The Alerting feature is automatically enabled in Kibana, but might require some additional configuration.

Prerequisitesedit

If you are using an on-premises Elastic Stack deployment:

If you are using an on-premises Elastic Stack deployment with security:

The Alerting framework uses queries that require the search.allow_expensive_queries setting to be true. See the scripts documentation.

Production considerations and scaling guidanceedit

When relying on alerting and actions as mission critical services, make sure you follow the Alerting production considerations.

See Scaling guidance for more information on the scalability of Kibana alerting.

Securityedit

To access alerting in a space, a user must have access to one of the following features:

See feature privileges for more information on configuring roles that provide access to these features. Also note that a user will need read privileges for the Actions and Connectors feature to attach actions to a rule or to edit a rule that has an action attached to it.

Restrict actionsedit

For security reasons you may wish to limit the extent to which Kibana can connect to external services. Action settings allows you to disable certain Connectors and allowlist the hostnames that Kibana can connect with.

Space isolationedit

Rules and connectors are isolated to the Kibana space in which they were created. A rule or connector created in one space will not be visible in another.

Authorizationedit

Rules are authorized using an API key associated with the last user to edit the rule. This API key captures a snapshot of the user’s privileges at the time of edit and is subsequently used to run all background tasks associated with the rule, including condition checks, like Elasticsearch queries, and action executions. The following rule actions will re-generate the API key: