenroll, upgrade, and view {agent} status and logs.
diff --git a/docs/en/ingest-management/images/add-logstash-output.png b/docs/en/ingest-management/images/add-logstash-output.png
new file mode 100644
index 0000000000..39eaf6e533
Binary files /dev/null and b/docs/en/ingest-management/images/add-logstash-output.png differ
diff --git a/docs/en/ingest-management/images/agent-output-settings.png b/docs/en/ingest-management/images/agent-output-settings.png
new file mode 100644
index 0000000000..e9b2347106
Binary files /dev/null and b/docs/en/ingest-management/images/agent-output-settings.png differ
diff --git a/docs/en/ingest-management/images/ca-certs.png b/docs/en/ingest-management/images/ca-certs.png
new file mode 100644
index 0000000000..a3c63403a2
Binary files /dev/null and b/docs/en/ingest-management/images/ca-certs.png differ
diff --git a/docs/en/ingest-management/images/client-certs.png b/docs/en/ingest-management/images/client-certs.png
new file mode 100644
index 0000000000..c71b91d0bb
Binary files /dev/null and b/docs/en/ingest-management/images/client-certs.png differ
diff --git a/docs/en/ingest-management/images/logstash-certs.png b/docs/en/ingest-management/images/logstash-certs.png
new file mode 100644
index 0000000000..e3568606f6
Binary files /dev/null and b/docs/en/ingest-management/images/logstash-certs.png differ
diff --git a/docs/en/ingest-management/images/logstash-output-certs.png b/docs/en/ingest-management/images/logstash-output-certs.png
new file mode 100644
index 0000000000..7bfc7f2bb2
Binary files /dev/null and b/docs/en/ingest-management/images/logstash-output-certs.png differ
diff --git a/docs/en/ingest-management/security/logstash-certificates.asciidoc b/docs/en/ingest-management/security/logstash-certificates.asciidoc
index 4065851a93..97ce4f813e 100644
--- a/docs/en/ingest-management/security/logstash-certificates.asciidoc
+++ b/docs/en/ingest-management/security/logstash-certificates.asciidoc
@@ -1,7 +1,280 @@
 [[secure-logstash-connections]]
-= Configure SSL/TLS for {ls}
+= Configure SSL/TLS for the {ls} output
 
-coming[8.2.0]
+beta[]
 
 To send data from {agent} to {ls} securely, you need to configure Transport
-Layer Security (TLS).
+Layer Security (TLS). Using TLS ensures that your {agent}s send encrypted data
+to trusted {ls} servers, and that your {ls} servers receive data from trusted
+{agent} clients.
+
+[discrete]
+[[secure-logstash-prereqs]]
+== Prerequisites
+
+* Make sure your https://www.elastic.co/subscriptions[subscription level]
+supports output to {ls}.
+
+* On Windows, add port 8220 for {fleet-server} and 5044 for Logstash to the
+inbound port rules in Windows Advanced Firewall.
+
+* If you are connecting to a self-managed {es} cluster, you need the CA
+certificate that was used to sign the certificates for the HTTP layer of {es}
+cluster. For more information, refer to the
+{ref}/configuring-stack-security.html[{es} security docs].
+
+[discrete]
+[[generate-logstash-certs]]
+== Generate custom certificates and private keys
+
+You can use whatever process you typically use to generate PEM-formatted
+certificates. The examples shown here use the `certutil` tool provided by {es}.
+
+TIP: The `certutil` tool is not available on {ecloud}, but you can still use it
+to generate certificates for {agent} to {ls} connections. Just
+https://www.elastic.co/downloads/elasticsearch[download an {es} package],
+extract it to a local directory, and run the `elasticsearch-certutil` command.
+There's no need to start {es}!
+
+. Generate a certificate authority (CA). Skip this step if you want to use an
+existing CA.
++
+--
+[source,shell]
+----
+./bin/elasticsearch-certutil ca --pem
+----
+
+This command creates a zip file that contains the CA certificate and key you'll
+use to sign the certificates. Extract the zip file:
+
+image::images/ca-certs.png[Screen capture of a folder called ca that contains two files: ca.crt and ca.key]
+--
+
+. Generate a client SSL certificate signed by your CA. For example:
++
+--
+[source,shell]
+----
+./bin/elasticsearch-certutil cert \
+  --name client \
+  --ca-cert /path/to/ca/ca.crt \
+  --ca-key /path/to/ca/ca.key \
+  --dns your.host.name.here \
+  --ip 192.0.2.1 \
+  --pem
+----
+
+Where `dns` and `ip` specify the valid host names and IP addresses where the generated certificates are valid.
+
+Extract the zip file:
+
+image::images/client-certs.png[Screen capture of a folder called client that contains two files: client.crt and client.key]
+--
+
+. Generate a {ls} SSL certificate signed by your CA. For example:
++
+--
+[source,shell]
+----
+./bin/elasticsearch-certutil cert \
+  --name logstash \
+  --ca-cert /path/to/ca/ca.crt \
+  --ca-key /path/to/ca/ca.key \
+  --dns your.host.name.here \
+  --ip 192.0.2.1 \
+  --pem
+----
+
+
+Extract the zip file:
+
+image::images/logstash-certs.png[Screen capture of a folder called logstash that contains two files: logstash.crt and logstash.key]
+--
+
+. Convert the {ls} key to pkcs8. For example, on Linux run:
++
+[source,shell]
+----
+openssl pkcs8 -inform PEM -in logstash.key -topk8 -nocrypt -outform PEM -out logstash.pkcs8.key
+----
+
+Store these files in a secure location.
