Security settings in Kibanaedit

You do not need to configure any additional settings to use the security features in Kibana. They are enabled by default.

General security settingsedit

xpack.security.enabled

By default, Kibana automatically detects whether to enable the security features based on the license and whether Elasticsearch security features are enabled.

Do not set this to false; it disables the login form, user and role management screens, and authorization using Kibana privileges. To disable security features entirely, see Elasticsearch security settings.

xpack.security.audit.enabled

Set to true to enable audit logging for security events. By default, it is set to false. For more details see Audit logs.

Authentication security settingsedit

You configure authentication settings in the xpack.security.authc namespace in kibana.yml.

For example:

xpack.security.authc:
    providers:
      basic.basic1: 
          order: 0 
          ...

      saml.saml1: 
          order: 1
          ...

      saml.saml2: 
          order: 2
          ...

      pki.realm3:
          order: 3
          ...
    ...

Specifies the type of authentication provider (for example, basic, token, saml, oidc, kerberos, pki) and the provider name. This setting is mandatory.

Specifies the order of the provider in the authentication chain and on the Login Selector UI. This setting is mandatory.

Specifies the settings for the SAML authentication provider with a saml1 name.

Specifies the settings for the SAML authentication provider with a saml2 name.

The valid settings in the xpack.security.authc.providers namespace vary depending on the authentication provider type. For more information, refer to Authentication.

Valid settings for all authentication providersedit

xpack.security.authc.providers. <provider-type>.<provider-name>.enabled logo cloud

Determines if the authentication provider should be enabled. By default, Kibana enables the provider as soon as you configure any of its properties.

xpack.security.authc.providers. <provider-type>.<provider-name>.order logo cloud

Order of the provider in the authentication chain and on the Login Selector UI.

xpack.security.authc.providers. <provider-type>.<provider-name>.description logo cloud

Custom description of the provider entry displayed on the Login Selector UI.

xpack.security.authc.providers. <provider-type>.<provider-name>.hint logo cloud

Custom hint for the provider entry displayed on the Login Selector UI.

xpack.security.authc.providers. <provider-type>.<provider-name>.icon logo cloud

Custom icon for the provider entry displayed on the Login Selector UI.

xpack.security.authc.providers. <provider-type>.<provider-name>.showInSelector logo cloud

Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to false doesn’t remove the provider from the authentication chain.

You are unable to set this setting to false for basic and token authentication providers.

xpack.security.authc.providers. <provider-type>.<provider-name>.accessAgreement.message logo cloud

Access agreement text in Markdown format. For more information, refer to Access agreement.

SAML authentication provider settingsedit

In addition to the settings that are valid for all providers, you can specify the following settings:

xpack.security.authc.providers. saml.<provider-name>.realm logo cloud

SAML realm in Elasticsearch that provider should use.

xpack.security.authc.providers. saml.<provider-name>.useRelayStateDeepLink logo cloud

Determines if the provider should treat the RelayState parameter as a deep link in Kibana during Identity Provider initiated log in. By default, this setting is set to false. The link specified in RelayState should be a relative, URL-encoded Kibana URL. For example, the /app/dashboards#/list link in RelayState parameter would look like this: RelayState=%2Fapp%2Fdashboards%23%2Flist.

OpenID Connect authentication provider settingsedit

In addition to the settings that are valid for all providers, you can specify the following settings:

xpack.security.authc.providers. oidc.<provider-name>.realm logo cloud

OpenID Connect realm in Elasticsearch that the provider should use.

HTTP authentication settingsedit

There is a very limited set of cases when you’d want to change these settings. For more information, refer to HTTP authentication.

xpack.security.authc.http.enabled

Determines if HTTP authentication should be enabled. By default, this setting is set to true.

xpack.security.authc.http.autoSchemesEnabled

Determines if HTTP authentication schemes used by the enabled authentication providers should be automatically supported during HTTP authentication. By default, this setting is set to true.

xpack.security.authc.http.schemes[]

List of HTTP authentication schemes that Kibana HTTP authentication should support. By default, this setting is set to ['apikey'] to support HTTP authentication with ApiKey scheme.

Login user interface settingsedit

You can configure the following settings in the kibana.yml file.

xpack.security.loginAssistanceMessage logo cloud

Adds a message to the login UI. Useful for displaying information about maintenance windows, links to corporate sign up pages, and so on.

xpack.security.loginHelp logo cloud

Adds a message accessible at the login UI with additional help information for the login process.

xpack.security.authc.selector.enabled logo cloud

Determines if the login selector UI should be enabled. By default, this setting is set to true if more than one authentication provider is configured.

