Elastic Cloud Kibana settings

Supported Kibana settings

The following Kibana settings can be configured using the Edit user settings option when editing your Elastic Cloud Hosted deployment configuration. Settings not listed on this page are not supported on Elastic Cloud Hosted.

General

Use these settings to configure general features available in Kibana.

General settings

execution_context.enabled

Supported on:

Propagate request-specific metadata to Elasticsearch server by way of the x-opaque-id header.

Datatype: bool

Content Security Policy (CSP) settings

csp.form_action

Add sources for the Content Security Policy form-action directive.

Datatype: string

Default: 'self'

csp.report_only.form_action

Add sources for the Content Security Policy form-action directive in reporting mode.

Datatype: string

Deprecation details

Use csp.form_action instead.

csp.report_only.connect_src

Add sources for the Content Security Policy connect-src directive in reporting mode.

Datatype: string

Elasticsearch connection settings

elasticsearch.compression

Supported on:

Specifies whether Kibana should use compression for communications with Elasticsearch.

Datatype: bool

Default: false

elasticsearch.maxSockets

Supported on:

The maximum number of sockets that can be used for communications with Elasticsearch.

Datatype: int

Default: 800

Logging settings

logging.root.level

Supported on:

Level at which a log record should be logged. Supported levels are: all, fatal, error, warn, info, debug, trace, off. Levels are ordered from all (highest) to off and a log record will be logged it its level is higher than or equal to the level of its logger, otherwise the log record is ignored. Use this value to change the overall log level.

Datatype: enum

Default: info

Options:

all
fatal
error
warn
info
debug
trace
off

Tip

Set to all to log all events, including system usage information and all requests. Set to off to silence all logs. You can also use the logging cli commands to set log level to verbose or silence all logs.

The following example shows a valid verbose logging.root configuration:

		logging:
  appenders:
    console_appender:
      type: console
      layout:
        type: pattern
        highlight: true
  root:
    appenders: [console_appender]
    level: all
		
	

Map settings

map.includeElasticMapsService

Supported on:

Set to false to disable connections to Elastic Maps Service. When includeElasticMapsService is turned off, only tile layer configured by map.tilemap.url is available in Maps.

Datatype: bool

Default: true

map.tilemap.options.attribution

Supported on:

The map attribution string. Provide attributions in markdown and use \| to delimit attributions, for example: "[attribution 1](https://www.attribution1)\|[attribution 2](https://www.attribution2)".

Datatype: string

Default: "© [Elastic Maps Service](https://www.elastic.co/elastic-maps-service)"

map.tilemap.options.maxZoom

Supported on:

The maximum zoom level.

Datatype: int

Default: 10

map.tilemap.options.minZoom

Supported on:

The minimum zoom level.

Datatype: int

Default: 1

map.tilemap.options.subdomains

Supported on:

An array of subdomains used by the tile service. Specify the position of the subdomain the URL with the token {{s}}.

Datatype: string

map.tilemap.url

Supported on:

The URL to the service that Kibana uses as the default basemap in maps and vega maps. By default, Kibana sets a basemap from the Elastic Maps Service, but users can point to their own Tile Map Service. For example: "https://tiles.elastic.co/v2/default/{{z}}/{x}/{{y}}.png?elastic_tile_service_tos=agree&my_app_name=kibana"

Datatype: string

Migrations settings

migrations.batchSize

Supported on:

Defines the number of documents migrated at a time. The higher the value, the faster the Saved Objects migration process performs at the cost of higher memory consumption. If upgrade migrations results in Kibana crashing with an out of memory exception or fails due to an Elasticsearch circuit_breaking_exception, use a smaller batchSize value to reduce the memory pressure.

Datatype: int

Default: 1000

migrations.discardUnknownObjects

Supported on:

Discard saved objects with unknown types during a migration. Must be set to the target version, for example: 8.4.0. Default: undefined.

Datatype: string

migrations.discardCorruptObjects

Supported on:

Discard corrupt saved objects, as well as those that cause transform errors during a migration. Must be set to the target version, for example: 8.4.0. Default: undefined.

Datatype: string

Search and autocomplete settings

data.autocomplete.valueSuggestions.terminateAfter

Supported on:

Specifies the max number of documents loaded by each shard to generate autocomplete suggestions. Allowed values are between 1 and 10000000.

Datatype: int

Default: 100000

Note

Using this setting in Kibana 9.4.0 and 9.4.1 causes a startup failure due to a known regression. Migrate to unifiedSearch.autocomplete.valueSuggestions.terminateAfter or upgrade to a later version.

Deprecation details

Deprecated in 8.3.0. Use unifiedSearch.autocomplete.valueSuggestions.terminateAfter instead.

data.autocomplete.valueSuggestions.timeout

Supported on:

Specifies the time in milliseconds to wait for autocomplete suggestions from Elasticsearch. Allowed values are between 1 and 1200000.

Datatype: int

Default: 1000

Note

Using this setting in Kibana 9.4.0 and 9.4.1 causes a startup failure due to a known regression. Migrate to unifiedSearch.autocomplete.valueSuggestions.timeout or upgrade to a later version.

Deprecation details

Deprecated in 8.3.0. Use unifiedSearch.autocomplete.valueSuggestions.timeout instead.

unifiedSearch.autocomplete.valueSuggestions.timeout

Supported on:

Time in milliseconds to wait for autocomplete suggestions from Elasticsearch. This value must be a whole number greater than zero.

Datatype: int

Default: 1000

unifiedSearch.autocomplete.valueSuggestions.terminateAfter

Supported on:

Maximum number of documents loaded by each shard to generate autocomplete suggestions. This value must be a whole number greater than zero.

Datatype: int

Default: 100000

Note

To reload the logging settings, send a SIGHUP signal to Kibana. For more logging configuration options, see the Configure Logging in Kibana guide.

Server settings

server.maxPayload

Supported on:

The maximum payload size in bytes for incoming server requests. This option controls the maximum payload size Kibana can handle, rather than the incoming request size, which also limits the inflated size when compression is used.

Datatype: int

Default: 1048576

server.customResponseHeaders

Supported on:

Header names and values to send on all responses to the client from the Kibana server.

Datatype: string

Default: {}

Server compression settings

server.compression.brotli.enabled

Supported on:

Set to true to enable brotli (br) compression format. Browsers not supporting brotli compression will fallback to using gzip instead. This setting may not be used when server.compression.enabled is set to false.

Datatype: bool

Default: false

Server security response headers

server.securityResponseHeaders.strictTransportSecurity

Supported on:

Controls whether the Strict-Transport-Security header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or null. To disable, set to null.

Datatype: string

Default: null

server.securityResponseHeaders.xContentTypeOptions

Supported on:

Controls whether the X-Content-Type-Options header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are nosniff or null. To disable, set to null.

Datatype: string

Default: "nosniff"

server.securityResponseHeaders.referrerPolicy

Supported on:

Controls whether the Referrer-Policy header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url, or null. To disable, set to null.

Datatype: string

Default: "strict-origin-when-cross-origin"

server.securityResponseHeaders.permissionsPolicy

Supported on:

Controls whether the Permissions-Policy header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or null. Refer to the Permissions-Policy documentation for defined directives, values, and text format. To disable, set to null.

Datatype: string

Default: camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()

server.securityResponseHeaders.permissionsPolicyReportOnly

Supported on:

Controls whether the Permissions-Policy-Report-Only header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or null. Refer to the Permissions-Policy documentation for defined directives, values, and text format.

Datatype: string

server.securityResponseHeaders.disableEmbedding

Supported on:

Controls whether the Content-Security-Policy and X-Frame-Options headers are configured to disable embedding Kibana in other webpages using iframes. When set to true, secure headers are used to disable embedding, which adds the frame-ancestors: 'self' directive to the Content-Security-Policy response header and adds the X-Frame-Options: SAMEORIGIN response header.

Datatype: bool

Default: false

server.securityResponseHeaders.crossOriginOpenerPolicy

Supported on:

Controls whether the Cross-Origin-Opener-Policy header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are unsafe-none, same-origin-allow-popups, same-origin, or null. To disable, set to null.

Datatype: enum

Default: "same-origin"

Options:

unsafe-none
same-origin-allow-popups
same-origin
null

Server XSRF settings

server.xsrf.allowlist

Supported on:

It is not recommended to disable protections for arbitrary API endpoints. Instead, supply the kbn-xsrf header. The server.xsrf.allowlist setting requires the following format:

		*Default: [ ]* An array of API endpoints which should be exempt from Cross-Site Request Forgery ("XSRF") protections.
		
	

Datatype: string

Default: []

UI and visualization settings

uiSettings.globalOverrides.hideAnnouncements

Supported on:

Set to true to stop showing messages and tours that highlight new features.