+
+[discrete]
+[[configure-ls-ssl]]
+== Configure the {ls} pipeline
+
+TIP: If you've already created the {ls} `elastic-agent-pipeline.conf` pipeline
+and added it to `pipelines.yml`, skip to the example configurations and modify
+your pipeline configuration as needed.
+
+In your Logstash configuration directory, open the `pipelines.yml` file and
+add the following configuration. Replace the path to your file.
+
+[source,yaml]
+----
+- pipeline.id: elastic-agent-pipeline
+  path.config: "/etc/path/to/elastic-agent-pipeline.conf"
+----
+
+In the `elastic-agent-pipeline.conf` file, add the pipeline configuration. Note
+that the configuration needed for {ess} on {ecloud} is different from
+self-managed {es} clusters. If you copied the configuration shown in {fleet},
+adjust it as needed.
+
+{ess} example:
+
+[source,text]
+----
+input {
+  elastic_agent {
+    port => 5044
+    ssl => true
+    ssl_certificate_authorities => ["/path/to/ca.crt"]
+    ssl_certificate => "/path/to/logstash.crt"
+    ssl_key => "/path/to/logstash.pkcs8.key"
+    ssl_verify_mode => "force_peer"
+  }
+}
+
+output {
+  elasticsearch {
+    cloud_id => "xxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx=" <1>
+    api_key => "xxxx:xxxx" <2>
+    data_stream => true
+    ssl => true <3>
+  }
+}
+----
+<1> Use the `cloud_id` shown on your deployment page in {ecloud}.
+<2> In {fleet}, you can generate this API key when you add a {ls} output.
+<3> {ess} uses standard publicly trusted certificates, so there's no need
+specify other SSL settings here.
+
+Self-managed {es} cluster example:
+
+[source,text]
+----
+input {
+  elastic_agent {
+    port => 5044
+    ssl => true
+    ssl_certificate_authorities => ["/path/to/ca.crt"]
+    ssl_certificate => "/path/to/logstash.crt"
+    ssl_key => "/path/to/logstash.pkcs8.key"
+    ssl_verify_mode => "force_peer"
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => "https://xxxx:9200"
+    api_key => "xxxx:xxxx" 
+    data_stream => true
+    ssl => true
+    cacert => "/path/to/http_ca.crt" <1>
+  }
+}
+----
+<1> Use the certificate that was generated for {es}. 
+
+To learn more about the {ls} configuration, refer to:
+
+* {logstash-ref}/plugins-inputs-elastic_agent.html[{agent} input plugin]
+* {logstash-ref}/plugins-outputs-elasticsearch.html[{es} output plugin]
+* {logstash-ref}/ls-security.html[Secure your connection to {es}]
+
+When you're done configuring the pipeline, restart {ls}:
+
+[source,shell]
+----
+bin/logstash
+----
+
+[discrete]
+[[add-ls-output]]
+== Add a {ls} output to {fleet}
+
+This section describes how to add a Logstash output and configure SSL settings
+in {fleet}. If you're running {agent} standalone, refer to the
+<<logstash-output,Logstash output>> configuration docs.
+
+. In {kib}, go to *Fleet > Settings*.
+
+. Under *Outputs*, click *Add output*. If you've been following the {ls} steps
+in {fleet}, you might already be on this page.
+
+. Specify a name for the output.
+
+. For *Type*, select *Logstash*.
+
+. Under *Logstash hosts*, specify the host and port your agents will use to
+connect to {ls}. Use the format `host:port`.
+
+. In the *Server SSL certificate authorities* field, paste in the entire
+contents of the `ca.crt` file you <<generate-logstash-certs,generated earlier>>.
+
+. In the *Client SSL certificate* field, paste in the entire contents of the
+`client.crt` file you generated earlier.
+
+. In the *Client SSL certificate key* field, paste in the entire contents of the
+`client.key` file you generated earlier.
+
+[role="screenshot"]
+image::images/add-logstash-output.png[Screen capture of a folder called logstash that contains two files: logstash.crt and logstash.key]
+
+When you're done, save and apply the settings.
+
+[discrete]
+[[use-ls-output]]
+== Select the {ls} output in an agent policy
+
+{ls} is now listening for events from {agent}, but events are not streaming into
+{es} yet. You need to select the {ls} output in an agent policy. You can edit
+an existing policy or create a new one:
+
+. In {kib}, go to *Fleet > Agent policies* and either create a new agent policy
+or click an existing policy to edit it:
++
+* To change the output settings in a new policy, click *Create agent policy*
+and expand *Advanced options*.
+* To change the output settings in an existing policy, click the policy to edit
+it, then click *Settings*.
+
+. Set *Output for integrations* and (optionally) *Output for agent monitoring*
+to use the {ls} output you created earlier. You might need to scroll down to see
+these options
++
+[role="screenshot"]
+image::images/agent-output-settings.png[Screen capture showing the Logstash output policy selected in an agent policy]
+
+. Save your changes.
+
+Any {agent}s enrolled in the agent policy will begin sending data to {es} via
+{ls}. If you don't have any installed {agent}s enrolled in the agent policy, do
+that now.
+
+There might be a slight delay while the {agent}s update to the new policy
+and connect to {ls} over a secure connection.
+
+[discrete]
+[[test-ls-connection]]
+== Test the connection
+
+To make sure {ls} is sending data, run the following command from the host where
+{ls} is running:
+
+[source,shell]
+----
+curl -XGET localhost:9600/_node/stats/events
+----
+
+The request should return stats on the number of events in and out. If these
+values are 0, check the {agent} logs for problems.
+ 
+When data is streaming to {es}, go to *Observability* and click
+*Metrics* to view metrics about your system.
+
+//TODO: WE should add some troubleshooting advice like what to do if the
+//connection is refused. But maybe after beta drops.