mirror of
https://github.com/elastic/kibana.git
synced 2025-04-24 17:59:23 -04:00
283 lines
17 KiB
Text
283 lines
17 KiB
Text
[[alert-action-settings-kb]]
|
|
== Alerting and action settings in {kib}
|
|
++++
|
|
<titleabbrev>Alerting and action settings</titleabbrev>
|
|
++++
|
|
|
|
:frontmatter-description: Learn about the settings that affect {kib} {alert-features}.
|
|
:frontmatter-tags-products: [kibana, alerting]
|
|
:frontmatter-tags-content-type: [reference]
|
|
:frontmatter-tags-user-goals: [configure]
|
|
|
|
Alerting and actions are enabled by default in {kib}, but require you to configure the following:
|
|
|
|
. <<using-kibana-with-security,Set up {kib} to work with {stack} {security-features}>>.
|
|
. <<configuring-tls-kib-es,Set up TLS encryption between {kib} and {es}>>.
|
|
. If you are using an *on-premises* Elastic Stack deployment, <<general-alert-action-settings,specify a value for `xpack.encryptedSavedObjects.encryptionKey`>>.
|
|
|
|
You can configure the following settings in the `kibana.yml` file.
|
|
|
|
[float]
|
|
[[general-alert-action-settings]]
|
|
=== General settings
|
|
|
|
`xpack.encryptedSavedObjects.encryptionKey`::
|
|
A string of 32 or more characters used to encrypt sensitive properties on alerting rules and actions before they're stored in {es}. Third party credentials — such as the username and password used to connect to an SMTP service — are an example of encrypted properties.
|
|
+
|
|
{kib} offers a <<kibana-encryption-keys, CLI tool>> to help generate this encryption key.
|
|
+
|
|
If not set, {kib} will generate a random key on startup, but all alerting and action functions will be blocked. Generated keys are not allowed for alerting and actions because when a new key is generated on restart, existing encrypted data becomes inaccessible. For the same reason, alerting and actions in high-availability deployments of {kib} will behave unexpectedly if the key isn't the same on all instances of {kib}.
|
|
+
|
|
Although the key can be specified in clear text in `kibana.yml`, it's recommended to store this key securely in the <<secure-settings,{kib} Keystore>>.
|
|
Be sure to back up the encryption key value somewhere safe, as your alerting rules and actions will cease to function due to decryption failures should you lose it. If you want to rotate the encryption key, be sure to follow the instructions on <<encryption-key-rotation, encryption key rotation>>.
|
|
|
|
[float]
|
|
[[action-settings]]
|
|
=== Action settings
|
|
|
|
`xpack.actions.allowedHosts` {ess-icon}::
|
|
A list of hostnames that {kib} is allowed to connect to when built-in actions are triggered. It defaults to `[*]`, allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list `[]` can be used to block built-in actions from making any external connections.
|
|
+
|
|
Note that hosts associated with built-in actions, such as Slack and PagerDuty, are not automatically added to allowed hosts. If you are not using the default `[*]` setting, you must ensure that the corresponding endpoints are added to the allowed hosts as well.
|
|
|
|
`xpack.actions.customHostSettings` {ess-icon}::
|
|
A list of custom host settings to override existing global settings.
|
|
Default: an empty list.
|
|
+
|
|
Each entry in the list must have a `url` property, to associate a connection
|
|
type (mail or https), hostname and port with the remaining options in the
|
|
entry.
|
|
+
|
|
In the following example, two custom host settings
|
|
are defined. The first provides a custom host setting for mail server
|
|
`mail.example.com` using port 465 that supplies server certificate authentication
|
|
data from both a file and inline, and requires TLS for the
|
|
connection. The second provides a custom host setting for https server
|
|
`webhook.example.com` which turns off server certificate authentication,
|
|
that will allow Kibana to connect to the server if it's using a self-signed
|
|
certificate. The individual properties that can be used in the settings are
|
|
documented below.
|
|
+
|
|
[source,yaml]
|
|
--
|
|
xpack.actions.customHostSettings:
|
|
- url: smtp://mail.example.com:465
|
|
ssl:
|
|
verificationMode: 'full'
|
|
certificateAuthoritiesFiles: [ 'one.crt' ]
|
|
certificateAuthoritiesData: |
|
|
-----BEGIN CERTIFICATE-----
|
|
... multiple lines of certificate data here ...
