- Kibana Guide: other versions:
- What is Kibana?
- What’s new in 8.9
- Kibana concepts
- Quick start
- Set up
- Install Kibana
- Configure Kibana
- Alerting and action settings
- APM settings
- Banners settings
- Cases settings
- Enterprise Search settings
- Fleet settings
- i18n settings
- Logging settings
- Logs settings
- Metrics settings
- Monitoring settings
- Reporting settings
- Search sessions settings
- Secure settings
- Security settings
- Spaces settings
- Task Manager settings
- Telemetry settings
- URL drilldown settings
- Start and stop Kibana
- Access Kibana
- Securing access to Kibana
- Add data
- Upgrade Kibana
- Configure security
- Configure reporting
- Configure logging
- Configure monitoring
- Command line tools
- Production considerations
- Discover
- Dashboard and visualizations
- Canvas
- Maps
- Build a map to compare metrics by country or region
- Track, visualize, and alert on assets in real time
- Map custom regions with reverse geocoding
- Heat map layer
- Tile layer
- Vector layer
- Plot big data
- Search geographic data
- Configure map settings
- Connect to Elastic Maps Service
- Import geospatial data
- Troubleshoot
- Reporting and sharing
- Machine learning
- Graph
- Alerting
- Observability
- APM
- Set up
- Get started
- How-to guides
- Configure APM agents with central config
- Control access to APM data
- Create an alert
- Create custom links
- Filter data
- Find transaction latency and failure correlations
- Identify deployment details for APM agents
- Integrate with machine learning
- Observe Lambda functions
- Query your data
- Storage Explorer
- Track deployments with annotations
- Users and privileges
- Settings
- REST API
- Troubleshooting
- Security
- Dev Tools
- Fleet
- Osquery
- Stack Monitoring
- Stack Management
- REST API
- Get features API
- Kibana spaces APIs
- Kibana role management APIs
- User session management APIs
- Saved objects APIs
- Data views API
- Index patterns APIs
- Alerting APIs
- Action and connector APIs
- Cases APIs
- Add comment
- Create case
- Delete cases
- Delete comments
- Find case activity
- Find cases
- Find connectors
- Get alerts
- Get case activity
- Get case
- Get case status
- Get cases by alert
- Get comments
- Get configuration
- Get reporters
- Get tags
- Push case
- Set configuration
- Update cases
- Update comment
- Update configuration
- Import and export dashboard APIs
- Logstash configuration management APIs
- Machine learning APIs
- Osquery manager API
- Short URLs APIs
- Get Task Manager health
- Upgrade assistant APIs
- Kibana plugins
- Troubleshooting
- Accessibility
- Release notes
- Kibana 8.9.2
- Kibana 8.9.1
- Kibana 8.9.0
- Kibana 8.8.2
- Kibana 8.8.1
- Kibana 8.8.0
- Kibana 8.7.1
- Kibana 8.7.0
- Kibana 8.6.1
- Kibana 8.6.0
- Kibana 8.5.2
- Kibana 8.5.1
- Kibana 8.5.0
- Kibana 8.4.3
- Kibana 8.4.2
- Kibana 8.4.1
- Kibana 8.4.0
- Kibana 8.3.3
- Kibana 8.3.2
- Kibana 8.3.1
- Kibana 8.3.0
- Kibana 8.2.3
- Kibana 8.2.2
- Kibana 8.2.1
- Kibana 8.2.0
- Kibana 8.1.3
- Kibana 8.1.2
- Kibana 8.1.1
- Kibana 8.1.0
- Kibana 8.0.0
- Kibana 8.0.0-rc2
- Kibana 8.0.0-rc1
- Kibana 8.0.0-beta1
- Kibana 8.0.0-alpha2
- Kibana 8.0.0-alpha1
- Developer guide
Alerting set up
editAlerting set up
editKibana alerting features are automatically enabled, but might require some additional configuration.
Prerequisites
editIf you are using an on-premises Elastic Stack deployment:
-
In the
kibana.yml
configuration file, add thexpack.encryptedSavedObjects.encryptionKey
setting. -
For emails to have a footer with a link back to Kibana, set the
server.publicBaseUrl
configuration setting.
If you are using an on-premises Elastic Stack deployment with security:
- If you are unable to access Kibana alerting features, ensure that you have not explicitly disabled API keys.
The alerting framework uses queries that require the
search.allow_expensive_queries
setting to be true
. See the scripts
documentation.
Production considerations and scaling guidance
editWhen relying on alerting and actions as mission critical services, make sure you follow the alerting production considerations.
For more information on the scalability of alerting features, go to Scaling guidance.
Security
editIf you want to use the alerting features in a Kibana app, you must have the
appropriate feature privileges. For example, to create rules in
Stack Management > Rules, you must have all
privileges for the
Management > Stack Rules feature. To add rule actions and test
connectors, you must also have read
privileges for the Actions and Connectors
feature. To change rule settings, you must have all
privileges for the
Rules Settings privilege or all
privileges for the appropriate sub-feature
such as flapping detection. For more information on configuring roles that
provide access to features, go to Feature privileges.
For details about the prerequisites for each API, refer to Alerting APIs.
Restrict actions
editFor security reasons you may wish to limit the extent to which Kibana can connect to external services. Action settings allows you to disable certain Connectors and allowlist the hostnames that Kibana can connect with.
Space isolation
editRules and connectors are isolated to the Kibana space in which they were created. A rule or connector created in one space will not be visible in another.
Authorization
editRules are authorized using an API key. Its credentials are used to run all background tasks associated with the rule, including condition checks like Elasticsearch queries and triggered actions.
If you create or edit a rule in Kibana, an API key is created that captures a snapshot of your privileges at the time of the edit. The following actions regenerate the API key in Kibana:
- Creating a rule
- Updating a rule
When you disable a rule, it retains the associated API key which is reused when the rule is enabled. If the API key is missing when you enable the rule (for example, in the case of imported rules), it generates a new key that has your security privileges.
You can update an API key manually in Stack Management > Rules or in the rule details page by selecting Update API key in the actions menu.
If you manage your rules by using Kibana APIs, they support support both key- and token-based authentication as described in Authentication. To use key-based authentication, create API keys and use them in the header of your API calls as described in API Keys. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently associated with the rule and used when it runs.
If a rule requires certain privileges, such as index privileges, to run and a user without those privileges updates the rule, the rule will no longer function. Conversely, if a user with greater or administrator privileges modifies the rule, it will begin running with increased privileges. The same behavior occurs when you change the API key in the header of your API calls.
Cross-cluster search
editIf you want to use alerting rules with cross-cluster search, you must configure privileges for CCS and Kibana.
On this page