Loading

Kibana settings YAML samples (local fixtures)

These {settings} inclusions mirror files used to stress-test automated settings rendering.

Some descriptions use links and anchors that target the real Kibana reference pages, not this local aggregate page; the builder rewrites or validates many of them, but diagnostics can still reference those external paths.

Alerting and actions are enabled by default in Kibana, but require you to configure the following:

  1. Set up Kibana to work with Elastic Stack Elastic Stack security features.
  2. Set up TLS encryption between Kibana and Elasticsearch.
  3. If you are using an on-premises Elastic Stack deployment, specify a value for xpack.encryptedSavedObjects.encryptionKey.

General settings

xpack.encryptedSavedObjects.encryptionKey

Supported on:

A string of 32 or more characters used to encrypt sensitive properties on alerting rules and actions before they're stored in Elasticsearch. Third party credentials — such as the username and password used to connect to an SMTP service — are an example of encrypted properties.

Kibana offers a CLI tool to help generate this encryption key.

If not set, Kibana will generate a random key on startup, but all alerting and action functions will be blocked. Generated keys are not allowed for alerting and actions because when a new key is generated on restart, existing encrypted data becomes inaccessible. For the same reason, alerting and actions in high-availability deployments of Kibana will behave unexpectedly if the key isn't the same on all instances of Kibana.

Although the key can be specified in clear text in kibana.yml, it's recommended to store this key securely in the Kibana Keystore. Be sure to back up the encryption key value somewhere safe, as your alerting rules and actions will cease to function due to decryption failures should you lose it. If you want to rotate the encryption key, be sure to follow the instructions on encryption key rotation.

Datatype: string

Action settings

xpack.actions.allowedHosts

Supported on:

A list of hostnames that Kibana is allowed to connect to when built-in actions are triggered. It defaults to ["*"], allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list [] can be used to block built-in actions from making any external connections.

Note that hosts associated with built-in actions, such as Slack and PagerDuty, are not automatically added to allowed hosts. If you are not using the default ["*"] setting, you must ensure that the corresponding endpoints are added to the allowed hosts as well.

Datatype: string

xpack.actions.customHostSettings

Supported on:

A list of custom host settings to override existing global settings.

Each entry in the list must have a url property, to associate a connection type (mail or https), hostname and port with the remaining options in the entry.

The settings in xpack.actions.customHostSettings can be used to override the global option xpack.actions.ssl.verificationMode and provide customized TLS settings on a per-server basis. Set xpack.actions.ssl.verificationMode to the value to be used by default for all servers, then add an entry in xpack.actions.customHostSettings for every server that requires customized settings.

Datatype: string

Default: an empty list

In the following example, two custom host settings are defined. The first provides a custom host setting for mail server mail.example.com using port 465 that supplies server certificate authentication data from both a file and inline, and requires TLS for the connection. The second provides a custom host setting for https server webhook.example.com which turns off server certificate authentication, that will allow Kibana to connect to the server if it's using a self-signed certificate. The individual properties that can be used in the settings are documented below.

xpack.actions.customHostSettings:
    - url: smtp://mail.example.com:465
      ssl:
        verificationMode: 'full'
        certificateAuthoritiesFiles: [ 'one.crt' ]
        certificateAuthoritiesData: |
            -----BEGIN CERTIFICATE-----
            MIIDTD...
            CwUAMD...
            ... multiple lines of certificate data ...
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            MIIDTD...
            CwUAMD...
            ... multiple lines of certificate data ...
            -----END CERTIFICATE-----
        smtp:
          requireTLS: true
    - url: <EXAMPLE_WEBHOOK_URL>
      ssl:
        verificationMode: 'none'
xpack.actions.customHostSettings[n].url

Supported on:

A URL associated with this custom host setting. Should be in the form of protocol://hostname:port, where protocol is https or smtp. If the port is not provided, 443 is used for https and 25 is used for smtp. The smtp URLs are used for the Email actions that use this server, and the https URLs are used for actions which use https to connect to services.

Entries with https URLs can use the ssl options, and entries with smtp URLs can use both the ssl and smtp options.

No other URL values should be part of this URL, including paths, query strings, and authentication information. When an http or smtp request is made as part of running an action, only the protocol, hostname, and port of the URL for that request are used to look up these configuration values.

Datatype: string

xpack.actions.customHostSettings[n].smtp.ignoreTLS

Supported on:

A boolean value indicating that TLS must not be used for this connection. The options smtp.ignoreTLS and smtp.requireTLS can not both be set to true.

Datatype: bool

Default: false

xpack.actions.customHostSettings[n].smtp.requireTLS

Supported on:

A boolean value indicating that TLS must be used for this connection. The options smtp.ignoreTLS and smtp.requireTLS can not both be set to true.

Datatype: bool

Default: false

xpack.actions.customHostSettings[n].ssl.verificationMode

Supported on:

Controls the verification of the server certificate that Kibana receives when making an outbound SSL/TLS connection to the host server. Valid values are full, certificate, and none. Use full to perform hostname verification, certificate to skip hostname verification, and none to skip verification. Default: full. Equivalent Kibana setting. Overrides the general xpack.actions.ssl.verificationMode configuration for requests made for this hostname/port.

Datatype: enum

Default: full

Options:

  • full
  • certificate
  • none
xpack.actions.customHostSettings[n].ssl.certificateAuthoritiesFiles

Supported on:

A file name or list of file names of PEM-encoded certificate files to use to validate the server.

Datatype: string

xpack.actions.customHostSettings[n].ssl.certificateAuthoritiesData

Supported on:

The contents of one or more PEM-encoded certificate files in multiline format. This configuration can be used for environments where the files cannot be made available.

Datatype: string

xpack.actions.email.domain_allowlist

Supported on:

A list of allowed email domains which can be used with the email connector. When this setting is not used, all email domains are allowed. When this setting is used, if any email is attempted to be sent that (a) includes an addressee with an email domain that is not in the allowlist, or (b) includes a from address domain that is not in the allowlist, it will fail with a message indicating the email is not allowed.

Datatype: string

Warning

This feature is available in Kibana 7.17.4 and 8.3.0 onwards but is not supported in Kibana 8.0, 8.1 or 8.2. As such, this setting should be removed before upgrading from 7.17 to 8.0, 8.1 or 8.2. It is possible to configure the settings in 7.17.4 and then upgrade to 8.3.0 directly.

xpack.actions.email.recipient_allowlist

Supported on:

A list of allowed email recipient patterns (to, cc, or bcc) that can be used with email connectors. If you attempt to send an email to a recipient that does not match the allowed patterns, the action will fail. The failure message indicates that the email is not allowed.

Datatype: string

Warning

This setting cannot be used with xpack.actions.email.domain_allowlist.

For example:

xpack.actions.email.recipient_allowlist: ["admin-*@company.org", "sales-*@example.com"]

Only "to", "cc", or "bcc" email addresses that match the listed patterns will be accepted. For example, "admin-network@company.org" or "sales-north@example.com".

xpack.actions.email.maximum_body_length

Supported on:

The maximum length of an email body in bytes. Values longer than this length will be truncated. The default is 25MB, the maximum is 25MB.

Datatype: int

Default: 25000000 (25MB)

xpack.actions.email.services.ses.host

Supported on:

The SMTP endpoint for an Amazon Simple Email Service (SES) service provider that can be used by email connectors.

Datatype: string

Default: email-smtp.us-east-1.amazonaws.com

Warning

This setting alone is insufficient for overriding system defaults for the SES SMTP endpoint. You must also configure the xpack.actions.email.services.ses.port setting.

xpack.actions.email.services.ses.port

Supported on:

The port number for an Amazon Simple Email Service (SES) service provider that can be used by email connectors.

Datatype: int

Default: 465

xpack.actions.email.services.enabled

Supported on:

An array of strings indicating all email services that are enabled. Available options are elastic-cloud, google-mail, microsoft-outlook, amazon-ses, microsoft-exchange, and other. If the array is empty, no email services are enabled. The default value is ["*"], which enables all email services.

Datatype: string

Default: ["*"]

xpack.actions.enableFooterInEmail

Supported on:

A boolean value indicating that a footer with a relevant link should be added to emails sent as alerting actions.

Datatype: bool

Default: true

xpack.actions.enabledActionTypes

Supported on:

A list of action types that are enabled. It defaults to ["*"], enabling all types. The names for built-in Kibana action types are prefixed with a . and include: .email, .index, .jira, .opsgenie, .pagerduty, .resilient, .server-log, .servicenow, .servicenow-itom, .servicenow-sir, .slack, .swimlane, .teams, .tines, .torq, .xmatters, .gen-ai, .bedrock, .gemini, .d3security, and .webhook. An empty list [] will disable all action types.

Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in Kibana and will not function.

Datatype: string

Default: ["*"]

Important

Preconfigured connectors are not affected by this setting.

xpack.actions.microsoftExchangeUrl

Supported on:

The URL for the Microsoft Azure Active Directory endpoint to use for MS Exchange email authentication.

Datatype: string

Default: https://login.microsoftonline.com

xpack.actions.microsoftGraphApiUrl

Supported on:

The URL for the Microsoft Graph API endpoint to use for MS Exchange email authentication.

Datatype: string

Default: https://graph.microsoft.com/v1.0

xpack.actions.microsoftGraphApiScope

Supported on:

The URL for the Microsoft Graph API scope endpoint to use for MS Exchange email authentication.

Datatype: string

Default: https://graph.microsoft.com/.default

xpack.actions.proxyUrl

Supported on:

Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used.

Proxies may be used to proxy http or https requests through a proxy using the http or https protocol. Kibana only uses proxies in "CONNECT" mode (sometimes referred to as "tunneling" TCP mode, compared to HTTP mode). That is, Kibana will always make requests through a proxy using the HTTP CONNECT method.

If your proxy is using the https protocol (vs the http protocol), the setting xpack.actions.ssl.proxyVerificationMode: none will likely be needed, unless your proxy's certificates are signed using a publicly available certificate authority.

There is currently no support for using basic authentication with a proxy (authentication for the proxy itself, not the URL being requested through the proxy).

Datatype: string

To help diagnose problems using a proxy, you can use the curl command with options to use your proxy, and log debug information, with the following command, replacing the proxy and target URLs as appropriate. This will force the request to be made to the proxy in tunneling mode, and display some of the interaction between the client and the proxy.

curl --verbose --proxytunnel --proxy http://localhost:8080 <EXAMPLE_URL>
xpack.actions.proxyBypassHosts

Supported on:

Specifies hostnames which should not use the proxy, if using a proxy for actions. The value is an array of hostnames as strings.

By default, all hosts will use the proxy, but if an action's hostname is in this list, the proxy will not be used. The settings xpack.actions.proxyBypassHosts and xpack.actions.proxyOnlyHosts cannot be used at the same time.

Datatype: string

For example:

xpack.actions.proxyBypassHosts: [ "events.pagerduty.com" ]

If applicable, include the subdomain in the hostname.

xpack.actions.proxyOnlyHosts

Supported on:

Specifies hostnames which should only use the proxy, if using a proxy for actions. The value is an array of hostnames as strings.

By default, no hosts will use the proxy, but if an action's hostname is in this list, the proxy will be used. The settings xpack.actions.proxyBypassHosts and xpack.actions.proxyOnlyHosts cannot be used at the same time.

Datatype: string

For example:

xpack.actions.proxyOnlyHosts: [ "events.pagerduty.com" ]

If applicable, include the subdomain in the hostname.

xpack.actions.proxyHeaders

Supported on:

Specifies HTTP headers for the proxy, if using a proxy for actions.

Datatype: string

Default: {}

xpack.actions.ssl.proxyVerificationMode

Supported on:

Controls the verification for the proxy server certificate that Kibana receives when making an outbound SSL/TLS connection to the proxy server.

Use full to perform hostname verification, certificate to skip hostname verification, and none to skip verification.

Equivalent Kibana setting

Datatype: enum

Default: full

Options:

  • full
  • certificate
  • none
xpack.actions.ssl.verificationMode

Supported on:

Controls the verification for the server certificate that Elastic Maps Server receives when making an outbound SSL/TLS connection for actions. Valid values are full, certificate, and none. Use full to perform hostname verification, certificate to skip hostname verification, and none to skip verification.

Equivalent Kibana setting

This setting can be overridden for specific URLs by using the setting xpack.actions.customHostSettings[n].ssl.verificationMode (described above) to a different value.

Datatype: enum

Default: full

Options:

  • full
  • certificate
  • none
xpack.actions.maxResponseContentLength

Supported on:

Specifies the max number of bytes of the http response for requests to external resources.

Datatype: int

Default: 1000000 (1MB)

xpack.actions.responseTimeout

Supported on:

Specifies the time allowed for requests to external resources. Requests that take longer are canceled. The time is formatted as a number and a time unit (ms, s, m, h, d, w, M, or Y). For example, 20m, 24h, 7d, 1w. Default: 60s.

Datatype: string

xpack.actions.run.maxAttempts

Supported on:

Specifies the maximum number of times an action can be attempted to run.

Datatype: int

Options:

  • minimum 1 and maximum 10
xpack.actions.run.connectorTypeOverrides

Supported on:

Overrides the configs under xpack.actions.run for the connector type with the given ID. List the connector type identifier and its settings in an array of objects.

Datatype: string

For example:

xpack.actions.run:
    maxAttempts: 1
    connectorTypeOverrides:
        - id: '.server-log'
          maxAttempts: 5
xpack.actions.queued.max

Supported on:

Specifies the maximum number of actions that can be queued. It is available in Elastic Cloud 8.11.0 and later versions.

Datatype: int

Default: 1000000

Preconfigured connector settings

These settings vary depending on which type of preconfigured connector you're adding.