Datatype: bool

Default: false

uiSettings.globalOverrides.hideFeedback

Supported on:

Set to true to stop showing elements requesting user feedback.

Datatype: bool

Default: false

vis_type_timelion.enabled

Supported on:

Set to false to disable Timelion visualizations.

Datatype: bool

Default: true

vis_type_table.legacyVisEnabled

Supported on:

Starting from version 7.11, a new datatable visualization is used. Set to true to enable the legacy version. In version 8.0 and later, the old implementation is removed and this setting is no longer supported.

Datatype: bool

vis_type_vega.enabled

Supported on:

For versions 7.7 and later, set to false to disable Vega visualizations.

Datatype: bool

Default: true

vega.enableExternalUrls

Supported on:

Set to true to allow Vega vizualizations to use data from sources other than the linked Elasticsearch cluster. In version 8.0 and later, the vega.enableExternalUrls is not supported. Use vis_type_vega.enableExternalUrls instead.

Datatype: bool

Deprecation details

In version 8.0 and later, this setting is not supported. Use vis_type_vega.enableExternalUrls instead.

vis_type_vega.enableExternalUrls

Supported on:

Set this value to true to allow Vega to use any URL to access external data sources and images. When false, Vega can only get data from Elasticsearch.

Datatype: bool

Default: false

Feature and plugin settings

xpack.securitySolution.maxUploadResponseActionFileBytes

Supported on:

Allow to configure the max file upload size for use with the Upload File Response action available with the Defend Integration. To learn more, check Endpoint Response actions.

Datatype: string

xpack.securitySolution.disableEndpointRuleAutoInstall

Supported on:

Set to true to disable the automatic installation of Elastic Defend SIEM rules when a new Endpoint integration policy is created. Introduced with v9.2.4.

Datatype: bool

Default: false

xpack.securitySolution.maxEndpointScriptFileSize

Supported on:

The maximum file size in bytes for scripts uploaded to the Elastic Defend script library. Default is 26214400 (25MB).

Datatype: bool

Default: 26214400

Alerting and actions

Alerting and actions are enabled by default in Kibana, but require you to configure the following:

Set up Kibana to work with Elastic Stack security features.
Set up TLS encryption between Kibana and Elasticsearch.
If you are using an on-premises Elastic Stack deployment, specify a value for xpack.encryptedSavedObjects.encryptionKey.

Action settings

xpack.actions.allowedHosts

Supported on:

A list of hostnames that Kibana is allowed to connect to when built-in actions are triggered. It defaults to ["*"], allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list [] can be used to block built-in actions from making any external connections.

Note that hosts associated with built-in actions, such as Slack and PagerDuty, are not automatically added to allowed hosts. If you are not using the default ["*"] setting, you must ensure that the corresponding endpoints are added to the allowed hosts as well.

Datatype: string

xpack.actions.customHostSettings

Supported on:

A list of custom host settings to override existing global settings.

Each entry in the list must have a url property, to associate a connection type (mail or https), hostname and port with the remaining options in the entry.

The settings in xpack.actions.customHostSettings can be used to override the global option xpack.actions.ssl.verificationMode and provide customized TLS settings on a per-server basis. Set xpack.actions.ssl.verificationMode to the value to be used by default for all servers, then add an entry in xpack.actions.customHostSettings for every server that requires customized settings.

Datatype: string

Default: an empty list

In the following example, two custom host settings are defined. The first provides a custom host setting for mail server mail.example.com using port 465 that supplies server certificate authentication data from both a file and inline, and requires TLS for the connection. The second provides a custom host setting for https server webhook.example.com which turns off server certificate authentication, that will allow Kibana to connect to the server if it's using a self-signed certificate. The individual properties that can be used in the settings are documented below.

		xpack.actions.customHostSettings:
    - url: smtp://mail.example.com:465
      ssl:
        verificationMode: 'full'
        certificateAuthoritiesFiles: [ 'one.crt' ]
        certificateAuthoritiesData: |
            -----BEGIN CERTIFICATE-----
            MIIDTD...
            CwUAMD...
            ... multiple lines of certificate data ...
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            MIIDTD...
            CwUAMD...
            ... multiple lines of certificate data ...
            -----END CERTIFICATE-----
        smtp:
          requireTLS: true
    - url: <EXAMPLE_WEBHOOK_URL>
      ssl:
        verificationMode: 'none'
		
	

xpack.actions.customHostSettings[n].url

Supported on:

A URL associated with this custom host setting. Should be in the form of protocol://hostname:port, where protocol is https or smtp. If the port is not provided, 443 is used for https and 25 is used for smtp. The smtp URLs are used for the Email actions that use this server, and the https URLs are used for actions which use https to connect to services.

Entries with https URLs can use the ssl options, and entries with smtp URLs can use both the ssl and smtp options.

No other URL values should be part of this URL, including paths, query strings, and authentication information. When an http or smtp request is made as part of running an action, only the protocol, hostname, and port of the URL for that request are used to look up these configuration values.

Datatype: string

xpack.actions.customHostSettings[n].smtp.ignoreTLS

Supported on:

A boolean value indicating that TLS must not be used for this connection. The options smtp.ignoreTLS and smtp.requireTLS can not both be set to true.

Datatype: bool

Default: false

xpack.actions.customHostSettings[n].smtp.requireTLS

Supported on:

A boolean value indicating that TLS must be used for this connection. The options smtp.ignoreTLS and smtp.requireTLS can not both be set to true.

Datatype: bool

Default: false

xpack.actions.customHostSettings[n].ssl.verificationMode

Supported on:

Controls the verification of the server certificate that Kibana receives when making an outbound SSL/TLS connection to the host server. Valid values are full, certificate, and none. Use full to perform hostname verification, certificate to skip hostname verification, and none to skip verification. Default: full. Equivalent Kibana setting. Overrides the general xpack.actions.ssl.verificationMode configuration for requests made for this hostname/port.

Datatype: enum

Default: full

Options:

full
certificate
none

xpack.actions.customHostSettings[n].ssl.certificateAuthoritiesData

Supported on:

The contents of one or more PEM-encoded certificate files in multiline format. This configuration can be used for environments where the files cannot be made available.

Datatype: string

xpack.actions.email.domain_allowlist

Supported on:

A list of allowed email domains which can be used with the email connector. When this setting is not used, all email domains are allowed. When this setting is used, if any email is attempted to be sent that (a) includes an addressee with an email domain that is not in the allowlist, or (b) includes a from address domain that is not in the allowlist, it will fail with a message indicating the email is not allowed.

Datatype: string

Warning

This feature is available in Kibana 7.17.4 and 8.3.0 onwards but is not supported in Kibana 8.0, 8.1 or 8.2. As such, this setting should be removed before upgrading from 7.17 to 8.0, 8.1 or 8.2. It is possible to configure the settings in 7.17.4 and then upgrade to 8.3.0 directly.

xpack.actions.email.recipient_allowlist

Supported on:

A list of allowed email recipient patterns (to, cc, or bcc) that can be used with email connectors. If you attempt to send an email to a recipient that does not match the allowed patterns, the action will fail. The failure message indicates that the email is not allowed.

Datatype: string

Warning

This setting cannot be used with xpack.actions.email.domain_allowlist.

For example:

		xpack.actions.email.recipient_allowlist: ["admin-*@company.org", "sales-*@example.com"]
		
	

Only "to", "cc", or "bcc" email addresses that match the listed patterns will be accepted. For example, "admin-network@company.org" or "sales-north@example.com".

xpack.actions.email.services.ses.host

Supported on:

The SMTP endpoint for an Amazon Simple Email Service (SES) service provider that can be used by email connectors.

Datatype: string

Default: email-smtp.us-east-1.amazonaws.com

Warning

This setting alone is insufficient for overriding system defaults for the SES SMTP endpoint. You must also configure the xpack.actions.email.services.ses.port setting.

xpack.actions.email.services.ses.port

Supported on:

The port number for an Amazon Simple Email Service (SES) service provider that can be used by email connectors.

Datatype: int

Default: 465

xpack.actions.email.services.enabled

Supported on:

An array of strings indicating all email services that are enabled. Available options are elastic-cloud, google-mail, microsoft-outlook, amazon-ses, microsoft-exchange, and other. If the array is empty, no email services are enabled. The default value is ["*"], which enables all email services.

Datatype: string

Default: ["*"]

xpack.actions.enableFooterInEmail

Supported on:

A boolean value indicating that a footer with a relevant link should be added to emails sent as alerting actions.

