Alerting Set up
The Alerting feature is automatically enabled in Kibana, but might require some additional configuration.
Prerequisites
If you are using an on-premises Elastic Stack deployment:
- In the kibana.yml configuration file, add the xpack.encryptedSavedObjects.encryptionKey setting.
- For emails to have a footer with a link back to Kibana, set the server.publicBaseUrl configuration setting.
If you are using an on-premises Elastic Stack deployment with security:
- You must enable Transport Layer Security (TLS) for communication between Elasticsearch and Kibana. Kibana alerting uses API keys to secure background rule checks and actions, and API keys require TLS on the HTTP interface. A proxy will not suffice.
- If you have enabled TLS and are still unable to access Alerting, ensure that you have not explicitly disabled API keys.
Production considerations and scaling guidance
When relying on alerting and actions as mission-critical services, make sure you follow the Alerting production considerations.
See Scaling guidance for more information on the scalability of Kibana alerting.
Security
To access alerting in a space, a user must have access to one of the following features:
See feature privileges for more information on configuring roles that provide access to these features.
Also note that a user will need read privileges for the Actions and Connectors feature to attach actions to a rule or to edit a rule that has an action attached to it.
Restrict actions
For security reasons you may wish to limit the extent to which Kibana can connect to external services. Action settings allow you to disable certain connectors and allowlist the hostnames that Kibana can connect with.
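Putting the prerequisites above together with these action restrictions, the following is an added kibana.yml example, not configuration from the Elastic documentation; the hostnames, certificate paths and the key value are placeholders to be replaced.

```yaml
# kibana.yml (added example; all hostnames, paths and the key are placeholders)

# Required: the key that encrypts the API keys and connector secrets rules store.
# Kibana requires at least 32 characters; generate one with
# `bin/kibana-encryption-keys generate` or another secure random source.
xpack.encryptedSavedObjects.encryptionKey: "REPLACE_WITH_A_RANDOM_STRING_OF_AT_LEAST_32_CHARS"

# Lets action emails carry a footer that links back to this Kibana instance.
server.publicBaseUrl: "https://kibana.example.com"

# Background rule runs are authenticated with API keys, which Elasticsearch only
# issues over TLS on its HTTP interface, so Kibana must reach Elasticsearch over https.
elasticsearch.hosts: ["https://es01.example.com:9200"]
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]

# Restrict actions: only these connector types can be created or run (default "*" allows all) ...
xpack.actions.enabledActionTypes: [".email", ".slack", ".webhook"]
# ... and outbound action connections are limited to these hosts (default "*" allows any host).
xpack.actions.allowedHosts: ["smtp.example.com", "hooks.slack.com", "ticketing.example.com"]

---
# elasticsearch.yml (separate file): the matching Elasticsearch side of the TLS
# and API key prerequisites. Do not set api_key.enabled to false, or Alerting fails.
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.authc.api_key.enabled: true
```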
Space isolation
Rules and connectors are isolated to the Kibana space in which they were created. A rule or connector created in one space will not be visible in another.
Authorization
Rules, including all background detection and the actions they generate, are authorized using an API key associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges at that moment in time. The API key is then used to run all background tasks associated with the rule, including detection checks and executing actions.
If a rule requires certain privileges to run, such as index privileges, keep in mind that if a user without those privileges updates the rule, the rule will no longer function.