For example:

xpack.actions.preconfigured:
  my-server-log:
    name: preconfigured-server-log-connector-type
    actionTypeId: .server-log

For more examples, go to Preconfigured connectors.

xpack.actions.preconfiguredAlertHistoryEsIndex

Supported on:

Enables a preconfigured alert history Elasticsearch Index connector.

Datatype: bool

Default: false

xpack.actions.preconfigured

Supported on:

Specifies configuration details that are specific to the type of preconfigured connector.

Datatype: string

xpack.actions.preconfigured.<connector-id>.actionTypeId

Supported on:

The type of preconfigured connector.

Datatype: enum

Options:

  • .email
  • .index
  • .opsgenie
  • .server-log
  • .resilient
  • .slack
  • .webhook
xpack.actions.preconfigured.<connector-id>.config

Supported on:

The configuration details, which are specific to the type of preconfigured connector.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.apiProvider

Supported on:

For a OpenAI connector, specifies the OpenAI API provider.

Datatype: enum

Options:

  • OpenAI
  • Azure OpenAI
xpack.actions.preconfigured.<connector-id>.config.apiUrl

Supported on:

A configuration URL that varies by connector:

Datatype: string

Note

If you are using the xpack.actions.allowedHosts setting, make sure the hostname in the URL is added to the allowed hosts.

xpack.actions.preconfigured.<connector-id>.config.appId

Supported on:

An application ID that varies by connector:

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.clientId

Supported on:

A client identifier that varies by connector:

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.configUrl

Supported on:

For an xMatters connector with basic authentication, specifies the request URL for the Elastic Alerts trigger in xMatters.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.createCommentJson

Supported on:

For a Case Management webhook connector, specifies a stringified JSON payload with Mustache variables that is sent to the create comment URL to create a case comment. The required variable is case.description.

Datatype: string

Note

The JSON is validated after the Mustache variables have been placed when the REST method runs. You should manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.

xpack.actions.preconfigured.<connector-id>.config.createCommentMethod

Supported on:

For a Case Management webhook connector, specifies the REST API HTTP request method to create a case comment in the third-party system.

Datatype: string

Default: put

Options:

  • post
  • put
  • patch
xpack.actions.preconfigured.<connector-id>.config.createCommentUrl

Supported on:

For a Case Management webhook connector, specifies a REST API URL string to create a case comment by ID in the third-party system.

Datatype: string

Note

If you are using the xpack.actions.allowedHosts setting, make sure the hostname in the URL is added to the allowed hosts.

xpack.actions.preconfigured.<connector-id>.config.createIncidentJson

Supported on:

For a Case Management webhook connector, specifies a stringified JSON payload with Mustache variables that is sent to the create case URL to create a case. Required variables are case.title and case.description.

Datatype: string

Note

The JSON is validated after the Mustache variables have been placed when the REST method runs. You should manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.

xpack.actions.preconfigured.<connector-id>.config.createIncidentMethod

Supported on:

For a Case Management webhook connector, specifies the REST API HTTP request method to create a case in the third-party system.

Datatype: string

Default: post

Options:

  • post
  • put
  • patch
xpack.actions.preconfigured.<connector-id>.config.createIncidentUrl

Supported on:

For a Case Management webhook connector, specifies a REST API URL string to create a case in the third-party system.

Datatype: string

Note

If you are using the xpack.actions.allowedHosts setting, make sure the hostname in the URL is added to the allowed hosts.

xpack.actions.preconfigured.<connector-id>.config.createIncidentResponseKey

Supported on:

For a Case Management webhook connector, specifies a string from the response body of the create case method that corresponds to the external service identifier.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.defaultModel

Supported on:

The default model to use for requests, which varies by connector:

  • For an Amazon Bedrock connector, current support is for the Anthropic Claude models.
    • Applies to (serverless: ga) Defaults to us.anthropic.claude-sonnet-4-5-20250929-v1:0.
    • Applies to (stack: ga 9.2+) Defaults to us.anthropic.claude-sonnet-4-5-20250929-v1:0.
    • Applies to (stack: ga =9.1) Defaults to us.anthropic.claude-3-7-sonnet-20250219-v1:0.
    • Applies to (stack: ga =9.0) Defaults to anthropic.claude-3-5-sonnet-20240620-v1:0.
  • For a Google Gemini connector, current support is for the Gemini models.
    • Applies to (serverless: ga) Defaults to gemini-2.5-pro.
    • Applies to (stack: ga 9.1+) Defaults to gemini-2.5-pro.
    • Applies to (stack: ga =9.0) Defaults to gemini-1.5-pro-002.
  • For a OpenAI connector, it is optional and applicable only when xpack.actions.preconfigured.<connector-id>.config.apiProvider is OpenAI.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.executionTimeField

Supported on:

For an index connector, a field that indicates when the document was indexed.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.from

Supported on:

For an email connector, specifies the from address for all emails sent by the connector. It must be specified in user@host-name format.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.getIncidentResponseExternalTitleKey

Supported on:

For a Case Management webhook connector, specifies a string from the response body of the get case method that corresponds to the external service title.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.getIncidentUrl

Supported on:

For a Case Management webhook connector, specifies a REST API URL string with an external service ID Mustache variable to get the case from the third-party system.

Datatype: string

Note

If you are using the xpack.actions.allowedHosts setting, make sure the hostname in the URL is added to the allowed hosts.

xpack.actions.preconfigured.<connector-id>.config.hasAuth

Supported on:

For an email, webhook, or Case Management webhook connector, specifies whether a user and password are required inside the secrets configuration.

Datatype: bool

Default: true

xpack.actions.preconfigured.<connector-id>.config.headers

Supported on:

For a webhook or Case Management webhook connector, specifies a set of key-value pairs sent as headers with the request.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.host

Supported on:

For an email connector, specifies the host name of the service provider.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.index

Supported on:

For an index connector, specifies the Elasticsearch index.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.isOAuth

Supported on:

For a ServiceNow ITSM, ServiceNow SIR, or ServiceNow ITOM connector, specifies whether to use basic or OAuth authentication.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.jwtKeyId

Supported on:

For a ServiceNow ITSM, ServiceNow SIR, or ServiceNow ITOM connector, specifies the key ID assigned to the JWT verifier map of your OAuth application. It is required when xpack.actions.preconfigured.<connector-id>.config.isOAuth is true.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.mappings

Supported on:

For a Swimlane connector, specifies field mappings.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.mappings.alertIdConfig

Supported on:

For a Swimlane connector, field mapping for the alert identifier. You must provide fieldtype, id, key, and name values.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.mappings.caseIdConfig

Supported on:

For a Swimlane connector, field mapping for the case identifier. You must provide fieldtype, id, key, and name values.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.mappings.caseNameConfig

Supported on:

For a Swimlane connector, field mapping for the case name. You must provide fieldtype, id, key, and name values.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.mappings.commentsConfig

Supported on:

For a Swimlane connector, field mapping for the case comments. You must provide fieldtype, id, key, and name values.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.mappings.descriptionConfig

Supported on:

For a Swimlane connector, field mapping for the case description. You must provide fieldtype, id, key, and name values.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.mappings.ruleNameConfig

Supported on:

For a Swimlane connector, field mapping for the rule name. You must provide fieldtype, id, key, and name values.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.mappings.severityConfig

Supported on:

For a Swimlane connector, specifies a field mapping for the severity. You must provide fieldtype, id, key, and name values.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.method

Supported on:

For a webhook connector, specifies the HTTP request method, either post or put. Defaults to post.

Datatype: enum

Default: post

Options:

  • post
  • put
xpack.actions.preconfigured.<connector-id>.config.orgId

Supported on:

For an IBM Resilient connector, specifies the IBM Resilient organization identifier.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.port

Supported on:

For an email connector, specifies the port to connect to on the service provider.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.projectKey

Supported on:

For a Jira connector, specifies the Jira project key.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.secure

Supported on:

For an email connector, specifies whether the connection will use TLS when connecting to the service provider. If not true, the connection will initially connect over TCP then attempt to switch to TLS via the SMTP STARTTLS command.

Datatype: bool

xpack.actions.preconfigured.<connector-id>.config.service

Supported on:

For an email connector, specifies the name of the email service. For example, elastic_cloud, exchange_server, gmail, other, outlook365, or ses.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.tenantId

Supported on:

For an email connector, specifies a GUID format value that corresponds to a tenant ID, which is a part of OAuth 2.0 client credentials authentication.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.updateIncidentJson

Supported on:

For a Case Management webhook connector, specifies a stringified JSON payload with Mustache variables that is sent to the update case URL to update a case. Required variables are case.title and case.description.

Datatype: string

Note

The JSON is validated after the Mustache variables have been placed when the REST method runs. You should manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.

xpack.actions.preconfigured.<connector-id>.config.updateIncidentMethod

Supported on:

For a Case Management webhook connector, specifies the REST API HTTP request method to update the case in the third-party system.

Datatype: enum

Default: put

Options:

  • post
  • put
  • patch
xpack.actions.preconfigured.<connector-id>.config.updateIncidentUrl

Supported on:

For a Case Management webhook connector, specifies the REST API URL to update the case by ID in the third-party system.

Datatype: string

Note

If you are using the xpack.actions.allowedHosts setting, make sure the hostname in the URL is added to the allowed hosts.

xpack.actions.preconfigured.<connector-id>.config.url

Supported on:

A configuration URL that varies by connector:

Datatype: string

Note

If you are using the xpack.actions.allowedHosts setting, make sure this hostname is added to the allowed hosts.

xpack.actions.preconfigured.<connector-id>.config.userIdentifierValue

Supported on:

For a ServiceNow ITSM, ServiceNow SIR, or ServiceNow ITOM connector, specifies the user identifier. It is required when xpack.actions.preconfigured.<connector-id>.config.isOAuth is true.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.usesBasic

Supported on:

For an xMatters connector, specifies whether it uses HTTP basic authentication.

Datatype: bool

Default: true

xpack.actions.preconfigured.<connector-id>.config.usesTableApi

Supported on:

For a ServiceNow ITSM or ServiceNow SIR connector, specifies whether the connector uses the Table API or the Import Set API. If set to false, the Elastic application should be installed in ServiceNow.

Datatype: bool

xpack.actions.preconfigured.<connector-id>.config.viewIncidentUrl

Supported on:

For a Case Management webhook connector, specifies a URL string with either the external service ID or external service title Mustache variable to view a case in the external system.

Datatype: string

xpack.actions.preconfigured.<connector-id>.config.webhookIntegrationUrl

Supported on:

For a Torq connector, specifies the endpoint URL of the Elastic Security integration in Torq.

Datatype: string

xpack.actions.preconfigured.<connector-id>.name

Supported on:

The name of the preconfigured connector.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets

Supported on:

Sensitive configuration details, such as username, password, and keys, which are specific to the connector type.

Datatype: string

Tip

Sensitive properties, such as passwords, should be stored in the Kibana keystore.

xpack.actions.preconfigured.<connector-id>.secrets.accessKey

Supported on:

For an Amazon Bedrock connector, specifies the AWS access key for authentication.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.apikey

Supported on:

An API key secret that varies by connector.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.credentialsJson

Supported on:

A credentials secret that varies by connector:

  • For a Google Gemini connector, specifies the GCP service account credentials JSON file for authentication.
  • For a OpenAI connector, specifies the OpenAI or Azure OpenAI API key for authentication.
  • For an Opsgenie connector, specifies the Opsgenie API authentication key for HTTP basic authentication.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.apiKeyId

Supported on:

For an IBM Resilient connector, specifies the authentication key ID for HTTP basic authentication.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.apiKeySecret

Supported on:

For an IBM Resilient connector, specifies the authentication key secret for HTTP basic authentication.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.apiToken

Supported on:

For a Jira or Swimlane connector, specifies the API authentication token for HTTP basic authentication.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.clientSecret

Supported on:

A client secret that varies by connector:

  • For an email connector, specifies the client secret that you generated for your app in the app registration portal. It is required when the email service is exchange_server, which uses OAuth 2.0 client credentials authentication.
  • For a ServiceNow ITSM, ServiceNow SIR, or ServiceNow ITOM connector, specifies the client secret assigned to the OAuth application. It is required when xpack.actions.preconfigured.<connector-id>.config.isOAuth is true.

Datatype: string

Note

The client secret must be URL-encoded.

xpack.actions.preconfigured.<connector-id>.secrets.email

Supported on:

An email address that varies by connector:

  • For a Jira connector, specifies the account email for HTTP basic authentication.
  • For a Tines connector, specifies the email used to sign in to Tines.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.password

Supported on:

A password secret that varies by connector:

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.privateKey

Supported on:

For a ServiceNow ITSM, ServiceNow SIR, or ServiceNow ITOM connector, specifies the RSA private key. It is required when xpack.actions.preconfigured.<connector-id>.config.isOAuth is true.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.privateKeyPassword

Supported on:

For a ServiceNow ITSM, ServiceNow SIR, or ServiceNow ITOM connector, specifies the password for the RSA private key.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.routingKey

Supported on:

For a PagerDuty connector, specifies the 32 character PagerDuty Integration Key for an integration on a service, also referred to as the routing key.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.secret

Supported on:

For an Amazon Bedrock connector, specifies the AWS secret for authentication.

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.secretsUrl

Supported on:

For an xMatters connector with URL authentication, specifies the request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is used only when xpack.actions.preconfigured.<connector-id>.config.usesBasic is false.

Datatype: string

Note

If you are using the xpack.actions.allowedHosts setting, make sure this hostname is added to the allowed hosts.

xpack.actions.preconfigured.<connector-id>.secrets.token

Supported on:

A token secret that varies by connector:

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.user

Supported on:

A user name secret that varies by connector:

Datatype: string

xpack.actions.preconfigured.<connector-id>.secrets.webhookUrl

Supported on:

A URL that varies by connector:

Datatype: string

Note

If you are using the xpack.actions.allowedHosts setting, make sure the hostname is added to the allowed hosts.

xpack.actions.preconfigured.<connector-id>.secrets.username

Supported on:

For a ServiceNow ITSM, ServiceNow SIR, or ServiceNow ITOM connector, specifies a user name that is required when xpack.actions.preconfigured.<connector-id>.config.isOAuth is false.