Datatype: bool

Default: true

xpack.actions.enabledActionTypes

Supported on:

A list of action types that are enabled. It defaults to ["*"], enabling all types. The names for built-in Kibana action types are prefixed with a . and include: .email, .index, .jira, .opsgenie, .pagerduty, .resilient, .server-log, .servicenow, .servicenow-itom, .servicenow-sir, .slack, .swimlane, .teams, .tines, .torq, .xmatters, .gen-ai, .bedrock, .gemini, .d3security, and .webhook. An empty list [] will disable all action types.

Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in Kibana and will not function.

Datatype: string

Default: ["*"]

Important

Preconfigured connectors are not affected by this setting.

xpack.actions.proxyUrl

Supported on:

Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used.

Proxies may be used to proxy http or https requests through a proxy using the http or https protocol. Kibana only uses proxies in "CONNECT" mode (sometimes referred to as "tunneling" TCP mode, compared to HTTP mode). That is, Kibana will always make requests through a proxy using the HTTP CONNECT method.

If your proxy is using the https protocol (vs the http protocol), the setting xpack.actions.ssl.proxyVerificationMode: none will likely be needed, unless your proxy's certificates are signed using a publicly available certificate authority.

There is currently no support for using basic authentication with a proxy (authentication for the proxy itself, not the URL being requested through the proxy).

Datatype: string

To help diagnose problems using a proxy, you can use the curl command with options to use your proxy, and log debug information, with the following command, replacing the proxy and target URLs as appropriate. This will force the request to be made to the proxy in tunneling mode, and display some of the interaction between the client and the proxy.

curl --verbose --proxytunnel --proxy http://localhost:8080 <EXAMPLE_URL>

xpack.actions.proxyBypassHosts

Supported on:

Specifies hostnames which should not use the proxy, if using a proxy for actions. The value is an array of hostnames as strings.

By default, all hosts will use the proxy, but if an action's hostname is in this list, the proxy will not be used. The settings xpack.actions.proxyBypassHosts and xpack.actions.proxyOnlyHosts cannot be used at the same time.

Datatype: string

For example:

xpack.actions.proxyBypassHosts: [ "events.pagerduty.com" ]

If applicable, include the subdomain in the hostname.

xpack.actions.proxyOnlyHosts

Supported on:

Specifies hostnames which should only use the proxy, if using a proxy for actions. The value is an array of hostnames as strings.

By default, no hosts will use the proxy, but if an action's hostname is in this list, the proxy will be used. The settings xpack.actions.proxyBypassHosts and xpack.actions.proxyOnlyHosts cannot be used at the same time.

Datatype: string

For example:

xpack.actions.proxyOnlyHosts: [ "events.pagerduty.com" ]

If applicable, include the subdomain in the hostname.

xpack.actions.proxyHeaders

Supported on:

Specifies HTTP headers for the proxy, if using a proxy for actions.

Datatype: string

Default: {}

xpack.actions.ssl.proxyVerificationMode

Supported on:

Controls the verification for the proxy server certificate that Kibana receives when making an outbound SSL/TLS connection to the proxy server.

Use full to perform hostname verification, certificate to skip hostname verification, and none to skip verification.

Equivalent Kibana setting

Datatype: enum

Default: full

Options:

full
certificate
none

xpack.actions.ssl.verificationMode

Supported on:

Controls the verification for the server certificate that Kibana receives when making an outbound SSL/TLS connection for actions. Valid values are full, certificate, and none. Use full to perform hostname verification, certificate to skip hostname verification, and none to skip verification.

Equivalent Kibana setting

This setting can be overridden for specific URLs by using the setting xpack.actions.customHostSettings[n].ssl.verificationMode (described above) to a different value.

Datatype: enum

Default: full

Options:

full
certificate
none

xpack.actions.maxResponseContentLength

Supported on:

Specifies the max number of bytes of the http response for requests to external resources.

Datatype: int

Default: 1000000 (1MB)

xpack.actions.responseTimeout

Supported on:

Specifies the time allowed for requests to external resources. Requests that take longer are canceled. The time is formatted as a number and a time unit (ms, s, m, h, d, w, M, or Y). For example, 20m, 24h, 7d, 1w. Default: 60s.

Datatype: string

xpack.actions.run.maxAttempts

Supported on:

Specifies the maximum number of times an action can be attempted to run.

Datatype: int

Options:

minimum 1 and maximum 10

xpack.actions.run.connectorTypeOverrides

Supported on:

Overrides the configs under xpack.actions.run for the connector type with the given ID. List the connector type identifier and its settings in an array of objects.

Datatype: string

For example:

		xpack.actions.run:
    maxAttempts: 1
    connectorTypeOverrides:
        - id: '.server-log'
          maxAttempts: 5
		
	

xpack.actions.queued.max

Supported on:

Specifies the maximum number of actions that can be queued.

Datatype: int

Default: 1000000

Preconfigured connector settings

These settings vary depending on which type of preconfigured connector you're adding.

For example:

		xpack.actions.preconfigured:
  my-server-log:
    name: preconfigured-server-log-connector-type
    actionTypeId: .server-log
		
	

For more examples, go to Preconfigured connectors.

xpack.actions.preconfiguredAlertHistoryEsIndex

Supported on:

Enables a preconfigured alert history Elasticsearch Index connector.

Datatype: bool

Default: false

Alerting settings

xpack.alerting.cancelAlertsOnRuleTimeout

Supported on:

Specifies whether to skip writing alerts and scheduling actions if rule processing was cancelled due to a timeout. This setting can be overridden by individual rule types.

Datatype: bool

Default: true

xpack.alerting.rules.minimumScheduleInterval.value

Supported on:

Specifies the minimum schedule interval for rules. This minimum is applied to all rules created or updated after you set this value. The time is formatted as a number and a time unit (s, m, h, or d). For example, 20m, 24h, 7d. This duration cannot exceed 1d.

Datatype: string

Default: 1m

xpack.alerting.rules.minimumScheduleInterval.enforce

Supported on:

Specifies the behavior when a new or changed rule has a schedule interval less than the value defined in xpack.alerting.rules.minimumScheduleInterval.value. If false, rules with schedules less than the interval will be created but warnings will be logged. If true, rules with schedules less than the interval cannot be created.

Datatype: bool

Default: false

xpack.alerting.rules.run.actions.max

Supported on:

Specifies the maximum number of actions that a rule can generate each time detection checks run.

Datatype: int

xpack.alerting.rules.run.alerts.max

Supported on:

Specifies the maximum number of alerts that a rule can generate each time detection checks run.

Datatype: int

Default: 1000

Warning

The exact number of alerts your cluster can safely handle depends on your cluster configuration and workload. While it is technically possible to increase this value above 1000, doing so is not recommended and not supported. Increasing this limit can significantly affect Kibana and Elasticsearch performance and memory usage. Carefully evaluate the impact on your deployment before making this change.

xpack.alerting.rules.run.timeout

Supported on:

Specifies the default timeout for tasks associated with all types of rules. The time is formatted as a number and a time unit (ms, s, m, h, d, w, M, or Y). For example, 20m, 24h, 7d, 1w. Default: 5m.

Datatype: string

xpack.alerting.rules.run.ruleTypeOverrides

Supported on:

Overrides the configs under xpack.alerting.rules.run for the rule type with the given ID. List the rule identifier and its settings in an array of objects.

Datatype: string

For example:

		xpack.alerting.rules.run:
    timeout: '5m'
    ruleTypeOverrides:
        - id: '.index-threshold'
          timeout: '15m'
		
	

xpack.alerting.rules.run.actions.connectorTypeOverrides

Supported on:

Overrides the configs under xpack.alerting.rules.run.actions for the connector type with the given ID. List the connector type identifier and its settings in an array of objects.

Datatype: string

For example:

		xpack.alerting.rules.run:
    actions:
        max: 10
        connectorTypeOverrides:
            - id: '.server-log'
              max: 5
		
	

xpack.alerting.maxEphemeralActionsPerAlert

Supported on:

The maximum number of actions that a single alert instance could run using ephemeral tasks (in-memory, non-persisted).

Datatype: int

Deprecation details

Ignored since 9.0. Ephemeral tasks were removed. If you are upgrading your cluster or using the current version, you must remove this setting from your kibana.yml file to avoid configuration errors.

xpack.alerting.defaultRuleTaskTimeout

Supported on:

The default timeout for rule tasks. Accepts a duration string such as 5m or 1h.

Datatype: string

Deprecation details

Removed in 8.2. Use xpack.alerting.rules.run.timeout instead.

xpack.eventLog.logEntries

Supported on:

Set to true to log event log document entries in the Kibana server log. Useful for debugging but can be verbose in production.

Datatype: bool

Default: false

Rule Registry settings

xpack.ruleRegistry.write.disabledRegistrationContexts

Supported on:

An array of observability rule registration contexts whose alert indices should not be written to. Allowed values are observability.logs, observability.metrics, observability.apm, and observability.uptime.