|
|
-----END CERTIFICATE-----
|
|
smtp:
|
|
requireTLS: true
|
|
- url: https://webhook.example.com
|
|
ssl:
|
|
verificationMode: 'none'
|
|
--
|
|
+
|
|
The settings in `xpack.actions.customHostSettings` can be used to override the
|
|
global option `xpack.actions.ssl.verificationMode` and provide customized TLS
|
|
settings on a per-server basis. Set `xpack.actions.ssl.verificationMode` to the
|
|
value to be used by default for all servers, then add an entry in
|
|
`xpack.actions.customHostSettings` for every server that requires customized
|
|
settings.
|
|
|
|
`xpack.actions.customHostSettings[n].url` {ess-icon}::
|
|
A URL associated with this custom host setting. Should be in the form of
|
|
`protocol://hostname:port`, where `protocol` is `https` or `smtp`. If the
|
|
port is not provided, 443 is used for `https` and 25 is used for
|
|
`smtp`. The `smtp` URLs are used for the Email actions that use this
|
|
server, and the `https` URLs are used for actions which use `https` to
|
|
connect to services.
|
|
+
|
|
Entries with `https` URLs can use the `ssl` options, and entries with `smtp`
|
|
URLs can use both the `ssl` and `smtp` options.
|
|
+
|
|
No other URL values should be part of this URL, including paths,
|
|
query strings, and authentication information. When an http or smtp request
|
|
is made as part of running an action, only the protocol, hostname, and
|
|
port of the URL for that request are used to look up these configuration
|
|
values.
|
|
|
|
`xpack.actions.customHostSettings[n].smtp.ignoreTLS` {ess-icon}::
|
|
A boolean value indicating that TLS must not be used for this connection.
|
|
The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
|
|
Default: `false`.
|
|
|
|
`xpack.actions.customHostSettings[n].smtp.requireTLS` {ess-icon}::
|
|
A boolean value indicating that TLS must be used for this connection.
|
|
The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
|
|
Default: `false`.
|
|
|
|
`xpack.actions.customHostSettings[n].ssl.rejectUnauthorized`::
|
|
deprecated:[8.0.0] Use <<action-config-custom-host-verification-mode,`xpack.actions.customHostSettings.ssl.verificationMode`>> instead. A boolean value indicating whether to bypass server certificate validation.
|
|
Overrides the general `xpack.actions.rejectUnauthorized` configuration
|
|
for requests made for this hostname/port.
|
|
|
|
[[action-config-custom-host-verification-mode]] `xpack.actions.customHostSettings[n].ssl.verificationMode` {ess-icon}::
|
|
Controls the verification of the server certificate that {kib} receives when making an outbound SSL/TLS connection to the host server. Valid values are `full`, `certificate`, and `none`.
|
|
Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>. Overrides the general `xpack.actions.ssl.verificationMode` configuration
|
|
for requests made for this hostname/port.
|
|
|
|
`xpack.actions.customHostSettings[n].ssl.certificateAuthoritiesFiles`::
|
|
A file name or list of file names of PEM-encoded certificate files to use
|
|
to validate the server.
|
|
|
|
`xpack.actions.customHostSettings[n].ssl.certificateAuthoritiesData` {ess-icon}::
|
|
The contents of a PEM-encoded certificate file, or multiple files appended
|
|
into a single string. This configuration can be used for environments where
|
|
the files cannot be made available.
|
|
|
|
[[action-config-email-domain-allowlist]] `xpack.actions.email.domain_allowlist` {ess-icon}::
|
|
A list of allowed email domains which can be used with the email connector. When this setting is not used, all email domains are allowed. When this setting is used, if any email is attempted to be sent that (a) includes an addressee with an email domain that is not in the allowlist, or (b) includes a from address domain that is not in the allowlist, it will fail with a message indicating the email is not allowed.
|
|
+
|
|
WARNING: This feature is available in {kib} 7.17.4 and 8.3.0 onwards but is not supported in {kib} 8.0, 8.1 or 8.2. As such, this setting should be removed before upgrading from 7.17 to 8.0, 8.1 or 8.2. It is possible to configure the settings in 7.17.4 and then upgrade to 8.3.0 directly.
|
|
|
|
`xpack.actions.enableFooterInEmail` {ess-icon}::
|
|
A boolean value indicating that a footer with a relevant link should be added to emails sent as alerting actions. Default: true.
|
|
|
|
`xpack.actions.enabledActionTypes` {ess-icon}::
|
|
A list of action types that are enabled. It defaults to `[*]`, enabling all types. The names for built-in {kib} action types are prefixed with a `.` and include: `.email`, `.index`, `.jira`, `.opsgenie`, `.pagerduty`, `.resilient`, `.server-log`, `.servicenow`, .`servicenow-itom`, `.servicenow-sir`, `.slack`, `.swimlane`, `.teams`, `.tines`, `.torq`, `.xmatters`, `.gen-ai`, and `.webhook`. An empty list `[]` will disable all action types.