Datatype: string

xpack.actions.webhook.ssl.pfx.enabled

Supported on:

Disable PFX file support for SSL client authentication. When set to false, the application will not accept PFX certificate files and will require separate certificate and private key files instead. Only applies to the Webhook connector.

Datatype: bool

Default: true

Alerting settings

xpack.alerting.cancelAlertsOnRuleTimeout

Supported on:

Specifies whether to skip writing alerts and scheduling actions if rule processing was cancelled due to a timeout. This setting can be overridden by individual rule types.

Datatype: bool

Default: true

xpack.alerting.rules.maxScheduledPerMinute

Supported on:

Specifies the maximum number of rules to run per minute.

Datatype: int

Default: 32000

Note

In Serverless, the maximum number of rules to run per minute is set to 400 and can't be configured.

xpack.alerting.rules.minimumScheduleInterval.value

Supported on:

Specifies the minimum schedule interval for rules. This minimum is applied to all rules created or updated after you set this value. The time is formatted as a number and a time unit (s, m, h, or d). For example, 20m, 24h, 7d. This duration cannot exceed 1d.

Datatype: string

Default: 1m

xpack.alerting.rules.minimumScheduleInterval.enforce

Supported on:

Specifies the behavior when a new or changed rule has a schedule interval less than the value defined in xpack.alerting.rules.minimumScheduleInterval.value. If false, rules with schedules less than the interval will be created but warnings will be logged. If true, rules with schedules less than the interval cannot be created.

Datatype: bool

Default: false

xpack.alerting.rules.run.actions.max

Supported on:

Specifies the maximum number of actions that a rule can generate each time detection checks run.

Datatype: int

xpack.alerting.rules.run.alerts.max

Supported on:

Specifies the maximum number of alerts that a rule can generate each time detection checks run.

Datatype: int

Default: 1000

Warning

The exact number of alerts your cluster can safely handle depends on your cluster configuration and workload. While it is technically possible to increase this value above 1000, doing so is not recommended and not supported. Increasing this limit can significantly affect Kibana and Elasticsearch performance and memory usage. Carefully evaluate the impact on your deployment before making this change.

xpack.alerting.rules.run.timeout

Supported on:

Specifies the default timeout for tasks associated with all types of rules. The time is formatted as a number and a time unit (ms, s, m, h, d, w, M, or Y). For example, 20m, 24h, 7d, 1w. Default: 5m.

Datatype: string

xpack.alerting.rules.run.ruleTypeOverrides

Supported on:

Overrides the configs under xpack.alerting.rules.run for the rule type with the given ID. List the rule identifier and its settings in an array of objects.

Datatype: string

For example:

xpack.alerting.rules.run:
    timeout: '5m'
    ruleTypeOverrides:
        - id: '.index-threshold'
          timeout: '15m'
xpack.alerting.rules.run.actions.connectorTypeOverrides

Supported on:

Overrides the configs under xpack.alerting.rules.run.actions for the connector type with the given ID. List the connector type identifier and its settings in an array of objects.

Datatype: string

For example:

xpack.alerting.rules.run:
    actions:
        max: 10
        connectorTypeOverrides:
            - id: '.server-log'
              max: 5

By default, Fleet is enabled. To use Fleet, you also need to configure Kibana and Elasticsearch hosts.

Many Fleet settings can also be configured directly through the Fleet UI. See Fleet UI settings for details.

Go to the Fleet docs for more information about Fleet.

General Fleet settings

xpack.fleet.agents.enabled

Supported on:

Set to true (default) to enable Fleet.

Datatype: bool

Default: true

xpack.fleet.isAirGapped

Supported on:

Set to true to indicate Fleet is running in an air-gapped environment. Refer to Air-gapped environments for details. Enabling this flag helps Fleet skip needless requests and improve the user experience for air-gapped environments.

Datatype: bool

Default: false

xpack.fleet.createArtifactsBulkBatchSize

Supported on:

Allow to configure batch size for creating and updating Fleet user artifacts. Examples include creation of Trusted Applications and Endpoint Exceptions in Security. It is available in Elastic Cloud 8.9.0 and later versions.

Datatype: int

Elastic Package Manager settings

xpack.fleet.registryUrl

Supported on:

The address to use to reach the Elastic Package Manager registry.

Datatype: string

xpack.fleet.registryProxyUrl

Supported on:

The proxy address to use to reach the Elastic Package Manager registry if an internet connection is not directly available. Refer to Air-gapped environments for details.

Datatype: string

xpack.fleet.packageVerification.gpgKeyPath

Supported on:

The path on disk to the GPG key used to verify Elastic Package Manager packages. If the Elastic public key is ever reissued as a security precaution, you can use this setting to specify the new key.

Datatype: string

Fleet settings

Note

The xpack.fleet.agents.elasticsearch.* settings are intended for a quickstart setup. For more advanced use cases, use the xpack.fleet.outputs setting to preconfigure outputs.

xpack.fleet.agents.fleet_server.hosts

Supported on:

Hostnames used by Elastic Agent for accessing Fleet Server.

If configured in your kibana.yml, this setting is grayed out and unavailable in the Fleet UI. To make this setting editable in the UI, do not configure it in the configuration file.

Datatype: string

xpack.fleet.agents.elasticsearch.hosts

Supported on:

Hostnames used by Elastic Agent for accessing Elasticsearch.

Datatype: string

xpack.fleet.agents.elasticsearch.ca_sha256

Supported on:

Hash pin used for certificate verification. The pin is a base64-encoded string of the SHA-256 fingerprint.

Datatype: string

Preconfiguration settings (for advanced use cases)

Use these settings to pre-define integrations, agent policies, and Fleet Server hosts or proxies that you want Fleet to load up by default.

Note

These settings are not supported to pre-configure the Endpoint and Cloud Security integration.

xpack.fleet.packages

Supported on:

List of integrations that are installed when the Fleet app starts up for the first time.

Datatype: string

xpack.fleet.packages:
  - name: apache
    version: 0.5.0

xpack.fleet.agentPolicies:
  - name: Preconfigured Policy
    id: preconfigured-policy
    namespace: test
    package_policies:
      - package:
          name: system
        name: System Integration
        namespace: test
        id: preconfigured-system
        inputs:
          system-system/metrics:
            enabled: true
            vars:
              '[system.hostfs]': home/test
            streams:
              '[system.core]':
                enabled: true
                vars:
                  period: 20s
          system-winlog:
            enabled: false
xpack.fleet.packages[n].name

Supported on:

Required. Name of the integration from the package registry.

Datatype: string

xpack.fleet.packages[n].version

Supported on:

Required.Either an exact semantic version, or the keyword latest to fetch the latest integration version.

Datatype: string

xpack.fleet.agentPolicies

Supported on:

List of agent policies that are configured when the Fleet app starts.

Datatype: string

xpack.fleet.agentPolicies[n].id

Supported on:

Required. Unique ID for this policy. The ID may be a number or string.

Datatype: string

xpack.fleet.agentPolicies[n].name

Supported on:

Required. Name of the agent policy.

Datatype: string

xpack.fleet.agentPolicies[n].description

Supported on:

Optional. Text description of this policy.

Datatype: string

xpack.fleet.agentPolicies[n].namespace

Supported on:

Optional. String identifying this policy's namespace.

Datatype: string

xpack.fleet.agentPolicies[n].monitoring_enabled

Supported on:

Optional. List of keywords that specify the monitoring data to collect. Valid values include ['logs'], ['metrics'], and ['logs', 'metrics'].

Datatype: string

xpack.fleet.agentPolicies[n].keep_monitoring_alive

Supported on:

Optional. If true, monitoring will be enabled, but logs/metrics collection will be disabled. Use this if you want to keep agent's monitoring server alive even when logs/metrics aren't being collected.

Datatype: bool

xpack.fleet.agentPolicies[n].is_managed

Supported on:

Optional. If true, this policy is not editable by the user and can only be changed by updating the Kibana config.

Datatype: bool

xpack.fleet.agentPolicies[n].is_default

Supported on:

Optional. If true, this policy is the default agent policy.

Datatype: bool

Deprecation details

Deprecated in 8.1.0.

xpack.fleet.agentPolicies[n].is_default_fleet_server

Supported on:

Optional. If true, this policy is the default Fleet Server agent policy.

Datatype: bool

Deprecation details

Deprecated in 8.1.0.

xpack.fleet.agentPolicies[n].data_output_id

Supported on:

Optional. ID of the output to send data. (Need to be identical to monitoring_output_id)

Datatype: string

xpack.fleet.agentPolicies[n].monitoring_output_id

Supported on:

Optional. ID of the output to send monitoring data. (Need to be identical to data_output_id)

Datatype: string

xpack.fleet.agentPolicies[n].fleet_server_host_id

Supported on:

Optional. ID of the fleet server.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies

Supported on:

Optional. List of integration policies to add to this policy.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].id

Supported on:

Unique ID of the integration policy. The ID may be a number or string.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].name

Supported on:

Name of the integration policy.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].package

Supported on:

Integration that this policy configures.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].package.name

Supported on:

Name of the integration associated with this policy.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].description

Supported on:

Text string describing this integration policy.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].namespace

Supported on:

String identifying this policy's namespace.

Datatype: string

xpack.fleet.agentPolicies[n].package_policies[n].inputs

Supported on:

Map of input for the integration. Follows the same schema as the package policy API inputs, with the exception that any object in vars can be passed frozen: true in order to prevent that specific var from being edited by the user.

Datatype: string

xpack.fleet.outputs

Supported on:

List of outputs that are configured when the Fleet app starts.

Certain types of outputs have additional required and optional settings. Refer to Output settings in the Fleet and Elastic Agent Guide for the full list of settings for each output type.

If configured in your kibana.yml, output settings are grayed out and unavailable in the Fleet UI. To make these settings editable in the UI, do not configure them in the configuration file.

Datatype: string

Note

The xpack.fleet.outputs settings are intended for advanced configurations such as having multiple outputs. We recommend not enabling the xpack.fleet.agents.elasticsearch.host settings when using xpack.fleet.outputs.

xpack.fleet.outputs:
  - id: my-logstash-output-with-a-secret
    name: preconfigured logstash output with a secret
    type:  logstash
    hosts: ["localhost:9999"]
    ssl:
      certificate: xxxxxxxxxx
    secrets:
      ssl:
        key: securekey
xpack.fleet.outputs[n].id

Supported on:

Required. Unique ID for this output. The ID should be a string.

Datatype: string

xpack.fleet.outputs[n].name

Supported on:

Required. Name of the output.

Datatype: string

xpack.fleet.outputs[n].type

Supported on:

Required. Type of Output.

Datatype: enum

Options:

  • elasticsearch
  • logstash
  • kafka
  • remote_elasticsearch
xpack.fleet.outputs[n].hosts

Supported on:

Optional.Array that contains the list of host for that output.

Datatype: string

xpack.fleet.outputs[n].is_default

Supported on:

Optional. If true, the output specified in xpack.fleet.outputs will be the one used to send agent data unless there is another one configured specifically for the agent policy.

Datatype: bool

xpack.fleet.outputs[n].is_default_monitoring

Supported on:

Optional. If true, the output specified in xpack.fleet.outputs will be the one used to send agent monitoring data unless there is another one configured specifically for the agent policy.

Datatype: bool

xpack.fleet.outputs[n].is_internal

Supported on:

Optional. If true, the output specified in xpack.fleet.outputs will not appear in the UI, and can only be managed via kibana.yml or the Fleet API.

Datatype: bool

xpack.fleet.outputs[n].config

Supported on:

Optional. Extra config for that output.

Datatype: string

xpack.fleet.outputs[n].proxy_id

Supported on:

Optional. Unique ID of a proxy to access the output.

Datatype: string

xpack.fleet.outputs[n].ssl

Supported on:

Optional. Set to enable authentication using the Secure Sockets Layer (SSL) protocol.

Datatype: string

xpack.fleet.outputs[n].ssl.certificate

Supported on:

The SSL certificate that Elastic Agents use to authenticate with the output. Include the full contents of the certificate here.

Datatype: string

xpack.fleet.outputs[n].ssl.certificate_authorities

Supported on:

Certificate authority (CA) used to issue the certificate.

Datatype: string

xpack.fleet.outputs[n].secrets

Supported on:

Include here any values for preconfigured outputs that should be stored as secrets. A secret value is replaced in the kibana.yml settings file with a reference, with the original value stored externally as a secure hash. Note that this type of secret storage requires all configured Fleet Servers to be on version 8.12.0 or later.

Datatype: string

xpack.fleet.outputs[n].secrets.key

Supported on:

The private certificate key that Elastic Agents use to authenticate with the output.

Datatype: string

xpack.fleet.fleetServerHosts

Supported on:

List of Fleet Server hosts that are configured when the Fleet app starts.

Datatype: string

xpack.fleet.fleetServerHosts[n].id

Supported on:

Required. Unique ID for the host server.

Datatype: string

xpack.fleet.fleetServerHosts[n].name

Supported on:

Required. Name of the host server.

Datatype: string

xpack.fleet.fleetServerHosts[n].host_urls

Supported on:

Required. Array of one or more host URLs that Elastic Agents will use to connect to Fleet Server.

Datatype: string

xpack.fleet.fleetServerHosts[n].is_default

Supported on:

Optional. Whether or not this host should be the default to use for Fleet Server.

Datatype: bool

xpack.fleet.fleetServerHosts[n].is_internal

Supported on:

Optional. If true the host will not appear in the UI, and can only be managed through kibana.yml or the Fleet API.