Datatype: array of strings

Default: []

APM

These settings allow the APM app to function, and specify the data that it surfaces. Unless you've customized your setup, you do not need to configure any settings to use the APM app. It is enabled by default.

General APM settings

If you'd like to change any of the default values, copy and paste the relevant settings into your kibana.yml configuration file. Changing these settings may disable features of the APM App.

xpack.apm.maxSuggestions

Supported on:

Maximum number of suggestions fetched in autocomplete selection boxes.

Datatype: int

Default: 100

xpack.apm.serviceMapFingerprintBucketSize

Supported on:

Maximum number of unique transaction combinations sampled for generating service map focused on a specific service.

Datatype: int

Default: 100

xpack.apm.serviceMapFingerprintGlobalBucketSize

Supported on:

Maximum number of unique transaction combinations sampled for generating the global service map.

Datatype: int

Default: 1000

xpack.apm.serviceMapEnabled

Supported on:

Set to false to disable service maps.

Datatype: bool

Default: true

xpack.apm.serviceMapTraceIdBucketSize

Supported on:

Maximum number of trace IDs sampled for generating service map focused on a specific service.

Datatype: int

Default: 65

xpack.apm.serviceMapTraceIdGlobalBucketSize

Supported on:

Maximum number of trace IDs sampled for generating the global service map.

Datatype: int

Default: 6

xpack.apm.serviceMapMaxTracesPerRequest

Supported on:

Maximum number of traces per request for generating the global service map.

Datatype: int

Default: 50

xpack.apm.ui.enabled

Supported on:

Set to false to hide the APM app from the main menu.

Datatype: bool

Default: true

xpack.apm.ui.maxTraceItems

Supported on:

Maximum number of child items displayed when viewing trace details.

Datatype: int

Default: 5000

xpack.observability.annotations.index

Supported on:

Index name where Observability annotations are stored.

Datatype: string

Default: observability-annotations

xpack.apm.metricsInterval

Supported on:

Sets a fixed_interval for date histograms in metrics aggregations.

Datatype: int

Default: 30

xpack.apm.agent.migrations.enabled

Supported on:

Set to true to enable cloud APM migrations.

Datatype: bool

Default: false

xpack.apm.indices.error

Supported on:

Matcher for all error indices.

Datatype: string

Default: logs-apm*,apm-*,logs-*.otel-*

xpack.apm.indices.onboarding

Supported on:

Matcher for all onboarding indices.

Datatype: string

Default: apm-*

xpack.apm.indices.span

Supported on:

Matcher for all span indices.

Datatype: string

Default: traces-apm*,apm-*,traces-*.otel-*

xpack.apm.indices.transaction

Supported on:

Matcher for all transaction indices.

Datatype: string

Default: traces-apm*,apm-*,traces-*.otel-*

xpack.apm.indices.metric

Supported on:

Matcher for all metrics indices.

Datatype: string

Default: metrics-apm*,apm-*,metrics-*.otel-*

xpack.apm.indices.sourcemap

Supported on:

Matcher for all source map indices.

Datatype: string

Default: apm-*

xpack.apm.autoCreateApmDataView

Supported on:

Set to false to disable the automatic creation of the APM data view when the APM app is opened.

Datatype: bool

Default: true

xpack.apm.searchAggregatedTransactions

Supported on:

Controls the search strategy used for transactions. When set to auto, Kibana uses aggregated transactions if available and falls back to individual transactions. Set to always to force the use of aggregated transactions, or never to always query individual transactions.

Datatype: enum

Default: auto

Options:

auto
always
never

Banners are disabled by default. You need to manually configure them in order to use the feature.

You can configure the xpack.banners settings in your kibana.yml file.

Note

Banners are a subscription feature.

xpack.banners.placement

Supported on:

Set to top to display a banner above the Elastic header.

Datatype: enum

Default: disabled

Options:

disabled
top

xpack.banners.textContent

Supported on:

The text to display inside the banner, either plain text or Markdown.

Datatype: string

xpack.banners.textColor

Supported on:

The color for the banner text.

Datatype: string

Default: #8A6A0A

xpack.banners.linkColor

Supported on:

The color for the banner link text.

Datatype: string

Default: #0B64DD

xpack.banners.backgroundColor

Supported on:

The color of the banner background.

Datatype: string

Default: #FFF9E8

xpack.banners.disableSpaceBanners

Supported on:

If true, per-space banner overrides will be disabled.

Datatype: bool

Default: false

Cases

You do not need to configure any additional settings to use cases in Kibana. To provide greater control over case features, you can configure the following settings in the kibana.yml file:

Cases settings

xpack.cases.files.allowedMimeTypes

Supported on:

The MIME types that you can attach to a case, represented in an array of strings. For example: ['image/tiff','text/csv','application/zip']. The default MIME types are specified in mime_types.ts.

Datatype: string

xpack.cases.files.maxSize

Supported on:

The size limit for files that you can attach to a case, represented as the number of bytes. By default, the limit is 10 MiB for images and 100 MiB for all other MIME types. If you specify a value for this setting, it affects all file types.

Datatype: int

xpack.cases.analytics.index.enabled

Supported on:

Set to true to enable the Cases analytics index, which stores case data in a dedicated index for analytics purposes.

Datatype: bool

Default: false

Fleet and integrations

By default, Fleet is enabled. To use Fleet, you also need to configure Kibana and Elasticsearch hosts.

Many Fleet settings can also be configured directly through the Fleet UI. See Fleet UI settings for details.

Go to the Fleet docs for more information about Fleet.

Note

In Elastic Cloud, Fleet flags are already configured.

General Fleet settings

xpack.fleet.agents.enabled

Supported on:

Set to true (default) to enable Fleet.

Datatype: bool

Default: true

xpack.fleet.createArtifactsBulkBatchSize

Supported on:

Allow to configure batch size for creating and updating Fleet user artifacts. Examples include creation of Trusted Applications and Endpoint Exceptions in Security.

Datatype: int

Preconfiguration settings (for advanced use cases)

Use these settings to pre-define integrations, agent policies, and Fleet Server hosts or proxies that you want Fleet to load up by default.

Note

These settings are not supported to pre-configure the Endpoint and Cloud Security integration.

xpack.fleet.enableExperimental

Supported on:

List of experimental feature flag to enable in Fleet.

Datatype: string

Deprecation details

From 9.3.0 onwards, use xpack.fleet.experimentalFeatures to explicitly enable or disable experimental features.

xpack.fleet.experimentalFeatures

Supported on:

Set experimental feature flags to true or false to enable or disable them, respectively.

Datatype: string

Note

Experimental features should not be enabled in production environments. The features in this section are experimental and may be changed or removed completely in future releases. Elastic will make a best effort to fix any issues, but experimental features are not supported to the same level as generally available (GA) features.

		xpack.fleet.experimentalFeatures:
  useSpaceAwareness: false
  enableAgentPrivilegeLevelChange: true
		
	

xpack.fleet.enableManagedLogsAndMetricsDataviews

Supported on:

Set to true (default), to enable the automatic creation of global logs-* and metrics-* data views.

Datatype: bool

Default: true

xpack.fleet.autoUpgrades.taskInterval

Supported on:

Configure the interval of the automatic upgrade task for Fleet-managed Elastic Agents.

Datatype: string

Default: 30m

xpack.fleet.autoUpgrades.retryDelays

Supported on:

Configure the retry delays of the automatic upgrade task for Fleet-managed Elastic Agents. The array's length indicates the maximum number of retries.

Datatype: string

Default: ['30m', '1h', '2h', '4h', '8h', '16h', '24h']

xpack.fleet.versionSpecificPolicyAssignment.taskInterval

Supported on:

Configure the interval at which Fleet reassigns agents to the matching version-specific agent policy.

Datatype: string

Default: 1m

xpack.fleet.integrationRollbackTTL

Supported on:

Configure the time-to-live (TTL) for integration rollback availability. This setting controls how long the rollback option remains available after an integration is upgraded. The value must be specified in a duration format (for example, 7d, 14d, 168h, or 1w). For more information, refer to Roll back an integration.

Datatype: string

Default: 7d

xpack.fleet.fleetPolicyRevisionsCleanup.max_revisions

Supported on:

The maximum number of revisions to maintain for a Fleet agent policy.

Datatype: int

Default: 10

xpack.fleet.fleetPolicyRevisionsCleanup.interval

Supported on:

The time interval for performing cleanups of Fleet agent policy revisions. The value must be specified in a duration format (for example, 30m, 1h, 1d).

Datatype: string

Default: 1h

xpack.fleet.fleetPolicyRevisionsCleanup.max_policies_per_run

Supported on:

The maximum number of Fleet agent policies to clean up revisions from per interval.

Datatype: int

Default: 100

Configure the following Automatic Import settings in the kibana.yml file. Automatic Import helps you create new Elastic integrations using AI.

