Configure reporting in Kibanaedit

To enable users to manually and automatically generate reports, install the reporting packages, grant users access to the reporting features, and secure the reporting endpoints.

Install the reporting packagesedit

Make sure the Kibana server operating system has the appropriate packages installed for the distribution.

If you are using RHEL operating systems, install the following packages:

  • ipa-gothic-fonts
  • xorg-x11-fonts-100dpi
  • xorg-x11-fonts-75dpi
  • xorg-x11-utils
  • xorg-x11-fonts-cyrillic
  • xorg-x11-fonts-Type1
  • xorg-x11-fonts-misc
  • fontconfig
  • freetype

If you are using Ubuntu/Debian systems, install the following packages:

  • fonts-liberation
  • libfontconfig1

If the system is missing dependencies, Reporting fails in a non-deterministic way. Kibana runs a self-test at server startup, and if it encounters errors, logs them in the Console. The error message does not include information about why Chromium failed to run. The most common error message is Error: connect ECONNREFUSED, which indicates that Kibana could not connect to the Chromium process.

To troubleshoot the problem, start the Kibana server with environment variables that tell Chromium to print verbose logs. For more information, refer to Puppeteer debug logs.

Grant users access to reportingedit

When security is enabled, you grant users access to generate reports with Kibana application privileges, which allow you to create custom roles that control the spaces and applications where users generate reports.

  1. Enable application privileges in Reporting. To enable, turn off the default user access control features in kibana.yml:

    xpack.reporting.roles.enabled: false

    If you use the default settings, you can still create a custom role that grants reporting privileges. The default role is reporting_user. This behavior is being deprecated and does not allow application-level access controls for reporting features, and does not allow API keys or authentication tokens to authorize report generation. Refer to reporting security settings for information and caveats about the deprecated access control features.

  2. Create the reporting role.

    1. Open the main menu, then click Stack Management.
    2. Click Roles > Create role.
  3. Specify the role settings.

    1. Enter the Role name. For example, custom_reporting_user.
    2. Specify the Indices and Privileges.

      Access to data is an index-level privilege. For each index that contains the data you want to include in reports, add a line, then give each index read and view_index_metadata privileges.

      For more information, refer to Security privileges.

  4. Add the Kibana privileges.

    1. Click Add Kibana privilege.
    2. Select one or more Spaces.
    3. Click Customize, then click Analytics.
    4. Next to the applications you want to grant reporting privileges, click All.

      If the Reporting option is unavailable, contact your administrator, or enable the option in kibana.yml.

    5. Click Add Kibana privilege.
  5. Click Create role.
  6. Assign the reporting role to a user.

    1. Open the main menu, then click Stack Management.
    2. Click Users, then click the user you want to assign the reporting role to.
    3. From the Roles dropdown, select custom_reporting_user.
    4. Click Update user.

Granting the privilege to generate reports also grants the user the privilege to view their reports in Stack Management > Reporting. Users can only access their own reports.

Grant access with the role APIedit

With Kibana application privileges enabled in Reporting, you can also use the role API to grant access to the reporting features. Grant custom reporting roles to users in combination with other roles that grant read access to the data in Elasticsearch, and at least read access in the applications where users can generate reports.

POST /_security/role/custom_reporting_user
  metadata: {},
  elasticsearch: { cluster: [], indices: [], run_as: [] },
  kibana: [
      base: [],
      feature: {
        dashboard: [
        discover: ['generate_report'], 
        canvas: ['generate_report'], 
        visualize: ['generate_report'], 
      spaces: ['*'],

Grants access to generate PNG and PDF reports in Dashboard.

Grants access to download CSV files from saved search panels in Dashboard.

Grants access to generate CSV reports from saved searches in Discover.

Grants access to generate PDF reports in Canvas.

Grants access to generate PNG and PDF reports in Visualize Library.

Grant access using an external provideredit

If you are using an external identity provider, such as LDAP or Active Directory, you can assign roles to individual users or groups of users. Role mappings are configured in config/role_mapping.yml.

For example, assign the kibana_admin and reporting_user roles to the Bill Murray user:

  - "cn=Bill Murray,dc=example,dc=com"
  - "cn=Bill Murray,dc=example,dc=com"

Secure the reporting endpointsedit

To automatically generate reports with Watcher, you must configure Watcher to trust the Kibana server certificate.

  1. Enable Elastic Stack security features on your Elasticsearch cluster. For more information, see Getting started with security.
  2. Configure TLS/SSL encryption for the Kibana server. For more information, see Encrypt TLS communications in Kibana.
  3. Specify the Kibana server CA certificate chain in elasticsearch.yml:

    If you are using your own CA to sign the Kibana server certificate, then you need to specify the CA certificate chain in Elasticsearch to properly establish trust in TLS connections between Watcher and Kibana. If your CA certificate chain is contained in a PKCS #12 trust store, specify it like so:

    xpack.http.ssl.truststore.path: "/path/to/your/truststore.p12"
    xpack.http.ssl.truststore.type: "PKCS12"
    xpack.http.ssl.truststore.password: "optional decryption password"

    Otherwise, if your CA certificate chain is in PEM format, specify it like so:

    xpack.http.ssl.certificate_authorities: ["/path/to/your/cacert1.pem", "/path/to/your/cacert2.pem"]

    For more information, see the Watcher HTTP TLS/SSL Settings.

  4. Add one or more users who have access to the reporting features.

    Once you’ve enabled SSL for Kibana, all requests to the reporting endpoints must include valid credentials.