Datatype: bool

xpack.fleet.fleetServerHosts[n].proxy_id

Supported on:

Optional. Unique ID of the proxy to access the Fleet Server host.

Datatype: string

xpack.fleet.proxy

Supported on:

List of proxies to access Fleet Server that are configured when the Fleet app starts.

Datatype: string

xpack.fleet.proxy[n].id

Supported on:

Required. Unique ID of the proxy to access the Fleet Server host.

Datatype: string

xpack.fleet.proxy[n].name

Supported on:

Required. Name of the proxy to access the Fleet Server host.

Datatype: string

xpack.fleet.proxy[n].url

Supported on:

Required. URL that Elastic Agents use to connect to the proxy to access Fleet Server.

Datatype: string

xpack.fleet.proxy[n].proxy_headers

Supported on:

Optional. Map of headers to use with the proxy.

Datatype: string

xpack.fleet.proxy[n].proxy_headers.key

Supported on:

Key to use for the proxy header.

Datatype: string

xpack.fleet.proxy[n].proxy_headers.value

Supported on:

Value to use for the proxy header.

Datatype: string

xpack.fleet.proxy[n].certificate_authorities

Supported on:

Optional. Certificate authority (CA) used to issue the certificate.

Datatype: string

xpack.fleet.proxy[n].certificate

Supported on:

Optional. The name of the certificate used to authenticate the proxy.

Datatype: string

xpack.fleet.proxy[n].certificate_key

Supported on:

Optional. The certificate key used to authenticate the proxy.

Datatype: string

xpack.fleet.enableExperimental

Supported on:

List of experimental feature flag to enable in Fleet. It is available in Elastic Cloud 8.6.0 and later versions. From 9.3.0 onwards, use xpack.fleet.experimentalFeatures to explicitly enable or disable experimental features.

Datatype: string

Deprecation details

From 9.3.0 onwards, use xpack.fleet.experimentalFeatures to explicitly enable or disable experimental features.

xpack.fleet.experimentalFeatures

Supported on:

Set experimental feature flags to true or false to enable or disable them, respectively.

Datatype: string

Note

Experimental features should not be enabled in production environments. The features in this section are experimental and may be changed or removed completely in future releases. Elastic will make a best effort to fix any issues, but experimental features are not supported to the same level as generally available (GA) features.

xpack.fleet.experimentalFeatures:
  useSpaceAwareness: false
  enableAgentPrivilegeLevelChange: true
xpack.fleet.enableManagedLogsAndMetricsDataviews

Supported on:

Set to true (default), to enable the automatic creation of global logs-* and metrics-* data views.

Datatype: bool

Default: true

xpack.fleet.autoUpgrades.taskInterval

Supported on:

Configure the interval of the automatic upgrade task for Fleet-managed Elastic Agents. Defaults to 30m.

Datatype: string

Default: 30m

xpack.fleet.autoUpgrades.retryDelays

Supported on:

Configure the retry delays of the automatic upgrade task for Fleet-managed Elastic Agents. The array's length indicates the maximum number of retries. Defaults to ['30m', '1h', '2h', '4h', '8h', '16h', '24h'].

Datatype: string

Default: ['30m', '1h', '2h', '4h', '8h', '16h', '24h']

xpack.fleet.integrationRollbackTTL

Supported on:

Configure the time-to-live (TTL) for integration rollback availability. This setting controls how long the rollback option remains available after an integration is upgraded. The value must be specified in a duration format (for example, 7d, 14d, 168h, or 1w). Defaults to 7d (7 days). For more information, refer to Roll back an integration.

Datatype: string

Default: 7d

xpack.fleet.fleetPolicyRevisionsCleanup.max_revisions

Supported on:

The maximum number of revisions to maintain for a Fleet agent policy. Defaults to 10.

Datatype: int

Default: 10

xpack.fleet.fleetPolicyRevisionsCleanup.interval

Supported on:

The time interval for performing cleanups of Fleet agent policy revisions. The value must be specified in a duration format (for example, 30m, 1h, 1d). Defaults to 1h (1 hour).

Datatype: string

Default: 1h

xpack.fleet.fleetPolicyRevisionsCleanup.max_policies_per_run

Supported on:

The maximum number of Fleet agent policies to clean up revisions from per interval. Defaults to 100.

Datatype: int

Default: 100

Use these settings to configure general features available in Kibana.

General settings

console.ui.enabled

Supported on:

Toggling this causes the server to regenerate assets on the next startup, which may cause a delay before pages start being served. Set to false to disable Console.

Datatype: bool

Default: true

execution_context.enabled

Supported on:

Propagate request-specific metadata to Elasticsearch server by way of the x-opaque-id header. It is available in Elastic Cloud 8.1.0 and later versions.

Datatype: bool

newsfeed.enabled

Supported on:

Controls whether to enable the newsfeed system for the Kibana UI notification center. Set to false to disable the newsfeed system.

Datatype: bool

Default: true

node.roles

Supported on:

Indicates which roles to configure the Kibana process with, which will effectively run Kibana in different modes. Valid options are background_tasks and ui, or * to select all roles.

Datatype: string

Default: *

notifications.connectors.default.email

Supported on:

Choose the default email connector for user notifications. As of 8.6.0, Kibana is shipping with a new notification mechanism that will send email notifications for various user actions, e.g. assigning a Case to a user. To enable notifications, an email connector must be preconfigured in the system via kibana.yml, and the notifications plugin must be configured to point to the ID of that connector.

Datatype: string

ops.interval

Supported on:

Set the interval in milliseconds to sample system and process performance metrics. The minimum value is 100.

Datatype: int

Default: 5000

ops.cGroupOverrides.cpuPath

Supported on:

Override for cgroup cpu path when mounted in a manner that is inconsistent with /proc/self/cgroup.

Datatype: string

ops.cGroupOverrides.cpuAcctPath

Supported on:

Override for cgroup cpuacct path when mounted in a manner that is inconsistent with /proc/self/cgroup.

Datatype: string

path.data

Supported on:

The path where Kibana stores persistent data not saved in Elasticsearch.

Datatype: string

Default: data

permissionsPolicy.report_to

Supported on:

Add sources for the Permissions Policy report-to directive.

Datatype: string

pid.file

Supported on:

Specifies the path where Kibana creates the process ID file.

Datatype: string

status.allowAnonymous

Supported on:

If authentication is enabled, setting this to true enables unauthenticated users to access the Kibana server status API and status page.

Datatype: bool

Default: false

Content Security Policy (CSP) settings

csp.script_src

Supported on:

Add sources for the Content Security Policy script-src directive.

Datatype: string

csp.disableUnsafeEval

Supported on:

Set this to false to add the unsafe-eval source expression to the script-src directive.

When csp.disableUnsafeEval is set to true, Kibana will use a custom version of the Handlebars template library. Handlebars is used in various locations in the Kibana frontend where custom templates can be supplied by the user when for instance setting up a visualisation. If you experience any issues rendering Handlebars templates, please set this setting to false and open an issue in the Kibana GitHub repository.

Datatype: bool

Default: true

Deprecation details

Deprecated in 8.7.0. Use csp.script_src: ['unsafe-eval'] instead if you wish to enable unsafe-eval. This config option will have no effect in a future version.

csp.worker_src

Supported on:

Add sources for the Content Security Policy worker-src directive.

Datatype: string

csp.style_src

Supported on:

Add sources for the Content Security Policy style-src directive.

Datatype: string

csp.connect_src

Supported on:

Add sources for the Content Security Policy connect-src directive.

Datatype: string

csp.default_src

Supported on:

Add sources for the Content Security Policy default-src directive.

Datatype: string

csp.font_src

Supported on:

Add sources for the Content Security Policy font-src directive.

Datatype: string

csp.frame_src

Supported on:

Add sources for the Content Security Policy frame-src directive.

Datatype: string

csp.img_src

Supported on:

Add sources for the Content Security Policy img-src directive.

Datatype: string

csp.object_src

Supported on:

Add sources for the Content Security Policy object-src directive.

Datatype: string

csp.frame_ancestors

Supported on:

Add sources for the Content Security Policy frame-ancestors directive.

Datatype: string

Note

The frame-ancestors directive can also be configured by using server.securityResponseHeaders.disableEmbedding. In that case, that takes precedence and any values in csp.frame_ancestors are ignored.

csp.report_only.form_action

Supported on:

Add sources for the Content Security Policy form-action directive in reporting mode.

Datatype: string

csp.report_only.object_src

Supported on:

Add sources for the Content Security Policy object-src directive in reporting mode.

Datatype: string

Deprecation details

This setting is deprecated in favor of csp.object_src.

csp.report_uri

Supported on:

Add sources for the Content Security Policy report-uri directive.

Datatype: string

csp.report_to

Supported on:

Add sources for the Content Security Policy report-to directive.

Datatype: string

csp.strict

Supported on:

Blocks Kibana access to any browser that does not enforce even rudimentary CSP rules. In practice, this disables support for older, less safe browsers like Internet Explorer.

Datatype: bool

Default: true

csp.warnLegacyBrowsers

Supported on:

Shows a warning message after loading Kibana to any browser that does not enforce even rudimentary CSP rules, though Kibana is still accessible. This configuration is effectively ignored when csp.strict is enabled.

Datatype: bool

Default: true

Elasticsearch connection settings

elasticsearch.customHeaders

Supported on:

Header names and values to send to Elasticsearch. Any custom headers cannot be overwritten by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.

Datatype: string

Default: {}

elasticsearch.hosts

Supported on:

The URLs of the Elasticsearch instances to use for all your queries. All nodes listed here must be on the same cluster.

To enable SSL/TLS for outbound connections to Elasticsearch, use the https protocol in this setting.

Datatype: string

Default: [ "http://localhost:9200" ]

elasticsearch.publicBaseUrl

Supported on:

The URL through which Elasticsearch is publicly accessible, if any. This will be shown to users in Kibana when they need connection details for your Elasticsearch cluster.

Datatype: string

elasticsearch.pingTimeout

Supported on:

Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of the elasticsearch.requestTimeout setting.

Datatype: int

elasticsearch.requestHeadersWhitelist

Supported on:

List of Kibana client-side headers to send to Elasticsearch. To send no client-side headers, set this value to [] (an empty list). Removing the authorization header from being whitelisted means that you cannot use basic authentication in Kibana.

Datatype: string

Default: [ 'authorization', 'es-client-authentication' ]

elasticsearch.requestTimeout

Supported on:

Time in milliseconds to wait for responses from the back end or Elasticsearch. This value must be a positive integer.

Datatype: int

Default: 30000

elasticsearch.shardTimeout

Supported on:

Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.

Datatype: int

Default: 30000

elasticsearch.compression

Supported on:

Specifies whether Kibana should use compression for communications with Elasticsearch. It is available in Elastic Cloud 8.3.0 and later versions.

Datatype: bool

Default: false

elasticsearch.sniffInterval

Supported on:

Time in milliseconds between requests to check Elasticsearch for an updated list of nodes.

Datatype: string

Default: false

elasticsearch.sniffOnStart

Supported on:

Attempt to find other Elasticsearch nodes on startup.

Datatype: bool

Default: false

elasticsearch.sniffOnConnectionFault

Supported on:

Update the list of Elasticsearch nodes immediately following a connection fault.

Datatype: bool

Default: false

elasticsearch.maxSockets

Supported on:

The maximum number of sockets that can be used for communications with Elasticsearch. It is available in Elastic Cloud 8.2.0 and later versions.

Datatype: int

Default: Infinity

elasticsearch.maxResponseSize

Supported on:

Either false or a byteSize value. When set, responses from Elasticsearch with a size higher than the defined limit will be rejected. This is intended to be used as a circuit-breaker mechanism to avoid memory errors in case of unexpectedly high responses coming from Elasticsearch.

Datatype: string

Default: false

elasticsearch.maxIdleSockets

Supported on:

The maximum number of idle sockets to keep open between Kibana and Elasticsearch. If more sockets become idle, they will be closed.

Datatype: int

Default: 256

elasticsearch.idleSocketTimeout

Supported on:

The timeout for idle sockets kept open between Kibana and Elasticsearch. If the socket is idle for longer than this timeout, it will be closed. If you have a transparent proxy between Kibana and Elasticsearch be sure to set this value lower than or equal to the proxy's timeout.

Datatype: string

Default: 60s

elasticsearch.username

Supported on:

If your Elasticsearch is protected with basic authentication, this setting provides the username that the Kibana server uses to perform maintenance on the Kibana index at startup. Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.

Datatype: string

elasticsearch.password

Supported on:

If your Elasticsearch is protected with basic authentication, this setting provides the password that the Kibana server uses to perform maintenance on the Kibana index at startup. Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.

Datatype: string

elasticsearch.serviceAccountToken

Supported on:

If your Elasticsearch is protected with basic authentication, this token provides the credentials that the Kibana server uses to perform maintenance on the Kibana index at startup. This setting is an alternative to elasticsearch.username and elasticsearch.password.

Datatype: string

Elasticsearch SSL settings

elasticsearch.ssl.alwaysPresentCertificate

Supported on:

Controls Kibana behavior in regard to presenting a client certificate when requested by Elasticsearch. This setting applies to all outbound SSL/TLS connections to Elasticsearch, including requests that are proxied for end users.

Datatype: bool

Default: false

Warning

When Elasticsearch uses certificates to authenticate end users with a PKI realm and elasticsearch.ssl.alwaysPresentCertificate is true, proxied requests may be executed as the identity that is tied to the Kibana server.

elasticsearch.ssl.certificate

Supported on:

Path to a PEM-encoded X.509 client certificate. This is used by Kibana to authenticate itself when making outbound SSL/TLS connections to Elasticsearch. For this setting to take effect, the xpack.security.http.ssl.client_authentication setting in Elasticsearch must be also be set to "required" or "optional" to request a client certificate from Kibana.