Automatic Import settings

xpack.automatic_import.enabled

Supported on:

Set to false to disable the Automatic Import feature. Previously known as xpack.integration_assistant.enabled.

Datatype: bool

Default: true

Internationalization

You do not need to configure any settings to run Kibana in English.

General settings

i18n.defaultLocale

The locale used for server-rendered strings and as the default for users who haven't picked a preferred language. Must be one of the values listed in i18n.locales when that setting is non-empty.

Datatype: string

Default: 'en'

i18n.locales

The list of locales that Kibana offers in the per-user language picker. Locales not in this list are not available to users, even if translation files for them are installed. Set to [] to disable the language picker entirely.

Datatype: list

Default: ["en", "fr-FR", "ja-JP", "zh-CN", "de-DE"]

i18n.allowLocaleCookie

When true (the default), Kibana writes a KBN_LOCALE cookie on every rendered response so the browser remembers the resolved locale across page loads, anonymous pages, and post-logout browsing. Set to false to disable the cookie.

Datatype: boolean

Default: true

i18n.locale

Set the Kibana interface language.

Datatype: enum

Default: en

Options:

en - English
zh-CN - Chinese
ja-JP - Japanese
fr-FR - French
de-DE - German

Deprecation details

Replaced by i18n.defaultLocale. Kibana continues to honor i18n.locale if set, logging a deprecation warning at startup.

Logging

You do not need to configure any additional settings to use the logging features in Kibana. Logging is enabled by default and will log at info level using the pattern layout, which outputs logs to stdout.

However, if you are planning to ingest your logs using Elasticsearch or another tool, we recommend using the json layout, which produces logs in ECS format. In general, pattern layout is recommended when raw logs will be read by a human, and json layout when logs will be read by a machine.

Note

The logging configuration is validated against the predefined schema and if there are any issues with it, Kibana will fail to start with the detailed error message.

Kibana relies on three high-level entities to set the logging service: appenders, loggers, and root. These can be configured in the logging namespace in kibana.yml.

Appenders define where log messages are displayed (stdout or console) and their layout (pattern or json). They also allow you to specify if you want the logs stored and, if so, where (file on the disk), or shipped to an OpenTelemetry (OTLP) endpoint.
Loggers define what logging settings, such as the level of verbosity and the appenders, to apply to a particular context. Each log entry context provides information about the service or plugin that emits it and any of its sub-parts, for example, metrics.ops or elasticsearch.query.
Root is a logger that applies to all the log entries in Kibana.

For details on audit logging settings, refer to the Kibana security settings.

Logging settings

The following list serves as a quick reference for different logging configuration keys. Note that these are not stand-alone settings and may require additional logging configuration. See the Configure Logging in Kibana guide and complete examples for common configuration use cases.

logging.root.level

Supported on:

Specify default verbosity for all log messages to fall back to if not specifically configured at the individual logger level. The all and off levels can be used only in configuration and are just handy shortcuts that allow you to log every log record or disable logging entirely or for a specific logger.

Datatype: enum

Default: info

Options:

all
fatal
error
warn
info
debug
trace
off

Maps

General map settings

map.regionmap

Supported on:

Specifies additional vector layers for use in Region Map visualizations. Each layer object points to an external vector file that contains a geojson FeatureCollection. The file must use the WGS84 coordinate reference system and only include polygons. If the file is hosted on a separate domain from Kibana, the server needs to be CORS-enabled so Kibana can download the file.

Datatype: string

The following example shows a valid regionmap configuration.

		map.regionmap:
  includeElasticMapsService: false
  layers:
    - name: "Departments of France"
      url: "<MY_CORS_ENABLED_SERVER_URL>/france_departements.geojson"
      attribution: "INRAP"
      fields:
        - name: "department"
          description: "Full department name"
        - name: "INSEE"
          description: "INSEE numeric identifier"
		
	

map.regionmap.includeElasticMapsService

Supported on:

Turns on or off whether layers from the Elastic Maps Service should be included in the vector layer option list. Supported on Elastic Cloud Enterprise. By turning this off, only the layers that are configured here will be included.

Datatype: bool

Default: true

map.regionmap.layers[].attribution

Supported on:

Optional. References the originating source of the geojson file.

Datatype: string

map.regionmap.layers[].fields[]

Supported on:

Mandatory. Each layer can contain multiple fields to indicate what properties from the geojson features you wish to expose. The previous example shows how to define multiple properties.

Datatype: string

map.regionmap.layers[].fields[].description

Supported on:

Mandatory. The human readable text that is shown under the Options tab when building the Region Map visualization.

Datatype: string

map.regionmap.layers[].fields[].name

Supported on:

Mandatory. This value is used to do an inner-join between the document stored in Elasticsearch and the geojson file. For example, if the field in the geojson is called Location and has city names, there must be a field in Elasticsearch that holds the same values that Kibana can then use to lookup for the geoshape data.

Datatype: string

map.regionmap.layers[].name

Supported on:

Mandatory. A description of the map being provided.

Datatype: string

map.regionmap.layers[].url

Supported on:

Mandatory. The location of the geojson file as provided by a webserver.

Datatype: string

map.tilemap.options.attribution

Supported on:

Sets the map attribution string. Attribution must be a list of links, delimited by \|. For example: "[attribution 1](https://www.attribution1)\|[attribution 2](https://www.attribution2)"

Datatype: string

map.tilemap.options.maxZoom

Supported on:

Sets the maximum zoom level.

Datatype: int

Default: 10

map.tilemap.options.minZoom

Supported on:

Sets the minimum zoom level.

Datatype: int

Default: 0

map.tilemap.options.subdomains

Supported on:

Provides an array of subdomains used by the tile service. Specify the position of the subdomain the URL with the token {s}.

Datatype: string

map.tilemap.url

Supported on:

Sets the URL to the tileservice that Kibana uses to display map tiles in tilemap visualizations.

Datatype: string

Monitoring

By default, Stack Monitoring is enabled, but data collection is disabled. When you first start Kibana monitoring, you are prompted to enable data collection. If you are using Elastic Stack security features, you must be signed in as a user with the cluster:manage privilege to enable data collection. The built-in superuser role has this privilege and the built-in elastic user has this role.

You can adjust how monitoring data is collected from Kibana and displayed in Kibana by configuring settings in the kibana.yml file. There are also monitoring.ui.elasticsearch.* settings, which support the same values as Kibana configuration settings.

To control how data is collected from your Elasticsearch nodes, you configure xpack.monitoring.collection settings in elasticsearch.yml. To control how monitoring data is collected from Logstash, configure monitoring settings in logstash.yml.

For more information, check out Monitor a cluster.

General monitoring settings

monitoring.cluster_alerts.email_notifications.email_address

Supported on:

When enabled, specifies the email address where you want to receive cluster alert notifications.

Datatype: string

Deprecation details

Deprecated in 7.11.

Monitoring collection settings

These settings control how data is collected from Kibana.

monitoring.kibana.collection.interval

Supported on:

Specifies the number of milliseconds to wait in between data sampling on the Kibana NodeJS server for the metrics that are displayed in the Kibana dashboards. Defaults to 10000 (10 seconds).

Datatype: int

Default: 10000

Monitoring UI settings

These settings adjust how Stack Monitoring displays monitoring data. However, the defaults work best in most circumstances. For more information about configuring Kibana, see Setting Kibana server properties.

monitoring.ui.min_interval_seconds

Supported on:

Specifies the minimum number of seconds that a time bucket in a chart can represent. Defaults to 10. If you modify the monitoring.ui.collection.interval in elasticsearch.yml, use the same value in this setting.

Datatype: int

Default: 10

Monitoring UI container settings

Stack Monitoring exposes the Cgroup statistics that we collect for you to make better decisions about your container performance, rather than guessing based on the overall machine performance. If you are not running your applications in a container, then Cgroup statistics are not useful.

monitoring.ui.container.elasticsearch.enabled

Supported on:

For Elasticsearch clusters that are running in containers, this setting changes the Node Listing to display the CPU utilization based on the reported Cgroup statistics. It also adds the calculated Cgroup CPU utilization to the Node Overview page instead of the overall operating system's CPU utilization. Defaults to false.

Datatype: bool

Default: false

Product feedback

Configure the product intercept settings in your kibana.yml configuration file. A product intercept is a prompt for feedback about the Elastic product that appears periodically in the Kibana UI.

Product intercept settings

xpack.product_intercept.enabled

Supported on:

Enable or disable Elastic product feedback prompts.

Datatype: bool

Default: true

xpack.product_intercept.interval

Supported on:

The time that elapses between Elastic product feedback prompts. Accepts a duration string with a number and a unit (d, h, m, s). For example, 20m, 24h, 7d.