|
|
+
|
|
Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in {kib} and will not function.
|
|
|
|
`xpack.actions.preconfiguredAlertHistoryEsIndex` {ess-icon}::
|
|
Enables a preconfigured alert history {es} <<index-action-type, Index>> connector. Default: `false`.
|
|
|
|
`xpack.actions.preconfigured`::
|
|
Specifies preconfigured connector IDs and configs. Default: {}.
|
|
|
|
`xpack.actions.proxyUrl` {ess-icon}::
|
|
Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used.
|
|
+
|
|
Proxies may be used to proxy http or https requests through a proxy using the http or https protocol. Kibana only uses proxies in "CONNECT" mode (sometimes referred to as "tunneling" TCP mode, compared to HTTP mode). That is, Kibana will always make requests through a proxy using the HTTP `CONNECT` method.
|
|
+
|
|
If your proxy is using the https protocol (vs the http protocol), the setting `xpack.actions.ssl.proxyVerificationMode: none` will likely be needed, unless your proxy's certificates are signed using a publicly available certificate authority.
|
|
+
|
|
There is currently no support for using basic authentication with a proxy (authentication for the proxy itself, not the URL being requested through the proxy).
|
|
+
|
|
To help diagnose problems using a proxy, you can use the `curl` command with options to use your proxy, and log debug information, with the following command, replacing the proxy and target URLs as appropriate. This will force the request to be made to the
|
|
proxy in tunneling mode, and display some of the interaction between the client and the proxy.
|
|
+
|
|
[source,sh]
|
|
--
|
|
curl --verbose --proxytunnel --proxy http://localhost:8080 http://example.com
|
|
--
|
|
|
|
`xpack.actions.proxyBypassHosts` {ess-icon}::
|
|
Specifies hostnames which should not use the proxy, if using a proxy for actions. The value is an array of hostnames as strings. By default, all hosts will use the proxy, but if an action's hostname is in this list, the proxy will not be used. The settings `xpack.actions.proxyBypassHosts` and `xpack.actions.proxyOnlyHosts` cannot be used at the same time.
|
|
|
|
`xpack.actions.proxyOnlyHosts` {ess-icon}::
|
|
Specifies hostnames which should only use the proxy, if using a proxy for actions. The value is an array of hostnames as strings. By default, no hosts will use the proxy, but if an action's hostname is in this list, the proxy will be used. The settings `xpack.actions.proxyBypassHosts` and `xpack.actions.proxyOnlyHosts` cannot be used at the same time.
|
|
|
|
`xpack.actions.proxyHeaders` {ess-icon}::
|
|
Specifies HTTP headers for the proxy, if using a proxy for actions. Default: {}.
|
|
|
|
`xpack.actions.proxyRejectUnauthorizedCertificates` {ess-icon}::
|
|
deprecated:[8.0.0] Use <<action-config-proxy-verification-mode,`xpack.actions.ssl.proxyVerificationMode`>> instead. Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Default: `true`.
|
|
|
|
[[action-config-proxy-verification-mode]]`xpack.actions.ssl.proxyVerificationMode` {ess-icon}::
|
|
Controls the verification for the proxy server certificate that Kibana receives when making an outbound SSL/TLS connection to the proxy server. Valid values are `full`, `certificate`, and `none`.
|
|
Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.
|
|
|
|
`xpack.actions.rejectUnauthorized` {ess-icon}::
|
|
deprecated:[8.0.0] Use <<action-config-verification-mode,`xpack.actions.ssl.verificationMode`>> instead. Set to `false` to bypass certificate validation for actions. Default: `true`.
|
|
+
|
|
As an alternative to setting `xpack.actions.rejectUnauthorized`, you can use the setting
|
|
`xpack.actions.customHostSettings` to set SSL options for specific servers.
|
|
|
|
[[action-config-verification-mode]] `xpack.actions.ssl.verificationMode` {ess-icon}::
|
|
Controls the verification for the server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection for actions. Valid values are `full`, `certificate`, and `none`.
|
|
Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.
|
|
+
|
|
This setting can be overridden for specific URLs by using the setting
|
|
`xpack.actions.customHostSettings[n].ssl.verificationMode` (described above) to a different value.
|
|
|
|
`xpack.actions.maxResponseContentLength` {ess-icon}::
|
|
Specifies the max number of bytes of the http response for requests to external resources. Default: 1000000 (1MB).