Datatype: string

Note

This setting cannot be used in conjunction with elasticsearch.ssl.keystore.path.

elasticsearch.ssl.key

Supported on:

Path to the corresponding private key for the PEM-encoded X.509 client certificate specified via elasticsearch.ssl.certificate. These are used by Kibana to authenticate itself when making outbound SSL/TLS connections to Elasticsearch. For this setting to take effect, the xpack.security.http.ssl.client_authentication setting in Elasticsearch must be also be set to "required" or "optional" to request a client certificate from Kibana.

Datatype: string

Note

This setting cannot be used in conjunction with elasticsearch.ssl.keystore.path.

elasticsearch.ssl.certificateAuthorities

Supported on:

Paths to one or more PEM-encoded X.509 certificate authority (CA) certificates, which make up a trusted certificate chain for Elasticsearch. This chain is used by Kibana to establish trust when making outbound SSL/TLS connections to Elasticsearch.

In addition to this setting, trusted certificates may be specified via elasticsearch.ssl.keystore.path and/or elasticsearch.ssl.truststore.path.

Datatype: string

elasticsearch.ssl.keyPassphrase

Supported on:

The password that decrypts the private key that is specified via elasticsearch.ssl.key. This value is optional, as the key may not be encrypted.

Datatype: string

elasticsearch.ssl.keystore.path

Supported on:

Path to a PKCS#12 keystore that contains an X.509 client certificate and it's corresponding private key. These are used by Kibana to authenticate itself when making outbound SSL/TLS connections to Elasticsearch. For this setting, you must also set the xpack.security.http.ssl.client_authentication setting in Elasticsearch to "required" or "optional" to request a client certificate from Kibana.

If the keystore contains any additional certificates, they are used as a trusted certificate chain for Elasticsearch. This chain is used by Kibana to establish trust when making outbound SSL/TLS connections to Elasticsearch. In addition to this setting, trusted certificates may be specified via elasticsearch.ssl.certificateAuthorities and/or elasticsearch.ssl.truststore.path.

Datatype: string

Note

This setting cannot be used in conjunction with elasticsearch.ssl.certificate or elasticsearch.ssl.key.

elasticsearch.ssl.keystore.password

Supported on:

The password that decrypts the keystore specified via elasticsearch.ssl.keystore.path. If the keystore has no password, leave this as blank. If the keystore has an empty password, set this to "".

Datatype: string

elasticsearch.ssl.truststore.path

Supported on:

Path to a PKCS#12 trust store that contains one or more X.509 certificate authority (CA) certificates, which make up a trusted certificate chain for Elasticsearch. This chain is used by Kibana to establish trust when making outbound SSL/TLS connections to Elasticsearch.

In addition to this setting, trusted certificates may be specified via elasticsearch.ssl.certificateAuthorities and/or elasticsearch.ssl.keystore.path.

Datatype: string

elasticsearch.ssl.truststore.password

Supported on:

The password that decrypts the trust store specified via elasticsearch.ssl.truststore.path. If the trust store has no password, leave this as blank. If the trust store has an empty password, set this to "".

Datatype: string

elasticsearch.ssl.verificationMode

Supported on:

Controls the verification of the server certificate that Kibana receives when making an outbound SSL/TLS connection to Elasticsearch. Valid values are "full", "certificate", and "none". Using "full" performs hostname verification, using "certificate" skips hostname verification, and using "none" skips verification entirely.

Datatype: enum

Default: full

Options:

  • full
  • certificate
  • none

Logging settings

logging.root

Supported on:

The root logger is a dedicated logger and is pre-configured. The root logger logs at info level by default. If any other logging configuration is specified, root must also be explicitly configured.

Datatype: string

logging.root.appenders

Supported on:

A list of logging appenders to forward the root level logger instance to. By default root is configured with the default appender that logs to stdout with a pattern layout. This is the configuration that all custom loggers will use unless they're re-configured explicitly. You can override the default behavior by configuring a different appender to apply to root.

Datatype: string

logging.root.level

Supported on:

Level at which a log record should be logged. Supported levels are: all, fatal, error, warn, info, debug, trace, off. Levels are ordered from all (highest) to off and a log record will be logged it its level is higher than or equal to the level of its logger, otherwise the log record is ignored. Use this value to change the overall log level.

Datatype: enum

Default: info

Options:

  • all
  • fatal
  • error
  • warn
  • info
  • debug
  • trace
  • off
Tip

Set to all to log all events, including system usage information and all requests. Set to off to silence all logs. You can also use the logging cli commands to set log level to verbose or silence all logs.

The following example shows a valid verbose logging.root configuration:

logging:
  appenders:
    console_appender:
      type: console
      layout:
        type: pattern
        highlight: true
  root:
    appenders: [console_appender]
    level: all
logging.loggers[]

Supported on:

Allows you to customize a specific logger instance.

Datatype: string

logging.appenders[]

Supported on:

Appenders define how and where log messages are displayed (eg. stdout or console) and stored (eg. file on the disk).

Datatype: string

Map settings

map.includeElasticMapsService

Supported on:

Set to false to disable connections to Elastic Maps Service. When includeElasticMapsService is turned off, only tile layer configured by map.tilemap.url is available in Maps.

Datatype: bool

Default: true

map.emsUrl

Supported on:

Specifies the URL of a self hosted hosted Elastic Maps Service

Datatype: string

map.tilemap.options.attribution

Supported on:

The map attribution string. Provide attributions in markdown and use \| to delimit attributions, for example: "[attribution 1](https://www.attribution1)\|[attribution 2](https://www.attribution2)".

Datatype: string

Default: "© [Elastic Maps Service](https://www.elastic.co/elastic-maps-service)"

map.tilemap.options.maxZoom

Supported on:

The maximum zoom level.

Datatype: int

Default: 10

map.tilemap.options.minZoom

Supported on:

The minimum zoom level.

Datatype: int

Default: 1

map.tilemap.options.subdomains

Supported on:

An array of subdomains used by the tile service. Specify the position of the subdomain the URL with the token {{s}}.

Datatype: string

map.tilemap.url

Supported on:

The URL to the service that Kibana uses as the default basemap in maps and vega maps. By default, Kibana sets a basemap from the Elastic Maps Service, but users can point to their own Tile Map Service. For example: "https://tiles.elastic.co/v2/default/{{z}}/{{x}}/{{y}}.png?elastic_tile_service_tos=agree&my_app_name=kibana"

Datatype: string

Migrations settings

migrations.batchSize

Supported on:

Defines the number of documents migrated at a time. The higher the value, the faster the Saved Objects migration process performs at the cost of higher memory consumption. If upgrade migrations results in Kibana crashing with an out of memory exception or fails due to an Elasticsearch circuit_breaking_exception, use a smaller batchSize value to reduce the memory pressure.

Datatype: int

Default: 1000

migrations.discardUnknownObjects

Supported on:

Discard saved objects with unknown types during a migration. Must be set to the target version, for example: 8.4.0. Default: undefined. It is available in Elastic Cloud 8.4.0 and later versions.

Datatype: string

migrations.discardCorruptObjects

Supported on:

Discard corrupt saved objects, as well as those that cause transform errors during a migration. Must be set to the target version, for example: 8.4.0. Default: undefined. It is available in Elastic Cloud 8.4.0 and later versions.

Datatype: string

migrations.maxBatchSizeBytes

Supported on:

Defines the maximum payload size for indexing batches of upgraded saved objects to avoid migrations failing due to a 413 Request Entity Too Large response from Elasticsearch. This value should be lower than or equal to your Elasticsearch cluster's http.max_content_length configuration option.

Datatype: string

Default: 100mb

migrations.retryAttempts

Supported on:

The number of times migrations retry temporary failures, such as a network timeout, 503 status code, or snapshot_in_progress_exception. When upgrade migrations frequently fail after exhausting all retry attempts with a message such as Unable to complete the [...] step after 15 attempts, terminating., increase the setting value.

Datatype: int

Default: 15

migrations.useCumulativeLogger

Supported on:

Skip logging migration progress unless there are any errors. Set to false when troubleshooting migration issues and not automatically shown.

Datatype: bool

Default: true

Saved Objects settings

savedObjects.maxImportExportSize

Supported on:

The maximum count of saved objects that can be imported or exported. This setting exists to prevent the Kibana server from running out of memory when handling large numbers of saved objects. It is recommended to only raise this setting if you are confident your server can hold this many objects in memory.

Datatype: int

Default: 10000

savedObjects.maxImportPayloadBytes

Supported on:

The maximum byte size of a saved objects import that the Kibana server will accept. This setting exists to prevent the Kibana server from running out of memory when handling a large import payload. Note that this setting overrides the more general server.maxPayload for saved object imports only.

Datatype: int

Default: 26214400

Search and autocomplete settings

data.autocomplete.valueSuggestions.terminateAfter

Supported on:

Specifies the max number of documents loaded by each shard to generate autocomplete suggestions. Allowed values are between 1 and 10000000.

Datatype: int

Default: 100000

data.autocomplete.valueSuggestions.timeout

Supported on:

Specifies the time in milliseconds to wait for autocomplete suggestions from Elasticsearch. Allowed values are between 1 and 1200000.

Datatype: int

Default: 1000

unifiedSearch.autocomplete.valueSuggestions.timeout

Supported on:

Time in milliseconds to wait for autocomplete suggestions from Elasticsearch. This value must be a whole number greater than zero.

Datatype: int

Default: 1000

unifiedSearch.autocomplete.valueSuggestions.terminateAfter

Supported on:

Maximum number of documents loaded by each shard to generate autocomplete suggestions. This value must be a whole number greater than zero.

Datatype: int

Default: 100000

Note

To reload the logging settings, send a SIGHUP signal to Kibana. For more logging configuration options, see the Configure Logging in Kibana guide.

Server settings

server.basePath

Supported on:

Enables you to specify a path to mount Kibana at if you are running behind a proxy. Use the server.rewriteBasePath setting to tell Kibana if it should remove the basePath from requests it receives, and to prevent a deprecation warning at startup. This setting cannot end in a slash (/).

Datatype: string

server.publicBaseUrl

Supported on:

The publicly available URL that end-users access Kibana at. Must include the protocol, hostname, port (if different than the defaults for http and https, 80 and 443 respectively), and the server.basePath (when that setting is configured explicitly). This setting cannot end in a slash (/).

Datatype: string

server.host

Supported on:

This setting specifies the host of the back end server. To allow remote users to connect, set the value to the IP address or DNS name of the Kibana server. Use 0.0.0.0 to make Kibana listen on all IPs (public and private).

Datatype: string

Default: "localhost"

server.keepaliveTimeout

Supported on:

The number of milliseconds to wait for additional data before restarting the server.socketTimeout counter.

Datatype: int

Default: 120000

server.maxPayload

Supported on:

The maximum payload size in bytes for incoming server requests.

Datatype: int

Default: 1048576

server.name

Supported on:

A human-readable display name that identifies this Kibana instance.

Datatype: string

Default: "your-hostname"

server.port

Supported on:

Kibana is served by a back end server. This setting specifies the port to use.

Datatype: int

Default: 5601

server.protocol

Supported on:

The HTTP protocol to use, either http1 or http2. Set to http1 to opt out of HTTP/2 support when TLS is enabled. Use of http1 may impact browser loading performance especially for dashboards with many panels. Default is http2 if TLS is enabled, otherwise http1.

Datatype: enum

Options:

  • http1
  • http2
Note

By default, enabling http2 requires a valid h2c configuration, meaning that TLS must be enabled via server.ssl.enabled and server.ssl.supportedProtocols, if specified, must contain at least TLSv1.2 or TLSv1.3. Strict validation of the h2c setup can be disabled by adding server.http2.allowUnsecure: true to the configuration.

server.shutdownTimeout

Supported on:

Sets the grace period for Kibana to attempt to resolve any ongoing HTTP requests after receiving a SIGTERM/SIGINT signal, and before shutting down. Any new HTTP requests received during this period are rejected, because the incoming socket is closed without further processing.

Datatype: string

Default: 30s

server.socketTimeout

Supported on:

The number of milliseconds to wait before closing an inactive socket.

Datatype: int

Default: 120000

server.payloadTimeout

Supported on:

Sets the maximum time allowed for the client to transmit the request payload (body) before giving up and responding with a Request Timeout (408) error response.

Datatype: int

Default: 20000

server.customResponseHeaders

Supported on:

Header names and values to send on all responses to the client from the Kibana server.

Datatype: string

Default: {}

server.requestId.allowFromAnyIp

Supported on:

Sets whether or not the X-Opaque-Id header should be trusted from any IP address for identifying requests in logs and forwarded to Elasticsearch.

Datatype: bool

server.requestId.ipAllowlist

Supported on:

A list of IPv4 and IPv6 address which the X-Opaque-Id header should be trusted from. Normally this would be set to the IP addresses of the load balancers or reverse-proxy that end users use to access Kibana. If any are set, server.requestId.allowFromAnyIp must also be set to false.

Datatype: string

server.rewriteBasePath

Supported on:

Specifies whether Kibana should rewrite requests that are prefixed with server.basePath or require that they are rewritten by your reverse proxy.

Datatype: bool

Default: false

server.uuid

Supported on:

The unique identifier for this Kibana instance. It must be a valid UUIDv4. It gets automatically generated on the first startup if not specified and persisted in the data path.

Datatype: string

Server compression settings

server.compression.enabled

Supported on:

Set to false to disable HTTP compression for all responses.

Datatype: bool

Default: true

server.compression.referrerWhitelist

Supported on:

Specifies an array of trusted hostnames, such as the Kibana host, or a reverse proxy sitting in front of it. This determines whether HTTP compression may be used for responses, based on the request Referer header. This setting may not be used when server.compression.enabled is set to false.

Datatype: string

server.compression.brotli.enabled

Supported on:

Set to true to enable brotli (br) compression format. Browsers not supporting brotli compression will fallback to using gzip instead. This setting may not be used when server.compression.enabled is set to false. It is available in Elastic Cloud 8.6.0 and later versions.