Datatype: string

Default: 90d

Reporting

Enable reporting

xpack.reporting.enabled

Supported on:

When true, enables the reporting features. Set this to false to disable reporting features entirely. The default is true.

Datatype: bool

Default: true

Note

Disabling the reporting features is discouraged. If you need to turn off the ability to generate reports, configure the roles and spaces in the Kibana application privileges.

If needed, you can also prevent a Kibana instance from claiming reporting work by setting xpack.reporting.queue.pollEnabled: false.

xpack.reporting.roles.enabled

Supported on:

When true, enables a deprecated role-based access model for reporting where access is controlled by the reporting_user role. Set to false to use the application privilege-based access model instead.

Datatype: bool

Deprecation details

Removed in 9.0. Reporting access is now controlled exclusively through Kibana application privileges.

By default, an encryption key is generated for the reporting features each time you start Kibana. If a static encryption key is not persisted in the Kibana configuration, any pending reports fail when you restart Kibana.

If you are load balancing across multiple Kibana instances, each instance needs to have the same reporting encryption key. Otherwise, report generation fails if a report is queued through one instance, and another instance picks up the job from the report queue. The instance that picks up the job is unable to decrypt the reporting job metadata.

Encryption key setting

xpack.reporting.encryptionKey

Supported on:

The static encryption key for reporting. Use an alphanumeric text string that is at least 32 characters. By default, Kibana generates a random key when it starts, which causes pending reports to fail after restart. Configure xpack.reporting.encryptionKey to preserve the same key across multiple restarts and multiple Kibana instances.

Datatype: string

xpack.reporting.encryptionKey: "something_secret"

CSV settings

Note

We recommend using CSV reports to export moderate amounts of data only. The feature enables analysis of data in external tools, but it is not intended for bulk export or to backup Elasticsearch data. Report timeout and incomplete data issues are likely if you are exporting data where:

More than 250 MB of data is being exported
Data is stored on slow storage tiers
Any shard needed for the search is unavailable
Network latency between nodes is high
Cross-cluster search is used
ES|QL is used and result row count exceeds the limits of ES|QL queries

To work around the limitations, use filters to create multiple smaller reports, or extract the data you need directly with the Elasticsearch APIs.

For more information on using Elasticsearch APIs directly, see Scroll API, Point in time API, ES|QL or SQL with CSV response data format. We recommend that you use an official Elastic language client: details for each programming language library that Elastic provides are in the Elasticsearch Client documentation.

Reporting parameters can be adjusted to overcome some of these limiting scenarios. Results are dependent on data size, availability, and latency factors and are not guaranteed.

xpack.reporting.csv.maxConcurrentShardRequests

Supported on:

Sets the maximum number of concurrent shard requests that each sub-search request executes per node during Kibana CSV export. Defaults to 5.

Datatype: int

Default: 5

xpack.reporting.csv.maxSizeBytes

Supported on:

The maximum byte size of a CSV file before being truncated. This setting exists to prevent large exports from causing performance and storage issues. Can be specified as a number of bytes. Defaults to 250mb.

Datatype: string

Default: 250mb

xpack.reporting.csv.scroll.size

Supported on:

Number of documents retrieved from Elasticsearch for each scroll iteration during a CSV export. The maximum value is 10000. Defaults to 500.

Datatype: int

Default: 500

Note

You may need to lower this setting if the default number of documents creates a strain on network resources.

xpack.reporting.csv.scroll.duration

Supported on:

Amount of time allowed before Kibana cleans the scroll context during a CSV export. Valid option is either auto or time. Defaults to 120s.

Datatype: string

Default: 120s

Note

The default value was increased from 30s to 120s in version 9.0.

If search latency in Elasticsearch is sufficiently high, such as if you are using cross-cluster search, you may either need to increase the time setting or set this config value to auto. When the config value is set to auto the scroll context will be preserved for as long as possible, before the report task is terminated due to the limits of xpack.reporting.queue.timeout.

xpack.reporting.csv.scroll.strategy

Supported on:

Choose the API method used to page through data during CSV export. Valid options are scroll and pit. Defaults to pit.

Datatype: enum

Default: pit

Options:

scroll
pit

Note

Each method has its own unique limitations which are important to understand.

Scroll API: Search is limited to 500 shards at the very most. In cases where data shards are unavailable or time out, the export may return partial data.
PIT API: Permissions to read data aliases alone will not work: the permissions are needed on the underlying indices or datastreams. In cases where data shards are unavailable or time out, the export will be empty rather than returning partial data.

xpack.reporting.csv.checkForFormulas

Supported on:

Enables a check that warns you when there's a potential formula included in the output (=, -, +, and @ chars). See OWASP: https://www.owasp.org/index.php/CSV_Injection. Defaults to true.

Datatype: bool

Default: true

xpack.reporting.csv.escapeFormulaValues

Supported on:

Escape formula values in cells with a '. See OWASP: https://www.owasp.org/index.php/CSV_Injection. Defaults to false.

Datatype: bool

Default: false

xpack.reporting.csv.useByteOrderMarkEncoding

Supported on:

Adds a byte order mark (\ufeff) at the beginning of the CSV file. Defaults to false.

Datatype: bool

Default: false

xpack.reporting.csv.maxRows

Supported on:

The maximum number of rows in a CSV report. Reports longer than the maximum limit will be truncated. The default is 10,000. The minimum is 1.

Datatype: int

Default: 10000

Note

We recommend using PNG/PDF reports to export moderate amounts of data only. The feature enables a high-level export capability, but it's not intended for bulk export. If you need to export several pages of image data, consider using multiple report jobs to export a small number of pages at a time. If the screenshot of exported dashboard contains a large number of pixels, consider splitting the large dashboard into smaller artifacts to use less memory and CPU resources.

For the most reliable configuration of PDF/PNG reporting features, consider installing Kibana using Docker or using Elastic Cloud.

PNG/PDF capture settings

To generate PDF and PNG files, Reporting uses an internal "screenshotting" plugin which manages a headless browser that captures screenshots from Kibana.

The following settings control the capturing process.

Note

If any timeouts from xpack.screenshotting.capture.timeouts.* settings occur when running a report job, Reporting will log the error and try to continue capturing the page with a screenshot. As a result, a download will be available, but there will likely be errors in the visualizations in the report.

xpack.screenshotting.capture.timeouts.openUrl

Supported on:

Specify the time to allow the Reporting browser to wait for the "Loading…" screen to dismiss and find the initial data for the page. If the time is exceeded, a screenshot is captured showing the current page, and the download link shows a warning message. Can be specified as number of milliseconds. Defaults to 1m.

Datatype: string

Default: 1m

xpack.screenshotting.capture.timeouts.waitForElements

Supported on:

Specify the time to allow the Reporting browser to wait for all visualization panels to load on the page. If the time is exceeded, a screenshot is captured showing the current page, and the download link shows a warning message. Can be specified as number of milliseconds. Defaults to 1m.

Datatype: string

Default: 1m

xpack.screenshotting.capture.timeouts.renderComplete

Supported on:

Specify the time to allow the Reporting browser to wait for all visualizations to fetch and render the data. If the time is exceeded, a screenshot is captured showing the current page, and the download link shows a warning message. Can be specified as number of milliseconds. Defaults to 2m.

Datatype: string

Default: 2m

Reporting generates reports on the Kibana server as background tasks, and jobs are coordinated using documents in Elasticsearch. Depending on how often you generate reports and the overall number of reports, you might need to change the following settings.

Background job settings

xpack.reporting.capture.maxAttempts

Supported on:

If capturing a report fails for any reason, Kibana will re-queue the report job for retry, as many times as this setting.

Datatype: int

Default: 3

xpack.reporting.queue.timeout

Supported on:

How long each worker has to produce a report. If your machine is slow or under heavy load, you might need to increase this timeout. If a Reporting job execution goes over this time limit, the job is marked as a failure and no download will be available. Can be specified as a number of milliseconds.

Datatype: string

Default: 4m

Search sessions

Background search settings

data.search.sessions.enabled

Supported on:

false by default. Set to true to enable background searches.

Datatype: bool

Default: false

data.search.sessions.maxUpdateRetries

Supported on:

How many retries Kibana can perform while attempting to send a search to the background. The default is 10.

Datatype: int

Default: 10

data.search.sessions.defaultExpiration

Supported on:

How long background search results are stored before they expire and are deleted. When users extend the validity period of the background search, this setting also determines by how long. The default is 7d.

Datatype: string

Default: 7d

Search sessions settings (deprecated)

data.search.sessions.enabled

Supported on:

Set to true to enable search sessions.

Datatype: bool

Default: false

Deprecation details

Deprecated in 8.15.0. Replaced by the background search feature in 9.2.

data.search.sessions.notTouchedTimeout

Supported on:

How long Kibana stores search results from unsaved sessions, after the last search in the session completes. The default is 5m.

