Skip to content
This repository has been archived by the owner on Mar 15, 2021. It is now read-only.

Latest commit

 

History

History
56 lines (41 loc) · 2.85 KB

alert-action-settings.asciidoc

File metadata and controls

56 lines (41 loc) · 2.85 KB
Raw

Alerting and action settings in {kib}

Alerting and action settings

Alerts and actions are enabled by default in {kib}, but require you configure the following in order to use them:

You can configure the following settings in the kibana.yml file.

General settings

xpack.encryptedSavedObjects.encryptionKey

A string of 32 or more characters used to encrypt sensitive properties on alerts and actions before they’re stored in {es}. Third party credentials — such as the username and password used to connect to an SMTP service — are an example of encrypted properties.

If not set, {kib} will generate a random key on startup, but all alert and action functions will be blocked. Generated keys are not allowed for alerts and actions because when a new key is generated on restart, existing encrypted data becomes inaccessible. For the same reason, alerts and actions in high-availability deployments of {kib} will behave unexpectedly if the key isn’t the same on all instances of {kib}.

Although the key can be specified in clear text in kibana.yml, it’s recommended to store this key securely in the {kib} Keystore.

Action settings

xpack.actions.whitelistedHosts

A list of hostnames that {kib} is allowed to connect to when built-in actions are triggered. It defaults to [], allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly whitelisted. An empty list [] can be used to block built-in actions from making any external connections.

Note that hosts associated with built-in actions, such as Slack and PagerDuty, are not automatically whitelisted. If you are not using the default [] setting, you must ensure that the corresponding endpoints are whitelisted as well.

xpack.actions.enabledActionTypes

A list of action types that are enabled. It defaults to [*], enabling all types. The names for built-in {kib} action types are prefixed with a . and include: .server-log, .slack, .email, .index, .pagerduty, and .webhook. An empty list [] will disable all action types.

Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in {kib} and will not function.

Alert settings

You do not need to configure any additional settings to use alerting in {kib}.