Datatype: bool

Default: false

Server CORS settings

server.cors.enabled

Supported on:

Set to true to allow cross-origin API calls.

Datatype: bool

Default: false

server.cors.allowCredentials

Supported on:

Set to true to allow browser code to access response body whenever request performed with user credentials.

Datatype: bool

Default: false

server.cors.allowOrigin

Supported on:

List of origins permitted to access resources. You must specify explicit hostnames and not use server.cors.allowOrigin: ["*"] when server.cors.allowCredentials: true.

Datatype: string

Default: ["*"]

Server rate limiter settings

server.rateLimiter.enabled

Supported on:

Enables rate-limiting of requests to the Kibana server based on Node.js' Event Loop Utilization. If the average event loop utilization for the specified term exceeds the configured threshold, the server will respond with a 429 Too Many Requests status code.

This functionality should be used carefully as it may impact the server's availability. The configuration options vary per environment, so it is recommended to enable this option in a testing environment first, adjust the rate-limiter configuration, and then roll it out to production.

Datatype: bool

Default: false

server.rateLimiter.elu

Supported on:

The Event Loop Utilization (ELU) threshold for rate-limiting requests to the Kibana server. The ELU is a value between 0 and 1, representing the average event loop utilization over the specified term. If the average ELU exceeds this threshold, the server will respond with a 429 Too Many Requests status code.

In a multi-instance environment with autoscaling, this value is usually between 0.6 and 0.8 to give the autoscaler enough time to react. This value can be higher in a single-instance environment but should not exceed 1.0. In general, the lower the value, the more aggressive the rate limiting. And the highest possible option should be used to prevent the Kibana server from being terminated.

Datatype: float

server.rateLimiter.term

Supported on:

This value is one of short, medium, or long, representing the term over which the average event loop utilization is calculated. It uses exponential moving averages (EMA) to smooth out the utilization values. Each term corresponds to 15s, 30s, and 60s, respectively.

The term value also changes the way the rate limiter sees the trend in the load:

  • short: elu.short > server.rateLimiter.term;
  • medium: elu.short > server.rateLimiter.elu AND elu.medium > server.rateLimiter.elu;
  • long: elu.short > server.rateLimiter.elu AND elu.medium > server.rateLimiter.elu AND elu.long > server.rateLimiter.elu.

This behavior prevents requests from being throttled if the load starts decreasing. In general, the shorter the term, the more aggressive the rate limiting. In the multi-instance environment, the medium term makes the most sense as it gives the Kibana server enough time to spin up a new instance and prevents the existing instances from being terminated.

Datatype: enum

Options:

  • short
  • medium
  • long

Server security response headers

server.securityResponseHeaders.strictTransportSecurity

Supported on:

Controls whether the Strict-Transport-Security header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or null. To disable, set to null.

Datatype: string

Default: null

server.securityResponseHeaders.xContentTypeOptions

Supported on:

Controls whether the X-Content-Type-Options header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are nosniff or null. To disable, set to null.

Datatype: string

Default: "nosniff"

server.securityResponseHeaders.referrerPolicy

Supported on:

Controls whether the Referrer-Policy header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url, or null. To disable, set to null.

Datatype: string

Default: "strict-origin-when-cross-origin"

server.securityResponseHeaders.permissionsPolicy

Supported on:

Controls whether the Permissions-Policy header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or null. Refer to the Permissions-Policy documentation for defined directives, values, and text format. To disable, set to null.

Datatype: string

Default: camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()

server.securityResponseHeaders.permissionsPolicyReportOnly

Supported on:

Controls whether the Permissions-Policy-Report-Only header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or null. Refer to the Permissions-Policy documentation for defined directives, values, and text format.

Datatype: string

server.securityResponseHeaders.disableEmbedding

Supported on:

Controls whether the Content-Security-Policy and X-Frame-Options headers are configured to disable embedding Kibana in other webpages using iframes. When set to true, secure headers are used to disable embedding, which adds the frame-ancestors: 'self' directive to the Content-Security-Policy response header and adds the X-Frame-Options: SAMEORIGIN response header.

Datatype: bool

Default: false

server.securityResponseHeaders.crossOriginOpenerPolicy

Supported on:

Controls whether the Cross-Origin-Opener-Policy header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are unsafe-none, same-origin-allow-popups, same-origin, or null. To disable, set to null. It is available in Elastic Cloud 8.7.0 and later versions.

Datatype: enum

Default: "same-origin"

Options:

  • unsafe-none
  • same-origin-allow-popups
  • same-origin
  • null

Server SSL settings

server.ssl.certificate

Supported on:

Path to a PEM-encoded X.509 server certificate. This is used by Kibana to establish trust when receiving inbound SSL/TLS connections from users.

Datatype: string

Note

This setting cannot be used in conjunction with server.ssl.keystore.path.

server.ssl.key

Supported on:

Path to the corresponding private key for the PEM-encoded X.509 server certificate specified via server.ssl.certificate. This is used by Kibana to establish trust when receiving inbound SSL/TLS connections from users.

Datatype: string

Note

This setting cannot be used in conjunction with server.ssl.keystore.path.

server.ssl.certificateAuthorities

Supported on:

Paths to one or more PEM-encoded X.509 certificate authority (CA) certificates which make up a trusted certificate chain for Kibana. This chain is used by Kibana to establish trust when receiving inbound SSL/TLS connections from end users. If PKI authentication is enabled, this chain is also used by Kibana to verify client certificates from end users.

In addition to this setting, trusted certificates may be specified via server.ssl.keystore.path and/or server.ssl.truststore.path.

Datatype: string

server.ssl.cipherSuites

Supported on:

Details on the format, and the valid options, are available via the OpenSSL cipher list format documentation.

Datatype: string

Default: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA

server.ssl.clientAuthentication

Supported on:

Controls the behavior in Kibana for requesting a certificate from client connections. Valid values are "required", "optional", and "none". Using "required" will refuse to establish the connection unless a client presents a certificate, using "optional" will allow a client to present a certificate if it has one, and using "none" will prevent a client from presenting a certificate.

Datatype: enum

Default: "none"

Options:

  • required
  • optional
  • none
server.ssl.enabled

Supported on:

Enables SSL/TLS for inbound connections to Kibana. When set to true, a certificate and its corresponding private key must be provided. These can be specified via server.ssl.keystore.path or the combination of server.ssl.certificate and server.ssl.key.

Datatype: bool

Default: false

server.ssl.keyPassphrase

Supported on:

The password that decrypts the private key that is specified via server.ssl.key. This value is optional, as the key may not be encrypted.

Datatype: string

server.ssl.keystore.path

Supported on:

Path to a PKCS#12 keystore that contains an X.509 server certificate and its corresponding private key. If the keystore contains any additional certificates, those will be used as a trusted certificate chain for Kibana. All of these are used by Kibana to establish trust when receiving inbound SSL/TLS connections from end users. The certificate chain is also used by Kibana to verify client certificates from end users when PKI authentication is enabled.

In addition to this setting, trusted certificates may be specified via server.ssl.certificateAuthorities and/or server.ssl.truststore.path.

Datatype: string

Note

This setting cannot be used in conjunction with server.ssl.certificate or server.ssl.key.

server.ssl.keystore.password

Supported on:

The password that will be used to decrypt the keystore specified via server.ssl.keystore.path. If the keystore has no password, leave this unset. If the keystore has an empty password, set this to "".

Datatype: string

server.ssl.truststore.path

Supported on:

Path to a PKCS#12 trust store that contains one or more X.509 certificate authority (CA) certificates which make up a trusted certificate chain for Kibana. This chain is used by Kibana to establish trust when receiving inbound SSL/TLS connections from end users. If PKI authentication is enabled, this chain is also used by Kibana to verify client certificates from end users.

In addition to this setting, trusted certificates may be specified via server.ssl.certificateAuthorities and/or server.ssl.keystore.path.

Datatype: string

server.ssl.truststore.password

Supported on:

The password that will be used to decrypt the trust store specified via server.ssl.truststore.path. If the trust store has no password, leave this unset. If the trust store has an empty password, set this to "".

Datatype: string

server.ssl.redirectHttpFromPort

Supported on:

Kibana binds to this port and redirects all http requests to https over the port configured as server.port.

Datatype: int

server.ssl.supportedProtocols

Supported on:

An array of supported protocols with versions. Valid protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. Enabling TLSv1.1 would require both setting the --tls-min-1.1 option in the node.options configuration and adding TLSv1.1 to server.ssl.supportedProtocols. HTTP/2 requires the use of minimum TLSv1.2 for secure connections.

Datatype: string

Default: TLSv1.2, TLSv1.3

Server XSRF settings

server.xsrf.allowlist

Supported on:

It is not recommended to disable protections for arbitrary API endpoints. Instead, supply the kbn-xsrf header. The server.xsrf.allowlist setting requires the following format:

*Default: [ ]* An array of API endpoints which should be exempt from Cross-Site Request Forgery ("XSRF") protections.

It is available in Elastic Cloud 8.0.0 and later versions.

Datatype: string

Default: []

server.xsrf.disableProtection

Supported on:

Setting this to true will completely disable Cross-site request forgery protection in Kibana. This is not recommended.

Datatype: bool

Default: false

Telemetry settings

telemetry.allowChangingOptInStatus

Supported on:

When false, users cannot change the opt-in status through Advanced Settings, and Kibana only looks at the value of telemetry.optIn to determine whether to send telemetry data or not.

Datatype: bool

Default: true

telemetry.optIn

Supported on:

Set to false to stop sending any telemetry data to Elastic. Reporting your cluster statistics helps us improve your user experience. When false, the telemetry data is never sent to Elastic.

This setting can be changed at any time in Advanced Settings. To prevent users from changing it, set telemetry.allowChangingOptInStatus to false.

Datatype: bool

Default: true

UI and visualization settings

uiSettings.globalOverrides.hideAnnouncements

Supported on:

Set to true to stop showing messages and tours that highlight new features.

Datatype: bool

Default: false

uiSettings.globalOverrides.hideFeedback

Supported on:

Set to true to stop showing elements requesting user feedback.

Datatype: bool

Default: false

vis_type_table.legacyVisEnabled

Supported on:

Starting from version 7.11, a new datatable visualization is used. Set to true to enable the legacy version. In version 8.0 and later, the old implementation is removed and this setting is no longer supported.

Datatype: bool

vis_type_vega.enable

Supported on:

For 7.7 version and later, set to false to disable Vega vizualizations.

Datatype: bool

Default: true

vega.enableExternalUrls

Supported on:

Set to true to allow Vega vizualizations to use data from sources other than the linked Elasticsearch cluster. In version 8.0 and later, the vega.enableExternalUrls is not supported. Use vis_type_vega.enableExternalUrls instead.

Datatype: bool

Deprecation details

In version 8.0 and later, this setting is not supported. Use vis_type_vega.enableExternalUrls instead.

vis_type_vega.enableExternalUrls

Supported on:

Set this value to true to allow Vega to use any URL to access external data sources and images. When false, Vega can only get data from Elasticsearch.

Datatype: bool

Default: false

Feature and plugin settings

xpack.ccr.ui.enabled

Supported on:

Set this value to false to disable the Cross-Cluster Replication UI.

Datatype: bool

Default: true

xpack.discoverEnhanced.actions.exploreDataInContextMenu.enabled

Supported on:

Enables the Explore underlying data option that allows you to open Discover from a dashboard panel and view the panel data.

When you create visualizations using the Lens drag-and-drop editor, you can use the toolbar to open and explore your data in Discover. For more information, check out Explore the data in Discover.

Datatype: bool

Default: false

xpack.discoverEnhanced.actions.exploreDataInChart.enabled

Supported on:

Enables you to view the underlying documents in a data series from a dashboard panel.

Datatype: bool

Default: false

xpack.ilm.ui.enabled

Supported on:

Set this value to false to disable the Index Lifecycle Policies UI.

Datatype: bool

Default: true

xpack.index_management.ui.enabled

Supported on:

Set this value to false to disable the Index Management UI.

Datatype: bool

Default: true

xpack.license_management.ui.enabled

Supported on:

Set this value to false to disable the License Management UI.

Datatype: bool

Default: true

xpack.remote_clusters.ui.enabled

Supported on:

Set this value to false to disable the Remote Clusters UI.

Datatype: bool

Default: true

xpack.rollup.ui.enabled

Supported on:

Set this value to false to disable the Rollup Jobs UI.

Datatype: bool

Default: true

Deprecation details

Rollups are deprecated and will be removed in a future version. Use downsampling instead.

xpack.securitySolution.maxUploadResponseActionFileBytes

Supported on:

Allow to configure the max file upload size for use with the Upload File Response action available with the Defend Integration. To learn more, check Endpoint Response actions. It is available in Elastic Cloud 8.9.0 and later versions.

Datatype: string

xpack.securitySolution.disableEndpointRuleAutoInstall

Supported on:

Set to true to disable the automatic installation of Elastic Defend SIEM rules when a new Endpoint integration policy is created. Introduced with v9.2.4.

Datatype: bool

Default: false

xpack.snapshot_restore.ui.enabled

Supported on:

Set this value to false to disable the Snapshot and Restore UI.

Datatype: bool

Default: true

xpack.upgrade_assistant.ui.enabled

Supported on:

Set this value to false to disable the Upgrade Assistant UI.

Datatype: bool

Default: true

You do not need to configure any additional settings to use the logging features in Kibana. Logging is enabled by default and will log at info level using the pattern layout, which outputs logs to stdout.

However, if you are planning to ingest your logs using Elasticsearch or another tool, we recommend using the json layout, which produces logs in ECS format. In general, pattern layout is recommended when raw logs will be read by a human, and json layout when logs will be read by a machine.