|
|
|
|
`xpack.actions.responseTimeout` {ess-icon}::
|
|
Specifies the time allowed for requests to external resources. Requests that take longer are aborted. The time is formatted as:
|
|
+
|
|
`<count>[ms,s,m,h,d,w,M,Y]`
|
|
+
|
|
For example, `20m`, `24h`, `7d`, `1w`. Default: `60s`.
|
|
|
|
`xpack.actions.run.maxAttempts` {ess-icon}::
|
|
Specifies the maximum number of times an action can be attempted to run. Can be minimum 1 and maximum 10.
|
|
|
|
`xpack.actions.run.connectorTypeOverrides` {ess-icon}::
|
|
Overrides the configs under `xpack.actions.run` for the connector type with the given ID. List the connector type identifier and its settings in an array of objects. For example:
|
|
+
|
|
[source,yaml]
|
|
--
|
|
xpack.actions.run:
|
|
maxAttempts: 1
|
|
connectorTypeOverrides:
|
|
- id: '.server-log'
|
|
maxAttempts: 5
|
|
--
|
|
|
|
[float]
|
|
[[alert-settings]]
|
|
=== Alerting settings
|
|
|
|
`xpack.alerting.maxEphemeralActionsPerAlert` {ess-icon}::
|
|
deprecated:[8.8.0]
|
|
Sets the number of actions that will run ephemerally. To use this, enable
|
|
ephemeral tasks in task manager first with
|
|
<<task-manager-settings,`xpack.task_manager.ephemeral_tasks.enabled`>>
|
|
|
|
`xpack.alerting.cancelAlertsOnRuleTimeout` {ess-icon}::
|
|
Specifies whether to skip writing alerts and scheduling actions if rule
|
|
processing was cancelled due to a timeout. Default: `true`. This setting can be
|
|
overridden by individual rule types.
|
|
|
|
`xpack.alerting.rules.minimumScheduleInterval.value` {ess-icon}::
|
|
Specifies the minimum schedule interval for rules. This minimum is applied to all rules created or updated after you set this value. The time is formatted as:
|
|
+
|
|
`<count>[s,m,h,d]`
|
|
+
|
|
For example, `20m`, `24h`, `7d`. This duration cannot exceed `1d`. Default: `1m`.
|
|
|
|
`xpack.alerting.rules.minimumScheduleInterval.enforce` {ess-icon}::
|
|
Specifies the behavior when a new or changed rule has a schedule interval less than the value defined in `xpack.alerting.rules.minimumScheduleInterval.value`. If `false`, rules with schedules less than the interval will be created but warnings will be logged. If `true`, rules with schedules less than the interval cannot be created. Default: `false`.
|
|
|
|
`xpack.alerting.rules.run.actions.max` {ess-icon}::
|
|
Specifies the maximum number of actions that a rule can generate each time detection checks run.
|
|
|
|
`xpack.alerting.rules.run.alerts.max` {ess-icon}::
|
|
Specifies the maximum number of alerts that a rule can generate each time detection checks run. Default: 1000.
|
|
|
|
`xpack.alerting.rules.run.timeout` {ess-icon}::
|
|
Specifies the default timeout for tasks associated with all types of rules. The time is formatted as:
|
|
+
|
|
`<count>[ms,s,m,h,d,w,M,Y]`
|
|
+
|
|
For example, `20m`, `24h`, `7d`, `1w`. Default: `5m`.
|
|
|
|
`xpack.alerting.rules.run.ruleTypeOverrides` {ess-icon}::
|
|
Overrides the configs under `xpack.alerting.rules.run` for the rule type with the given ID. List the rule identifier and its settings in an array of objects. For example:
|
|
+
|
|
[source,yaml]
|
|
--
|
|
xpack.alerting.rules.run:
|
|
timeout: '5m'
|
|
ruleTypeOverrides:
|
|
- id: '.index-threshold'
|
|
timeout: '15m'
|
|
--
|
|
|
|
`xpack.alerting.rules.run.actions.connectorTypeOverrides` {ess-icon}::
|
|
Overrides the configs under `xpack.alerting.rules.run.actions` for the connector type with the given ID. List the connector type identifier and its settings in an array of objects. For example:
|
|
+
|
|
[source,yaml]
|
|
--
|
|
xpack.alerting.rules.run:
|
|
actions:
|
|
max: 10
|
|
connectorTypeOverrides:
|
|
- id: '.server-log'
|
|
max: 5
|
|
--
|