Datatype: string

Default: 5m

Deprecation details

Deprecated in 8.15.0. This setting was part of the search sessions feature, which has been replaced by background search in 9.2.

data.search.sessions.maxUpdateRetries

Supported on:

How many retries Kibana can perform while attempting to save a search session. The default is 10.

Datatype: int

Default: 10

Deprecation details

Deprecated in 8.15.0. Replaced by the background search feature in 9.2.

data.search.sessions.defaultExpiration

Supported on:

How long search session results are stored before they are deleted. Extending a search session resets the expiration by the same value. The default is 7d.

Datatype: string

Default: 7d

Deprecation details

Deprecated in 8.15.0. Replaced by the background search feature in 9.2.

Security and authentication

You do not need to configure any additional settings to use the security features in Kibana. They are enabled by default.

Valid settings for all authentication providers

The valid settings in the xpack.security.authc.providers namespace vary depending on the authentication provider type. For more information, refer to Authentication.

xpack.security.authc.providers.<provider-type>.<provider-name>.enabled

Supported on:

Determines if the authentication provider should be enabled. By default, Kibana enables the provider as soon as you configure any of its properties.

Datatype: bool

xpack.security.authc.providers.<provider-type>.<provider-name>.order

Supported on:

Order of the provider in the authentication chain and on the Login Selector UI.

Datatype: int

xpack.security.authc.providers.<provider-type>.<provider-name>.description

Supported on:

Custom description of the provider entry displayed on the Login Selector UI.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.hint

Supported on:

Custom hint for the provider entry displayed on the Login Selector UI.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.icon

Supported on:

Custom icon for the provider entry displayed on the Login Selector UI.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.origin

Supported on:

Specifies the origin(s) where the provider will appear to users in the Login Selector UI. Each origin must be a valid URI only containing an origin. By default, providers are not restricted to specific origins.

Datatype: string

For example:

		xpack.security.authc:
  providers:
    basic.basic1:
      origin: [http://localhost:5601, http://127.0.0.1:5601]
      ...

    saml.saml1:
      origin: https://elastic.co
      ...
		
	

xpack.security.authc.providers.<provider-type>.<provider-name>.showInSelector

Supported on:

Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to false doesn't remove the provider from the authentication chain.

Datatype: bool

Note

You are unable to set this setting to false for basic and token authentication providers.

xpack.security.authc.providers.<provider-type>.<provider-name>.accessAgreement.message

Supported on:

Access agreement text in Markdown format. For more information, refer to Access agreement.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.session.idleTimeout

Supported on:

Ensures that user sessions will expire after a period of inactivity. Setting this to 0 will prevent sessions from expiring because of inactivity. By default, this setting is equal to xpack.security.session.idleTimeout.

Datatype: string

Note

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.authc.providers.<provider-type>.<provider-name>.session.lifespan

Supported on:

Datatype: string

Note

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

SAML authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

xpack.security.authc.providers.saml.<provider-name>.realm

Supported on:

SAML realm in Elasticsearch that provider should use.

Datatype: string

xpack.security.authc.providers.saml.<provider-name>.maxRedirectURLSize

Supported on:

Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.

Datatype: string

xpack.security.authc.providers.saml.<provider-name>.useRelayStateDeepLink

Supported on:

Determines if the provider should treat the RelayState parameter as a deep link in Kibana during Identity Provider initiated log in. By default, this setting is set to false. The link specified in RelayState should be a relative, URL-encoded Kibana URL. For example, the /app/dashboards#/list link in RelayState parameter would look like this: RelayState=%2Fapp%2Fdashboards%23%2Flist.

Datatype: bool

Default: false

xpack.security.authc.saml.maxRedirectURLSize

Supported on:

Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.

Datatype: string

Discontinued SAML settings

xpack.security.authProviders

Supported on:

Set to saml to instruct Kibana to use SAML SSO as the authentication method.

Datatype: string

xpack.security.public.protocol

Supported on:

Set to HTTP or HTTPS. To access Kibana, HTTPS protocol is recommended.

Datatype: enum

Options:

http
https

xpack.security.public.hostname

Supported on:

Set to a fully qualified hostname to connect your users to the proxy server.

Datatype: string

xpack.security.public.port

Supported on:

The port number that connects your users to the proxy server (for example, 80 for HTTP or 443 for HTTPS).

Datatype: int

xpack.security.authc.saml.useRelayStateDeepLink

Supported on:

Specifies if Kibana should treat the RelayState parameter as a deep link when Identity Provider Initiated login flow is used.

Datatype: bool

server.xsrf.whitelist

Supported on:

Explicitly allows the SAML authentication URL within Kibana, so that the Kibana server doesn't reject external authentication messages that originate from your Identity Provider. This setting is renamed to server.xsrf.allowlist in version 8.0.0.

Datatype: string

OpenID Connect authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

xpack.security.authc.providers.oidc.<provider-name>.realm

Supported on:

OpenID Connect realm in Elasticsearch that the provider should use.

Datatype: string

Anonymous authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

For more information, refer to Anonymous authentication.

Note

You can configure only one anonymous provider per Kibana instance.

xpack.security.authc.providers.anonymous.<provider-name>.credentials

Supported on:

Credentials that Kibana should use internally to authenticate anonymous requests to Elasticsearch.

Datatype: string

For example:

		xpack.security.authc.providers.anonymous.anonymous1:
  credentials:
    username: "anonymous_service_account"
    password: "anonymous_service_account_password"
		
	

xpack.security.loginAssistanceMessage

Supported on:

Adds a message to the login UI. Useful for displaying information about maintenance windows, links to corporate sign up pages, and so on.

Datatype: string

xpack.security.loginHelp

Supported on:

Adds a message accessible at the login UI with additional help information for the login process.

Datatype: string

xpack.security.authc.selector.enabled

Supported on:

Determines if the login selector UI should be enabled. By default, this setting is set to true if more than one authentication provider is configured.

Datatype: bool

Configure a default access agreement

xpack.security.accessAgreement.message

Supported on:

This setting specifies the access agreement text in Markdown format that will be used as the default access agreement for all providers that do not specify a value for xpack.security.authc.providers.<provider-type>.<provider-name>.accessAgreement.message. For more information, refer to Access agreement.

Datatype: string

xpack.security.sameSiteCookies

Supported on:

Sets the SameSite attribute of the session cookie. This allows you to declare whether your cookie should be restricted to a first-party or same-site context. Valid values are Strict, Lax, None. This is not set by default, which modern browsers will treat as Lax. If you use Kibana embedded in an iframe in modern browsers, you might need to set it to None. Setting this value to None requires cookies to be sent over a secure connection by setting xpack.security.secureCookies: true.

Datatype: enum

Options:

Strict
Lax
None

xpack.security.session.idleTimeout

Supported on:

Ensures that user sessions will expire after a period of inactivity. This and xpack.security.session.lifespan are both highly recommended. You can also specify this setting for every provider separately. If this is set to 0, then sessions will never expire due to inactivity. By default, this value is 3 days.

Datatype: string

Default: 3d

Note

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.lifespan

Supported on:

Ensures that user sessions will expire after the defined time period. This behavior is also known as an "absolute timeout". If this is set to 0, user sessions could stay active indefinitely. This and xpack.security.session.idleTimeout are both highly recommended. You can also specify this setting for every provider separately. By default, this value is 30 days for on-prem installations, and 24 hours for Elastic Cloud installations.

Datatype: string

Default: 30d (on-prem), 24h (Elastic Cloud)

Tip

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.cleanupInterval

Supported on:

Sets the interval at which Kibana tries to remove expired and invalid sessions from the session index. By default, this value is 1 hour. The minimum value is 10 seconds.

Datatype: string

Default: 1h

Tip

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.concurrentSessions.maxSessions

Supported on:

Set the maximum number of sessions each user is allowed to have active at any given time. By default, no limit is applied. If set, the value of this option should be an integer between 1 and 1000. When the limit is exceeded, the oldest session is automatically invalidated.

Datatype: int

Audit logging settings

You can enable audit logging to support compliance, accountability, and security. When enabled, Kibana will capture:

Who performed an action
What action was performed
When the action occurred

For more details and a reference of audit events, refer to Audit logs.

xpack.security.audit.enabled

Supported on:

Set to true to enable audit logging. Default: false

Datatype: bool

Default: false

For example:

		xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: ./logs/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10
  layout:
    type: json
		
	

This appender is the default and will be used if no appender.* config options are specified.
Rotates log files every 24 hours.
Keeps maximum of 10 log files before deleting older ones.

xpack.security.audit.appender.type

Supported on:

Required. Specifies where audit logs should be written to. Allowed values are console, file, or rolling-file.