Note

The logging configuration is validated against the predefined schema and if there are any issues with it, Kibana will fail to start with the detailed error message.

Kibana relies on three high-level entities to set the logging service: appenders, loggers, and root. These can be configured in the logging namespace in kibana.yml.

  • Appenders define where log messages are displayed (stdout or console) and their layout (pattern or json). They also allow you to specify if you want the logs stored and, if so, where (file on the disk).
  • Loggers define what logging settings, such as the level of verbosity and the appenders, to apply to a particular context. Each log entry context provides information about the service or plugin that emits it and any of its sub-parts, for example, metrics.ops or elasticsearch.query.
  • Root is a logger that applies to all the log entries in Kibana.

For details on audit logging settings, refer to the Kibana security settings.

Logging settings

The following table serves as a quick reference for different logging configuration keys. Note that these are not stand-alone settings and may require additional logging configuration. See the Configure Logging in Kibana guide and complete examples for common configuration use cases.

logging.appenders[].<appender-name>

Supported on:

Unique appender identifier.

Datatype: string

logging.appenders[].console

Supported on:

Appender to use for logging records to stdout. By default, uses the [%date][%level][%logger] %message %error pattern layout. To use a json, set the layout type to json.

Applies to (stack: ga 9.1) %error is present since Stack version 9.1.

Datatype: string

logging.appenders[].file

Supported on:

Allows you to specify a fileName to write log records to disk. To write all log records to file, add the file appender to root.appenders. If configured, you also need to specify logging.appenders.file.pathName.

Datatype: string

logging.appenders[].rolling-file

Supported on:

Similar to Log4j's RollingFileAppender, this appender will log to a file and rotate if following a rolling strategy when the configured policy triggers. There are currently two policies supported: size-limit and time-interval.

Datatype: string

logging.appenders[].<appender-name>.type

Supported on:

The appender type determines where the log messages are sent. Required.

Datatype: enum

Options:

  • console
  • file
  • rewrite
  • rolling-file
logging.appenders[].<appender-name>.fileName

Supported on:

Determines the filepath where the log messages are written to for file and rolling-file appender types. Required for appenders that write to file.

Datatype: string

logging.appenders[].<appender-name>.policy.type

Supported on:

Specify the triggering policy for when a rollover should occur for the rolling-file type appender.

Datatype: string

logging.appenders[].<appender-name>.policy.interval

Supported on:

Specify the time interval for rotating a log file for a time-interval type rolling-file appender.

Datatype: string

Default: 24h

logging.appenders[].<appender-name>.policy.size

Supported on:

Specify the size limit at which the policy should trigger a rollover for a size-limit type rolling-file appender.

Datatype: string

Default: 100mb

logging.appenders[].<appender-name>.policy.modulate

Supported on:

Whether the interval should be adjusted to cause the next rollover to occur on the interval boundary.

Datatype: bool

Default: true

logging.appenders[].<appender-name>.strategy.type

Supported on:

Rolling file strategy type. Only numeric is currently supported.

Datatype: string

logging.appenders[].<appender-name>.strategy.pattern

Supported on:

The suffix to append to the file path when rolling. Must include %i.

Datatype: string

logging.appenders[].<appender-name>.strategy.max

Supported on:

The maximum number of files to keep. The maximum is 100.

Datatype: int

Default: 7

logging.appenders[].<appender-name>.layout.type

Supported on:

Determines how the log messages are displayed. Required.

Datatype: enum

Options:

  • pattern - Provides human-readable output.
  • json - Provides ECS-compliant output.
logging.appenders[].<appender-name>.layout.highlight

Supported on:

Optional boolean to highlight log messages in color. Applies to pattern layout only.

Datatype: bool

Default: false

logging.appenders[].<appender-name>.layout.pattern

Supported on:

Optional string pattern for placeholders that will be replaced with data from the actual log message. Applicable to pattern type layout only.

Datatype: string

logging.root.appenders[]

Supported on:

List of specific appenders to apply to root. Defaults to console with pattern layout.

Datatype: string

logging.root.level

Supported on:

Specify default verbosity for all log messages to fall back to if not specifically configured at the individual logger level. The all and off levels can be used only in configuration and are just handy shortcuts that allow you to log every log record or disable logging entirely or for a specific logger.

Datatype: enum

Default: info

Options:

  • all
  • fatal
  • error
  • warn
  • info
  • debug
  • trace
  • off
logging.loggers[].<logger>.name

Supported on:

Specific logger instance.

Datatype: string

logging.loggers[].<logger>.level

Supported on:

Specify verbosity of log messages for a logger context. Optional and inherits the verbosity of any ancestor logger, up to the root logger level.

Datatype: enum

Options:

  • all
  • fatal
  • error
  • warn
  • info
  • debug
  • trace
  • off
logging.loggers[].<logger>.appenders

Supported on:

Determines the appender to apply to a specific logger context as an array. Optional and falls back to the appender(s) of the root logger if not specified.

Datatype: string

deprecation.enable_http_debug_logs

Supported on:

Optional boolean to log debug messages when a deprecated API is called.

Datatype: bool

Default: false

By default, Stack Monitoring is enabled, but data collection is disabled. When you first start Kibana monitoring, you are prompted to enable data collection. If you are using Elastic Stack security features, you must be signed in as a user with the cluster:manage privilege to enable data collection. The built-in superuser role has this privilege and the built-in elastic user has this role.

You can adjust how monitoring data is collected from Kibana and displayed in Kibana by configuring settings in the kibana.yml file. There are also monitoring.ui.elasticsearch.* settings, which support the same values as Kibana configuration settings.

To control how data is collected from your Elasticsearch nodes, you configure xpack.monitoring.collection settings in elasticsearch.yml. To control how monitoring data is collected from Logstash, configure monitoring settings in logstash.yml.

For more information, check out Monitor a cluster.

General monitoring settings

monitoring.cluster_alerts.email_notifications.enabled

Supported on:

When enabled, sends email notifications for Watcher alerts to the specified email address.

Datatype: bool

Default: true

Deprecation details

Deprecated in 7.11.

monitoring.cluster_alerts.email_notifications.email_address

Supported on:

When enabled, specifies the email address where you want to receive cluster alert notifications.

Datatype: string

Deprecation details

Deprecated in 7.11.

monitoring.ui.ccs.enabled

Supported on:

Set to true (default) to enable cross-cluster search of your monitoring data. The remote_cluster_client role must exist on each node.

Datatype: bool

Default: true

monitoring.ui.elasticsearch.hosts

Supported on:

Specifies the location of the Elasticsearch cluster where your monitoring data is stored.

By default, this is the same as elasticsearch.hosts. This setting enables you to use a single Kibana instance to search and visualize data in your production cluster as well as monitor data sent to a dedicated monitoring cluster.

Datatype: string

monitoring.ui.elasticsearch.username

Supported on:

Specifies the username used by Kibana monitoring to establish a persistent connection in Kibana to the Elasticsearch monitoring cluster and to verify licensing status on the Elasticsearch monitoring cluster when using monitoring.ui.elasticsearch.hosts.

All other requests performed by Stack Monitoring to the monitoring Elasticsearch cluster uses the authenticated user's credentials, which must be the same on both the Elasticsearch monitoring cluster and the Elasticsearch production cluster.

If not set, Kibana uses the value of the elasticsearch.username setting.

Datatype: string

monitoring.ui.elasticsearch.password

Supported on:

Specifies the password used by Kibana monitoring to establish a persistent connection in Kibana to the Elasticsearch monitoring cluster and to verify licensing status on the Elasticsearch monitoring cluster when using monitoring.ui.elasticsearch.hosts.

All other requests performed by Stack Monitoring to the monitoring Elasticsearch cluster use the authenticated user's credentials, which must be the same on both the Elasticsearch monitoring cluster and the Elasticsearch production cluster.

If not set, Kibana uses the value of the elasticsearch.password setting.

Datatype: string

monitoring.ui.elasticsearch.serviceAccountToken

Supported on:

Specifies a service account token for the Elasticsearch cluster where your monitoring data is stored when using monitoring.ui.elasticsearch.hosts. This setting is an alternative to using monitoring.ui.elasticsearch.username and monitoring.ui.elasticsearch.password.

Datatype: string

monitoring.ui.elasticsearch.pingTimeout

Supported on:

Specifies the time in milliseconds to wait for Elasticsearch to respond to internal health checks. By default, it matches the elasticsearch.pingTimeout setting, which has a default value of 30000.

Datatype: int

Default: 30000

monitoring.ui.elasticsearch.ssl

Supported on:

Shares the same configuration as elasticsearch.ssl. These settings configure encrypted communication between Kibana and the monitoring cluster.

Datatype: string

Monitoring collection settings

These settings control how data is collected from Kibana.

monitoring.kibana.collection.enabled

Supported on:

Set to true (default) to enable data collection from the Kibana NodeJS server for Kibana dashboards to be featured in Stack Monitoring.

Datatype: bool

Default: true

monitoring.kibana.collection.interval

Supported on:

Specifies the number of milliseconds to wait in between data sampling on the Kibana NodeJS server for the metrics that are displayed in the Kibana dashboards. Defaults to 10000 (10 seconds).

Datatype: int

Default: 10000

Monitoring UI settings

These settings adjust how Stack Monitoring displays monitoring data. However, the defaults work best in most circumstances. For more information about configuring Kibana, see Setting Kibana server properties.

monitoring.ui.elasticsearch.logFetchCount

Supported on:

Specifies the number of log entries to display in Stack Monitoring. Defaults to 10. The maximum value is 50.

Datatype: int

Default: 10

monitoring.ui.enabled

Supported on:

Set to false to hide Stack Monitoring. The monitoring back-end continues to run as an agent for sending Kibana stats to the monitoring cluster. Defaults to true.

Datatype: bool

Default: true

monitoring.ui.logs.index

Supported on:

Specifies the name of the indices that are shown on the Logs page in Stack Monitoring. The default value is filebeat-*.

Datatype: string

Default: filebeat-*

monitoring.ui.metricbeat.index

Supported on:

Used as a workaround to avoid querying metricbeat-* indices which are now no longer queried.

Datatype: string

Default: metricbeat-*

Deprecation details

This setting was deprecated in 8.15.0.

monitoring.ui.max_bucket_size

Supported on:

Specifies the number of term buckets to return out of the overall terms list when performing terms aggregations to retrieve index and node metrics. For more information about the size parameter, see Terms Aggregation. Defaults to 10000.

Datatype: int

Default: 10000

monitoring.ui.min_interval_seconds

Supported on:

Specifies the minimum number of seconds that a time bucket in a chart can represent. Defaults to 10. If you modify the monitoring.ui.collection.interval in elasticsearch.yml, use the same value in this setting.

Datatype: int

Default: 10

monitoring.ui.kibana.reporting.stale_status_threshold_seconds

Supported on:

Specifies how many seconds can pass before the Kibana status reports are considered stale. Defaults to 120.

Datatype: int

Default: 120

Monitoring UI container settings

Stack Monitoring exposes the Cgroup statistics that we collect for you to make better decisions about your container performance, rather than guessing based on the overall machine performance. If you are not running your applications in a container, then Cgroup statistics are not useful.

monitoring.ui.container.elasticsearch.enabled

Supported on:

For Elasticsearch clusters that are running in containers, this setting changes the Node Listing to display the CPU utilization based on the reported Cgroup statistics. It also adds the calculated Cgroup CPU utilization to the Node Overview page instead of the overall operating system's CPU utilization. Defaults to false.

Datatype: bool

Default: false

monitoring.ui.container.logstash.enabled

Supported on:

For Logstash nodes that are running in containers, this setting changes the Logstash Node Listing to display the CPU utilization based on the reported Cgroup statistics. It also adds the calculated Cgroup CPU utilization to the Logstash node detail pages instead of the overall operating system's CPU utilization. Defaults to false.

Datatype: bool

Default: false

You do not need to configure any additional settings to use the Elastic Stack security features in Kibana. They are enabled by default.

Authentication security settings

You configure authentication settings in the xpack.security.authc namespace.

For example:

xpack.security.authc:
    providers:
      basic.basic1:
          order: 0
          ...

      saml.saml1:
          order: 1
          ...

      saml.saml2:
          order: 2
          ...

      pki.realm3:
          order: 3
          ...
    ...
  1. Specifies the type of authentication provider (for example, basic, token, saml, oidc, kerberos, pki) and the provider name. This setting is mandatory.
  2. Specifies the order of the provider in the authentication chain and on the Login Selector UI. This setting is mandatory.
  3. Specifies the settings for the SAML authentication provider with a saml1 name.
  4. Specifies the settings for the SAML authentication provider with a saml2 name.

Valid settings for all authentication providers

The valid settings in the xpack.security.authc.providers namespace vary depending on the authentication provider type. For more information, refer to Authentication.

xpack.security.authc.providers.<provider-type>.<provider-name>.enabled

Supported on:

Determines if the authentication provider should be enabled. By default, Kibana enables the provider as soon as you configure any of its properties.

Datatype: bool

xpack.security.authc.providers.<provider-type>.<provider-name>.order

Supported on:

Order of the provider in the authentication chain and on the Login Selector UI.

Datatype: int

xpack.security.authc.providers.<provider-type>.<provider-name>.description

Supported on:

Custom description of the provider entry displayed on the Login Selector UI.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.hint

Supported on:

Custom hint for the provider entry displayed on the Login Selector UI.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.icon

Supported on:

Custom icon for the provider entry displayed on the Login Selector UI.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.origin

Supported on:

Specifies the origin(s) where the provider will appear to users in the Login Selector UI. Each origin must be a valid URI only containing an origin. By default, providers are not restricted to specific origins.

Datatype: string

For example:

xpack.security.authc:
  providers:
    basic.basic1:
      origin: [http://localhost:5601, http://127.0.0.1:5601]
      ...

    saml.saml1:
      origin: https://elastic.co
      ...
xpack.security.authc.providers.<provider-type>.<provider-name>.showInSelector

Supported on:

Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to false doesn't remove the provider from the authentication chain.

