IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

Alerting set up

edit

Alerting set up

edit

Kibana alerting features are automatically enabled, but might require some additional configuration.

Prerequisites

edit

If you are using an on-premises Elastic Stack deployment:

In the kibana.yml configuration file, add the xpack.encryptedSavedObjects.encryptionKey setting.
For emails to have a footer with a link back to Kibana, set the server.publicBaseUrl configuration setting.

If you are using an on-premises Elastic Stack deployment with security:

If you are unable to access Kibana alerting features, ensure that you have not explicitly disabled API keys.

The alerting framework uses queries that require the search.allow_expensive_queries setting to be true. See the scripts documentation.

Production considerations and scaling guidance

edit

When relying on alerting and actions as mission critical services, make sure you follow the alerting production considerations.

For more information on the scalability of alerting features, go to Scaling guidance.

Security

edit

If you want to use the alerting features in a Kibana app, you must have the appropriate feature privileges. For example, to create rules in Stack Management > Rules, you must have all privileges for the Management > Stack Rules feature. To attach actions to the rule, you must also have read privileges for the Actions and Connectors feature. For more information on configuring roles that provide access to features, go to Feature privileges.

For details about the prerequisites for each API, refer to Alerting APIs.

Restrict actions

edit

For security reasons you may wish to limit the extent to which Kibana can connect to external services. Action settings allows you to disable certain Connectors and allowlist the hostnames that Kibana can connect with.

Space isolation

edit

Rules and connectors are isolated to the Kibana space in which they were created. A rule or connector created in one space will not be visible in another.

Authorization

edit

Rules are authorized using an API key associated with the last user to edit the rule. This API key captures a snapshot of the user’s privileges at the time of the edit. They are subsequently used to run all background tasks associated with the rule, including condition checks like Elasticsearch queries and triggered actions. The following rule actions will re-generate the API key:

Creating a rule
Updating a rule

When you disable a rule, it retains the associated API key which is re-used when the rule is enabled. If the API key is missing when you enable the rule (for example, in the case of imported rules), it generates a new key that has your security privileges.

You can update an API key manually in Stack Management > Rules or in the rule details page by selecting Update API key in the actions menu.

If a rule requires certain privileges, such as index privileges, to run, and a user without those privileges updates the rule, the rule will no longer function. Conversely, if a user with greater or administrator privileges modifies the rule, it will begin running with increased privileges.

Cross-cluster search

edit

If you want to use alerting rules with cross-cluster search, you must configure privileges for CCS and Kibana.

« Alerting Create and manage rules »