Session and cookie security settingsedit

You can configure the following settings in the kibana.yml file.

xpack.security.cookieName

Sets the name of the cookie used for the session. The default value is "sid".

xpack.security.encryptionKey

An arbitrary string of 32 characters or more that is used to encrypt session information. Do not expose this key to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts. In addition, high-availability deployments of Kibana will behave unexpectedly if this setting isn’t the same for all instances of Kibana.

xpack.security.secureCookies

Sets the secure flag of the session cookie. The default value is false. It is automatically set to true if server.ssl.enabled is set to true. Set this to true if SSL is configured outside of Kibana (for example, you are routing requests through a load balancer or proxy).

xpack.security.sameSiteCookies logo cloud

Sets the SameSite attribute of the session cookie. This allows you to declare whether your cookie should be restricted to a first-party or same-site context. Valid values are Strict, Lax, None. This is not set by default, which modern browsers will treat as Lax. If you use Kibana embedded in an iframe in modern browsers, you might need to set it to None. Setting this value to None requires cookies to be sent over a secure connection by setting xpack.security.secureCookies: true`. Some old versions of IE11 do not support SameSite: None.

xpack.security.session.idleTimeout logo cloud

Ensures that user sessions will expire after a period of inactivity. This and xpack.security.session.lifespan are both highly recommended. By default, this setting is not set.

The format is a string of <count>[ms|s|m|h|d|w|M|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.lifespan logo cloud

Ensures that user sessions will expire after the defined time period. This behavior also known as an "absolute timeout". If this is not set, user sessions could stay active indefinitely. This and xpack.security.session.idleTimeout are both highly recommended. By default, this setting is not set.

The format is a string of <count>[ms|s|m|h|d|w|M|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.cleanupInterval

Sets the interval at which Kibana tries to remove expired and invalid sessions from the session index. By default, this value is 1 hour. The minimum value is 10 seconds.

The format is a string of <count>[ms|s|m|h|d|w|M|Y] (e.g. 20m, 24h, 7d, 1w).

Encrypted saved objects settingsedit

These settings control the encryption of saved objects with sensitive data. For more details, refer to Secure saved objects.

In high-availability deployments, make sure you use the same encryption and decryption keys for all instances of Kibana. Although the keys can be specified in clear text in kibana.yml, it’s recommended to store them securely in the Kibana Keystore.

xpack.encryptedSavedObjects. encryptionKey

An arbitrary string of at least 32 characters that is used to encrypt sensitive properties of saved objects before they’re stored in Elasticsearch. If not set, Kibana will generate a random key on startup, but certain features won’t be available until you set the encryption key explicitly.

xpack.encryptedSavedObjects. keyRotation.decryptionOnlyKeys

An optional list of previously used encryption keys. Like xpack.encryptedSavedObjects.encryptionKey, these must be at least 32 characters in length. Kibana doesn’t use these keys for encryption, but may still require them to decrypt some existing saved objects. Use this setting if you wish to change your encryption key, but don’t want to lose access to saved objects that were previously encrypted with a different key.

Audit logging settingsedit

You can enable audit logging to support compliance, accountability, and security. When enabled, Kibana will capture:

  • Who performed an action
  • What action was performed
  • When the action occurred

For more details and a reference of audit events, refer to Audit logs.

xpack.security.audit.enabled

Set to true to enable audit logging for security events. Default: false

ECS audit logging settingsedit

To enable the ECS audit logger, specify where you want to write the audit events using xpack.security.audit.appender.

xpack.security.audit.appender

Optional. Specifies where audit logs should be written to and how they should be formatted.

For example:

xpack.security.audit.appender:
  kind: file
  path: /path/to/audit.log
  layout:
    kind: json

xpack.security.audit.appender.kind

Required. Specifies where audit logs should be written to. Allowed values are console or file.

File appenderedit

The file appender can be configured using the following settings:

xpack.security.audit.appender.path

Required. Full file path the log file should be written to.

xpack.security.audit.appender.layout.kind

Required. Specifies how audit logs should be formatted. Allowed values are json or pattern.

Pattern layoutedit

The pattern layout can be configured using the following settings:

xpack.security.audit.appender.layout.highlight

Optional. Set to true to enable highlighting log messages with colors.

xpack.security.audit.appender.layout.pattern

Optional. Specifies how the log line should be formatted. Default: [%date][%level][%logger]%meta %message

Ignore filtersedit

xpack.security.audit.ignore_filters[]

List of filters that determine which events should be excluded from the audit log. An event will get filtered out if at least one of the provided filters matches.

For example:

xpack.security.audit.ignore_filters:
- actions: [http_request] 
- categories: [database]
  types: [creation, change, deletion] 

Filters out HTTP request events

Filters out any data write events

xpack.security.audit.ignore_filters[].actions[]

List of values matched against the event.action field of an audit event. Refer to Audit logs for a list of available events.

xpack.security.audit.ignore_filters[].categories[]

List of values matched against the event.category field of an audit event. Refer to ECS categorization field for allowed values.

xpack.security.audit.ignore_filters[].types[]

List of values matched against the event.type field of an audit event. Refer to ECS type field for allowed values.

xpack.security.audit.ignore_filters[].outcomes[]

List of values matched against the event.outcome field of an audit event. Refer to ECS outcome field for allowed values.