Datatype: bool

Note

You are unable to set this setting to false for basic and token authentication providers.

xpack.security.authc.providers.<provider-type>.<provider-name>.accessAgreement.message

Supported on:

Access agreement text in Markdown format. For more information, refer to Access agreement.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.session.idleTimeout

Supported on:

Ensures that user sessions will expire after a period of inactivity. Setting this to 0 will prevent sessions from expiring because of inactivity. By default, this setting is equal to xpack.security.session.idleTimeout.

Datatype: string

Note

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.authc.providers.<provider-type>.<provider-name>.session.lifespan

Supported on:

Ensures that user sessions will expire after the defined time period. This behavior is also known as an "absolute timeout". If this is set to 0, user sessions could stay active indefinitely. By default, this setting is equal to xpack.security.session.lifespan.

Datatype: string

Note

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

SAML authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

xpack.security.authc.providers.saml.<provider-name>.realm

Supported on:

SAML realm in Elasticsearch that provider should use.

Datatype: string

xpack.security.authc.providers.saml.<provider-name>.maxRedirectURLSize

Supported on:

Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.

Datatype: string

Supported on:

Determines if the provider should treat the RelayState parameter as a deep link in Kibana during Identity Provider initiated log in. By default, this setting is set to false. The link specified in RelayState should be a relative, URL-encoded Kibana URL. For example, the /app/dashboards#/list link in RelayState parameter would look like this: RelayState=%2Fapp%2Fdashboards%23%2Flist.

Datatype: bool

Default: false

xpack.security.authc.saml.maxRedirectURLSize

Supported on:

Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.

Datatype: string

Discontinued SAML settings

The following settings are available in Elastic Cloud for all supported versions before 8.0:

xpack.security.authProviders

Supported on:

Set to saml to instruct Kibana to use SAML SSO as the authentication method.

Datatype: string

xpack.security.public.protocol

Supported on:

Set to HTTP or HTTPS. To access Kibana, HTTPS protocol is recommended.

Datatype: enum

Options:

  • http
  • https
xpack.security.public.hostname

Supported on:

Set to a fully qualified hostname to connect your users to the proxy server.

Datatype: string

xpack.security.public.port

Supported on:

The port number that connects your users to the proxy server (for example, 80 for HTTP or 443 for HTTPS).

Datatype: int

Supported on:

Specifies if Kibana should treat the RelayState parameter as a deep link when Identity Provider Initiated login flow is used.

Datatype: bool

server.xsrf.whitelist

Supported on:

Explicitly allows the SAML authentication URL within Kibana, so that the Kibana server doesn't reject external authentication messages that originate from your Identity Provider. This setting is renamed to server.xsrf.allowlist in version 8.0.0.

Datatype: string

OpenID Connect authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

xpack.security.authc.providers.oidc.<provider-name>.realm

Supported on:

OpenID Connect realm in Elasticsearch that the provider should use.

Datatype: string

Anonymous authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

For more information, refer to Anonymous authentication.

Note

You can configure only one anonymous provider per Kibana instance.

xpack.security.authc.providers.anonymous.<provider-name>.credentials

Supported on:

Credentials that Kibana should use internally to authenticate anonymous requests to Elasticsearch.

Datatype: string

For example:

xpack.security.authc.providers.anonymous.anonymous1:
  credentials:
    username: "anonymous_service_account"
    password: "anonymous_service_account_password"

HTTP authentication settings

There is a very limited set of cases when you'd want to change these settings. For more information, refer to HTTP authentication.

xpack.security.authc.http.enabled

Supported on:

Determines if HTTP authentication should be enabled. By default, this setting is set to true.

Datatype: bool

Default: true

xpack.security.authc.http.autoSchemesEnabled

Supported on:

Determines if HTTP authentication schemes used by the enabled authentication providers should be automatically supported during HTTP authentication. By default, this setting is set to true.

Datatype: bool

Default: true

xpack.security.authc.http.schemes[]

Supported on:

List of HTTP authentication schemes that Kibana HTTP authentication should support. By default, this setting is set to ['apikey', 'bearer'] to support HTTP authentication with the ApiKey and Bearer schemes.

Datatype: string

Default: ['apikey', 'bearer']

Login user interface settings

xpack.security.loginAssistanceMessage

Supported on:

Adds a message to the login UI. Useful for displaying information about maintenance windows, links to corporate sign up pages, and so on.

Datatype: string

xpack.security.loginHelp

Supported on:

Adds a message accessible at the login UI with additional help information for the login process.

Datatype: string

xpack.security.authc.selector.enabled

Supported on:

Determines if the login selector UI should be enabled. By default, this setting is set to true if more than one authentication provider is configured.

Datatype: bool

Configure a default access agreement

xpack.security.accessAgreement.message

Supported on:

This setting specifies the access agreement text in Markdown format that will be used as the default access agreement for all providers that do not specify a value for xpack.security.authc.providers.<provider-type>.<provider-name>.accessAgreement.message. For more information, refer to Access agreement.

Datatype: string

xpack.security.cookieName

Supported on:

Sets the name of the cookie used for the session. The default value is "sid".

Datatype: string

Default: sid

xpack.security.encryptionKey

Supported on:

An arbitrary string of 32 characters or more that is used to encrypt session information. Do not expose this key to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts. In addition, high-availability deployments of Kibana will behave unexpectedly if this setting isn't the same for all instances of Kibana.

Datatype: string

xpack.security.secureCookies

Supported on:

Sets the secure flag of the session cookie. The default value is false. It is automatically set to true if server.ssl.enabled is set to true. Set this to true if SSL is configured outside of Kibana (for example, you are routing requests through a load balancer or proxy).

Datatype: bool

Default: false

xpack.security.sameSiteCookies

Supported on:

Sets the SameSite attribute of the session cookie. This allows you to declare whether your cookie should be restricted to a first-party or same-site context. Valid values are Strict, Lax, None. This is not set by default, which modern browsers will treat as Lax. If you use Kibana embedded in an iframe in modern browsers, you might need to set it to None. Setting this value to None requires cookies to be sent over a secure connection by setting xpack.security.secureCookies: true.

Datatype: enum

Options:

  • Strict
  • Lax
  • None
xpack.security.session.idleTimeout

Supported on:

Ensures that user sessions will expire after a period of inactivity. This and xpack.security.session.lifespan are both highly recommended. You can also specify this setting for every provider separately. If this is set to 0, then sessions will never expire due to inactivity. By default, this value is 3 days.

Datatype: string

Default: 3d

Note

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.lifespan

Supported on:

Ensures that user sessions will expire after the defined time period. This behavior is also known as an "absolute timeout". If this is set to 0, user sessions could stay active indefinitely. This and xpack.security.session.idleTimeout are both highly recommended. You can also specify this setting for every provider separately. By default, this value is 30 days for on-prem installations, and 24 hours for Elastic Cloud installations.

Datatype: string

Default: 30d (on-prem), 24h (Elastic Cloud)

Tip

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.cleanupInterval

Supported on:

Sets the interval at which Kibana tries to remove expired and invalid sessions from the session index. By default, this value is 1 hour. The minimum value is 10 seconds.

Datatype: string

Default: 1h

Tip

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.concurrentSessions.maxSessions

Supported on:

Set the maximum number of sessions each user is allowed to have active at any given time. By default, no limit is applied. If set, the value of this option should be an integer between 1 and 1000. When the limit is exceeded, the oldest session is automatically invalidated. It is available in Elastic Cloud 8.7.0 and later versions.

Datatype: int

Encrypted saved objects settings

These settings control the encryption of saved objects with sensitive data. For more details, refer to Secure saved objects.

xpack.encryptedSavedObjects.encryptionKey

Supported on:

An arbitrary string of at least 32 characters that is used to encrypt sensitive properties of saved objects before they're stored in Elasticsearch. If not set, Kibana will generate a random key on startup, but certain features won't be available until you set the encryption key explicitly.

Datatype: string

xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys

Supported on:

An optional list of previously used encryption keys. Like xpack.encryptedSavedObjects.encryptionKey, these must be at least 32 characters in length. Kibana doesn't use these keys for encryption, but may still require them to decrypt some existing saved objects. Use this setting if you wish to change your encryption key, but don't want to lose access to saved objects that were previously encrypted with a different key.

Datatype: string

Audit logging settings

You can enable audit logging to support compliance, accountability, and security. When enabled, Kibana will capture:

  • Who performed an action
  • What action was performed
  • When the action occurred

For more details and a reference of audit events, refer to Audit logs.

xpack.security.audit.enabled

Supported on:

Set to true to enable audit logging. Default: false

Datatype: bool

Default: false

For example:

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: ./logs/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10
  layout:
    type: json
  1. This appender is the default and will be used if no appender.* config options are specified.
  2. Rotates log files every 24 hours.
  3. Keeps maximum of 10 log files before deleting older ones.
xpack.security.audit.appender

Supported on:

Optional. Specifies where audit logs should be written to and how they should be formatted. If no appender is specified, a default appender will be used (see above).

Datatype: string

xpack.security.audit.appender.type

Supported on:

Required. Specifies where audit logs should be written to. Allowed values are console, file, or rolling-file.

Refer to file appender and rolling file appender for appender specific settings.

Datatype: enum

Options:

  • console
  • file
  • rolling-file
xpack.security.audit.appender.layout.type

Supported on:

Required. Specifies how audit logs should be formatted. Allowed values are json or pattern.

Refer to pattern layout for layout specific settings.

Datatype: enum

Options:

  • json
  • pattern
Tip

We recommend using json format to allow ingesting Kibana audit logs into Elasticsearch using Filebeat.

File appender

The file appender writes to a file and can be configured using the following settings:

xpack.security.audit.appender.fileName

Supported on:

Required. Full file path the log file should be written to.

Datatype: string

Rolling file appender

The rolling-file appender writes to a file and rotates it using a rolling strategy, when a particular policy is triggered:

xpack.security.audit.appender.fileName

Supported on:

Required. Full file path the log file should be written to.

Datatype: string

xpack.security.audit.appender.policy.type

Supported on:

Specifies when a rollover should occur. Allowed values are size-limit and time-interval. Default: time-interval.

Refer to size limit policy and time interval policy for policy specific settings.

Datatype: enum

Default: time-interval

Options:

  • size-limit
  • time-interval
xpack.security.audit.appender.strategy.type

Supported on:

Specifies how the rollover should occur. Only allowed value is currently numeric. Default: numeric

Refer to numeric strategy for strategy specific settings.

Datatype: enum

Default: numeric

Options:

  • numeric

Size limit triggering policy

The size-limit triggering policy will rotate the file when it reaches a certain size:

xpack.security.audit.appender.policy.size

Supported on:

Maximum size the log file should reach before a rollover should be performed. Default: 100mb

Datatype: string

Default: 100mb

Time interval triggering policy

The time-interval triggering policy will rotate the file every given interval of time:

xpack.security.audit.appender.policy.interval

Supported on:

How often a rollover should occur. Default: 24h

Datatype: string

Default: 24h

xpack.security.audit.appender.policy.modulate

Supported on:

Whether the interval should be adjusted to cause the next rollover to occur on the interval boundary. Default: true

Datatype: bool

Default: true

Numeric rolling strategy

The numeric rolling strategy will suffix the log file with a given pattern when rolling over, and will retain a fixed number of rolled files:

xpack.security.audit.appender.strategy.pattern

Supported on:

Suffix to append to the file name when rolling over. Must include %i. Default: -%i

Datatype: string

Default: -%i

xpack.security.audit.appender.strategy.max

Supported on:

Maximum number of files to keep. Once this number is reached, oldest files will be deleted. Default: 7

Datatype: int

Default: 7

Pattern layout

The pattern layout outputs a string, formatted using a pattern with special placeholders, which will be replaced with data from the actual log message:

xpack.security.audit.appender.layout.pattern

Supported on:

Optional. Specifies how the log line should be formatted. Default: [%date][%level][%logger]%meta %message

Datatype: string

Default: [%date][%level][%logger]%meta %message

xpack.security.audit.appender.layout.highlight

Supported on:

Optional. Set to true to enable highlighting log messages with colors.

Datatype: bool

Ignore filters

xpack.security.audit.ignore_filters[]

Supported on:

List of filters that determine which events should be excluded from the audit log. An event will get filtered out if at least one of the provided filters matches.

Datatype: string

For example:

xpack.security.audit.ignore_filters:
- actions: [http_request]
- categories: [database]
  types: [creation, change, deletion]
- spaces: [default]
- users: [elastic, kibana_system]
  1. Filters out HTTP request events
  2. Filters out any data write events
  3. Filters out events from the default space
  4. Filters out events from the elastic and kibana_system users
xpack.security.audit.ignore_filters[].actions[]

Supported on:

List of values matched against the event.action field of an audit event. Refer to Audit logs for a list of available events.

Datatype: string

xpack.security.audit.ignore_filters[].categories[]

Supported on:

List of values matched against the event.category field of an audit event. Refer to ECS categorization field for allowed values.

Datatype: string

xpack.security.audit.ignore_filters[].outcomes[]

Supported on:

List of values matched against the event.outcome field of an audit event. Refer to ECS outcome field for allowed values.

Datatype: string

xpack.security.audit.ignore_filters[].spaces[]

Supported on:

List of values matched against the kibana.space_id field of an audit event. This represents the space id in which the event took place.

Datatype: string

xpack.security.audit.ignore_filters[].types[]

Supported on:

List of values matched against the event.type field of an audit event. Refer to ECS type field for allowed values.

Datatype: string

xpack.security.audit.ignore_filters[].users[]

Supported on:

List of values matched against the user.name field of an audit event. This represents the username associated with the audit event.

Datatype: string