Kibana Settings source file

Sample source file for automated configuration reference.

---
# This is a demo file for testing purposes only
# See https://github.com/elastic/kibana/pull/191787 for more information
collection: Configure Kibana
product: Kibana
settings:
  - setting: xpack.encryptedSavedObjects.encryptionKey
    description:
      - "A string of 32 or more characters used to encrypt sensitive properties on alerting rules and actions before they're stored in {es}. Third party credentials — such as the username and password used to connect to an SMTP service — are an example of encrypted properties."
      - "Kibana offers a [CLI tool](http://www.example.com) to help generate this encryption key."
      - "If not set, Kibana will generate a random key on startup, but all alerting and action functions will be blocked. Generated keys are not allowed for alerting and actions because when a new key is generated on restart, existing encrypted data becomes inaccessible. For the same reason, alerting and actions in high-availability deployments of Kibana will behave unexpectedly if the key isn't the same on all instances of Kibana."
      - "Although the key can be specified in clear text in `kibana.yml`, it's recommended to store this key securely in the [Kibana Keystore](http://www.example.com). Be sure to back up the encryption key value somewhere safe, as your alerting rules and actions will cease to function due to decryption failures should you lose it.  If you want to rotate the encryption key, be sure to follow the instructions on [encryption key rotation](http://www.example.com)."
    default: true
    type: static
    options:
      - yes
      - no
      - maybe
    platforms:
      - self-managed

  - setting: xpack.actions.allowedHosts
    description:
      - 'A list of hostnames that Kibana is allowed to connect to when built-in actions are triggered. It defaults to `["*"]`, allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list `[]` can be used to block built-in actions from making any external connections.'
      - 'Note that hosts associated with built-in actions, such as Slack and PagerDuty, are not automatically added to allowed hosts. If you are not using the default `["*"]` setting, you must ensure that the corresponding endpoints are added to the allowed hosts as well.'
    default: '["*"]'
    platforms:
      - self-managed
      - cloud

  - setting: xpack.actions.customHostSettings
    description:
      - "A list of custom host settings to override existing global settings. Default: an empty list."
      - "Each entry in the list must have a `url` property, to associate a connection type (mail or https), hostname and port with the remaining options in the entry."
      - "The settings in `xpack.actions.customHostSettings` can be used to override the global option `xpack.actions.ssl.verificationMode` and provide customized TLS settings on a per-server basis. Set `xpack.actions.ssl.verificationMode` to the value to be used by default for all servers, then add an entry in `xpack.actions.customHostSettings` for every server that requires customized settings."
    example: example-xpack.actions.customHostSettings.asciidoc
    platforms:
      - self-managed
      - cloud

  - setting: xpack.actions.customHostSettings[n].url
    description:
      - "A URL associated with this custom host setting.  Should be in the form of `protocol://hostname:port`, where `protocol` is `https` or `smtp`.  If the port is not provided, 443 is used for `https` and 25 is used for `smtp`.  The `smtp` URLs are used for the Email actions that use this server, and the `https` URLs are used for actions which use `https` to connect to services."
      - "Entries with `https` URLs can use the `ssl` options, and entries with `smtp` URLs can use both the `ssl` and `smtp` options."
      - "No other URL values should be part of this URL, including paths, query strings, and authentication information.  When an http or smtp request is made as part of running an action, only the protocol, hostname, and port of the URL for that request are used to look up these configuration values."
    platforms:
      - self-managed
      - cloud

  - setting: xpack.actions.customHostSettings[n].smtp.ignoreTLS
    description:
      - "A boolean value indicating that TLS must not be used for this connection. The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true."
    default: false
    platforms:
      - self-managed
      - cloud

  - setting: xpack.actions.customHostSettings[n].smtp.requireTLS
    description:
      - "A boolean value indicating that TLS must be used for this connection. The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true."
    default: false
    platforms:
      - self-managed
      - cloud

  - setting: xpack.actions.customHostSettings[n].ssl.rejectUnauthorized
    description:
      - "A boolean value indicating whether to bypass server certificate validation."
      - "Overrides the general `xpack.actions.rejectUnauthorized` configuration for requests made for this hostname/port."
    deprecated: 8.0.0
    deprecated_guidance: "Use [`xpack.actions.customHostSettings.ssl.verificationMode`](http://www.example.com) instead."

  - setting: action-config-custom-host-verification-mode
    description:
      - "Controls the verification of the server certificate that Kibana receives when making an outbound SSL/TLS connection to the host server. Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification."
    options:
     - full
     - certificate
     - none
    default: full
    platforms:
      - self-managed
      - cloud

  - setting: xpack.actions.customHostSettings[n].ssl.certificateAuthoritiesFiles
    description:
      - "A file name or list of file names of PEM-encoded certificate files to use to validate the server."

  - setting: xpack.actions.customHostSettings[n].ssl.certificateAuthoritiesData
    description:
      - The contents of one or more PEM-encoded certificate files in multiline format. This configuration can be used for environments where the files cannot be made available.
    platforms:
      - self-managed
      - cloud

  - setting: xpack.actions.email.domain_allowlist
    description:
      - "A list of allowed email domains which can be used with the email connector. When this setting is not used, all email domains are allowed. When this setting is used, if any email is attempted to be sent that (a) includes an addressee with an email domain that is not in the allowlist, or (b) includes a from address domain that is not in the allowlist, it will fail with a message indicating the email is not allowed."
    warning: "This feature is available in Kibana 7.17.4 and 8.3.0 onwards but is not supported in Kibana 8.0, 8.1 or 8.2. As such, this setting should be removed before upgrading from 7.17 to 8.0, 8.1 or 8.2. It is possible to configure the settings in 7.17.4 and then upgrade to 8.3.0 directly."
    platforms:
      - self-managed
      - cloud