Refer to file appender and rolling file appender for appender specific settings.

Datatype: enum

Options:

console
file
rolling-file

Ignore filters

xpack.security.audit.ignore_filters[]

Supported on:

List of filters that determine which events should be excluded from the audit log. An event will get filtered out if at least one of the provided filters matches.

Datatype: string

For example:

		xpack.security.audit.ignore_filters:
- actions: [http_request]
- categories: [database]
  types: [creation, change, deletion]
- spaces: [default]
- users: [elastic, kibana_system]
		
	

Filters out HTTP request events
Filters out any data write events
Filters out events from the default space
Filters out events from the elastic and kibana_system users

xpack.security.audit.ignore_filters[].actions[]

Supported on:

List of values matched against the event.action field of an audit event. Refer to Audit logs for a list of available events.

Datatype: string

xpack.security.audit.ignore_filters[].categories[]

Supported on:

List of values matched against the event.category field of an audit event. Refer to ECS categorization field for allowed values.

Datatype: string

xpack.security.audit.ignore_filters[].outcomes[]

Supported on:

List of values matched against the event.outcome field of an audit event. Refer to ECS outcome field for allowed values.

Datatype: string

xpack.security.audit.ignore_filters[].spaces[]

Supported on:

List of values matched against the kibana.space_id field of an audit event. This represents the space id in which the event took place.

Datatype: string

xpack.security.audit.ignore_filters[].types[]

Supported on:

List of values matched against the event.type field of an audit event. Refer to ECS type field for allowed values.

Datatype: string

xpack.security.audit.ignore_filters[].users[]

Supported on:

List of values matched against the user.name field of an audit event. This represents the username associated with the audit event.

Datatype: string

Security Solution

Configure the following Security Solution settings in the kibana.yml file:

Cloud Security Posture settings

xpack.cloudSecurityPosture.enabled

Supported on:

Set to false to disable the Kibana UI for Elastic's Cloud Security Posture solution, which provides compliance checks on Cloud and Kubernetes environments.

Datatype: bool

Default: true

Value lists settings

xpack.lists.maxImportPayloadBytes

Supported on:

Sets the maximum number of bytes allowed for uploading Security Solution value lists. For every 10 MB, it is recommended to have an additional 1 GB of RAM reserved for Kibana.

Datatype: int

Default: 9000000

xpack.lists.importBufferSize

Supported on:

Sets the buffer size used for uploading Security Solution value lists. Increase the value to improve upload throughput at the expense of higher Kibana memory usage; decrease it to reduce memory usage at the cost of throughput.

Datatype: int

Default: 1000

Configure sharing settings in your kibana.yml configuration file. These settings allow you to customize the behavior of URL sharing in Kibana.

URL expiration settings

URL expiration settings control the behavior of the unused URLs cleanup background task, which runs using the Task Manager plugin. This task allows you to periodically clean up saved objects of type url that have not been accessed in the specified period of time, controlled by the share.url_expiration.duration configuration option. Each saved object is a representation of a URL generated through the sharing functionality. Those settings are disabled by default. You must manually configure them in order to use this feature.

share.url_expiration.enabled

Supported on:

If true the URL expiration feature is enabled.

Datatype: bool

Default: false

share.url_expiration.duration

Supported on:

Controls the expiration threshold. Saved object that have not been accessed in the specified period of time will get deleted.

Datatype: string

Default: 1y

share.url_expiration.check_interval

Supported on:

Controls how often the task runs.

Datatype: string

Default: 7d

share.url_expiration.url_limit

Supported on:

Controls how many saved objects should be retrieved and scheduled for deletion per one run of the task.

Datatype: int

Default: 10000

Task Manager

Task Manager runs background tasks by polling for work on an interval. You can configure its behavior to tune for performance and throughput.

Task Manager settings

xpack.task_manager.poll_interval

Supported on:

How often, in milliseconds, the task manager will look for more work. Cannot be lower than 100.

Datatype: int

Default: 500

xpack.task_manager.max_workers

Supported on:

The maximum number of tasks that this Kibana instance will run simultaneously. The maximum value is 100.

Datatype: int

Default: 10

Deprecation details

This setting was deprecated in 8.16.0.

xpack.task_manager.monitored_stats_health_verbose_log.enabled

Supported on:

This flag will enable automatic warn and error logging if task manager self detects a performance issue, such as the time between when a task is scheduled to execute and when it actually executes.

Datatype: bool

Default: false

xpack.task_manager.monitored_stats_health_verbose_log.warn_delayed_task_start_in_seconds

Supported on:

The amount of seconds we allow a task to delay before printing a warning server log.

Datatype: int

Default: 60

xpack.task_manager.monitored_stats_health_verbose_log.level

Supported on:

The log level used when verbose health logging is enabled. Set to debug for detailed output or info for higher-level summaries.

Datatype: enum

Default: debug

Options:

debug
info

xpack.task_manager.event_loop_delay.monitor

Supported on:

Enables event loop delay monitoring, which will log a warning when a task causes an event loop delay which exceeds the warn_threshold setting.

Datatype: bool

Default: true

xpack.task_manager.event_loop_delay.warn_threshold

Supported on:

Sets the amount of event loop delay during a task execution which will cause a warning to be logged.

Datatype: int

Default: 5000

xpack.task_manager.version_conflict_threshold

Supported on:

The percentage threshold of workers experiencing version conflicts above which Task Manager shifts its polling interval to avoid overloading Elasticsearch. Accepts values between 50 and 100.

Datatype: int

Default: 80

xpack.task_manager.capacity

Supported on:

Controls the number of tasks that can be run at one time. The minimum value is 5 and the maximum is 50.

Datatype: int

Default: 10

Task Manager health settings

Settings that configure the Health monitoring endpoint.

xpack.task_manager.ephemeral_tasks.enabled

Supported on:

Set to true to enable ephemeral tasks, which ran actions inline without persisting them to Elasticsearch.

Datatype: bool

Default: false

Deprecation details

Ephemeral tasks were deprecated in 8.8 and removed in 9.0. This setting has no effect on Kibana 9.0 and later.

xpack.task_manager.ephemeral_tasks.request_capacity

Supported on:

The maximum number of ephemeral task requests that can be queued.

Datatype: int

Default: 10

Deprecation details

Ephemeral tasks were deprecated in 8.8 and removed in 9.0. This setting has no effect on Kibana 9.0 and later.

xpack.task_manager.monitored_task_execution_thresholds

Supported on:

Configures the threshold of failed task executions at which point the warn or error health status is set under each task type execution status (under stats.runtime.value.execution.result_frequency_percent_as_number[${task type}].status).

This setting allows configuration of both the default level and a custom task type specific level. By default, this setting is configured to mark the health of every task type as warning when it exceeds 80% failed executions, and as error at 90%.

Custom configurations allow you to reduce this threshold to catch failures sooner for task types that you might consider critical, such as alerting tasks.

This value can be set to any number between 0 to 100, and a threshold is hit when the value exceeds this number. This means that you can avoid setting the status to error by setting the threshold at 100, or hit error the moment any task fails by setting the threshold to 0 (as it will exceed 0 once a single failure occurs).

Datatype: int

Universal Profiling

Configure the following Universal Profiling settings in the kibana.yml file. Universal Profiling is only available on Elastic Cloud Hosted.

Universal Profiling settings

xpack.profiling.enabled

Supported on:

Set to true to enable Universal Profiling, which provides always-on, fleet-wide continuous profiling. Available on Elastic Cloud Hosted only.

Datatype: bool

Default: false

Elastic Cloud Kibana settings

General settings

Content Security Policy (CSP) settings

Elasticsearch connection settings

Logging settings

Map settings

Migrations settings

Search and autocomplete settings

Server settings

Server compression settings

Server security response headers

Server XSRF settings

UI and visualization settings

Feature and plugin settings

Action settings

Preconfigured connector settings

Alerting settings

Rule Registry settings

General APM settings

All settings

Cases settings

General Fleet settings

Preconfiguration settings (for advanced use cases)

Automatic Import settings

General settings

Logging settings

General map settings

General monitoring settings

Monitoring collection settings

Monitoring UI settings

Monitoring UI container settings

Product intercept settings

Enable reporting

Encryption key setting

CSV settings

PNG/PDF capture settings

Background job settings

Background search settings

Search sessions settings (deprecated)

Valid settings for all authentication providers

SAML authentication provider settings

Discontinued SAML settings

OpenID Connect authentication provider settings

Anonymous authentication provider settings

Login user interface settings

Configure a default access agreement

Session and cookie security settings

Audit logging settings

Ignore filters

Cloud Security Posture settings

Value lists settings

URL expiration settings

Task Manager settings

Task Manager health settings

Universal Profiling settings