Alerting and action settings in Kibana

edit

Alerting and action settings in Kibana

edit

Alerts and actions are enabled by default in Kibana, but require you configure the following in order to use them:

You can configure the following settings in the kibana.yml file.

General settings

edit

xpack.encryptedSavedObjects.encryptionKey

A string of 32 or more characters used to encrypt sensitive properties on alerts and actions before they’re stored in Elasticsearch. Third party credentials — such as the username and password used to connect to an SMTP service — are an example of encrypted properties.

If not set, Kibana will generate a random key on startup, but all alert and action functions will be blocked. Generated keys are not allowed for alerts and actions because when a new key is generated on restart, existing encrypted data becomes inaccessible. For the same reason, alerts and actions in high-availability deployments of Kibana will behave unexpectedly if the key isn’t the same on all instances of Kibana.

Although the key can be specified in clear text in kibana.yml, it’s recommended to store this key securely in the Kibana Keystore. Be sure to back up the encryption key value somewhere safe, as your alerts and actions will cease to function due to decryption failures should you lose it. If you want to rotate the encryption key, be sure to follow the instructions on encryption key rotation.

Action settings

edit

xpack.actions.enabled

Feature toggle that enables Actions in Kibana. If false, all features dependent on Actions are disabled, including the Observability and Security apps. Defaults to true.

xpack.actions.allowedHosts logo cloud

A list of hostnames that Kibana is allowed to connect to when built-in actions are triggered. It defaults to [*], allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list [] can be used to block built-in actions from making any external connections.

Note that hosts associated with built-in actions, such as Slack and PagerDuty, are not automatically added to allowed hosts. If you are not using the default [*] setting, you must ensure that the corresponding endpoints are added to the allowed hosts as well.

xpack.actions.enabledActionTypes logo cloud

A list of action types that are enabled. It defaults to [*], enabling all types. The names for built-in Kibana action types are prefixed with a . and include: .server-log, .slack, .email, .index, .pagerduty, and .webhook. An empty list [] will disable all action types.

Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in Kibana and will not function.

xpack.actions.preconfigured

Specifies preconfigured action IDs and configs. Defaults to {}.

xpack.actions.proxyUrl logo cloud

Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used.

xpack.actions.proxyHeaders logo cloud

Specifies HTTP headers for the proxy, if using a proxy for actions. Defaults to {}.

xpack.actions. proxyRejectUnauthorizedCertificates logo cloud

Set to false to bypass certificate validation for the proxy, if using a proxy for actions. Defaults to true.

xpack.actions.rejectUnauthorized logo cloud

Set to false to bypass certificate validation for actions. Defaults to true.

As an alternative to setting both xpack.actions.proxyRejectUnauthorizedCertificates and xpack.actions.rejectUnauthorized, you can point the OS level environment variable NODE_EXTRA_CA_CERTS to a file that contains the root CAs needed to trust certificates.

Alert settings

edit

You do not need to configure any additional settings to use alerting in Kibana.