---
title: Elastic Cloud Kibana settings
description: The following Kibana settings can be configured using the Edit user settings option when editing your Elastic Cloud Hosted deployment configuration. Settings...
url: https://www.elastic.co/elastic/docs-builder/docs/3522/reference/kibana/cloud/elastic-cloud-kibana-settings
products:
- Elastic Cloud Hosted
- Kibana
applies_to:
- Elastic Cloud Hosted: Generally available
---
# Elastic Cloud Kibana settings
## Supported Kibana settings
The following Kibana settings can be configured using the **Edit user settings** option when editing your Elastic Cloud Hosted deployment configuration. Settings not listed on this page are not supported on Elastic Cloud Hosted.
## General
Use these settings to configure general features available in Kibana.
### General settings
Self-managed Elastic deployments: Generally available
Toggling this causes the server to regenerate assets on the next startup, which may cause a delay before pages start being served. Set to `false` to disable Console.
Datatype: `bool`
Default: `true`
Elastic Stack: Generally available since 8.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Propagate request-specific metadata to Elasticsearch server by way of the `x-opaque-id` header.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Controls whether to enable the newsfeed system for the Kibana UI notification center. Set to `false` to disable the newsfeed system.
Datatype: `bool`
Default: `true`
Elastic Stack: Preview
Self-managed Elastic deployments: Generally available
Indicates which roles to configure the Kibana process with, which will effectively run Kibana in different modes. Valid options are `background_tasks` and `ui`, or `*` to select all roles.
Datatype: `string`
Default: `*`
Self-managed Elastic deployments: Generally available
Choose the default email connector for user notifications. As of `8.6.0`, Kibana is shipping with a new notification mechanism that will send email notifications for various user actions, e.g. assigning a *Case* to a user. To enable notifications, an email connector must be [preconfigured](https://www.elastic.co/docs/reference/kibana/connectors-kibana/pre-configured-connectors) in the system via `kibana.yml`, and the notifications plugin must be configured to point to the ID of that connector.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Set the interval in milliseconds to sample system and process performance metrics. The minimum value is 100.
Datatype: `int`
Default: `5000`
Self-managed Elastic deployments: Generally available
Override for cgroup cpu path when mounted in a manner that is inconsistent with `/proc/self/cgroup`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Override for cgroup cpuacct path when mounted in a manner that is inconsistent with `/proc/self/cgroup`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The path where Kibana stores persistent data not saved in Elasticsearch.
Datatype: `string`
Default: `data`
Self-managed Elastic deployments: Generally available
Add sources for the [Permissions Policy `report-to` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies the path where Kibana creates the process ID file.
Datatype: `string`
Self-managed Elastic deployments: Generally available
If authentication is enabled, setting this to `true` enables unauthenticated users to access the Kibana server status API and status page.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Allow all authenticated users to access the full Kibana server status API. When `false`, users are required to have the Elasticsearch `monitor` cluster privilege.
NOTE: This setting is only relevant if `status.allowAnonymous` is `false` (default).
Datatype: `bool`
Default: `false`
### Content Security Policy (CSP) settings
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `script-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src).
Datatype: `string`
Elastic Stack: Deprecated since 8.7
Self-managed Elastic deployments: Generally available
Set this to `false` to add the [`unsafe-eval`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions) source expression to the `script-src` directive.
When `csp.disableUnsafeEval` is set to `true`, Kibana will use a custom version of the Handlebars template library. Handlebars is used in various locations in the Kibana frontend where custom templates can be supplied by the user when for instance setting up a visualisation. If you experience any issues rendering Handlebars templates, please set this setting to `false` and [open an issue](https://github.com/elastic/kibana/issues/new/choose) in the Kibana GitHub repository.
Datatype: `bool`
Default: `true`
Deprecated in 8.7.0. Use `csp.script_src: ['unsafe-eval']` instead if you wish to enable `unsafe-eval`. This config option will have no effect in a future version.
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `worker-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `style-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `connect-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `default-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `font-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `frame-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `img-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src).
Datatype: `string`
Elastic Stack: Generally available since 9.3
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `object-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `frame-ancestors` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors).
Datatype: `string`
The `frame-ancestors` directive can also be configured by using [`server.securityResponseHeaders.disableEmbedding`](#server-securityresponseheaders-disableembedding). In that case, that takes precedence and any values in `csp.frame_ancestors` are ignored.
Elastic Stack: Planned
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `form-action` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action).
Datatype: `string`
Default: `'self'`
Elastic Stack: Planned for deprecation
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `form-action` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action) in reporting mode.
Datatype: `string`
Use `csp.form_action` instead.
Elastic Stack: Deprecated since 9.3
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `object-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/object-src) in reporting mode.
Datatype: `string`
This setting is deprecated in favor of `csp.object_src`.
Elastic Stack: Planned
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `connect-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src) in reporting mode.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `report-uri` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `report-to` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Blocks Kibana access to any browser that does not enforce even rudimentary CSP rules. In practice, this disables support for older, less safe browsers like Internet Explorer.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Shows a warning message after loading Kibana to any browser that does not enforce even rudimentary CSP rules, though Kibana is still accessible. This configuration is effectively ignored when [`csp.strict`](#csp-strict) is enabled.
Datatype: `bool`
Default: `true`
### Elasticsearch connection settings
Self-managed Elastic deployments: Generally available
Header names and values to send to Elasticsearch. Any custom headers cannot be overwritten by client-side headers, regardless of the [`elasticsearch.requestHeadersWhitelist`](#elasticsearch-requestheaderswhitelist) configuration.
Datatype: `string`
Default: `{}`
Self-managed Elastic deployments: Generally available
The URLs of the Elasticsearch instances to use for all your queries. All nodes listed here must be on the same cluster.
To enable SSL/TLS for outbound connections to Elasticsearch, use the `https` protocol in this setting.
Datatype: `string`
Default: `[ "http://localhost:9200" ]`
Self-managed Elastic deployments: Generally available
The URL through which Elasticsearch is publicly accessible, if any. This will be shown to users in Kibana when they need connection details for your Elasticsearch cluster.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of the [`elasticsearch.requestTimeout`](#elasticsearch-requesttimeout) setting.
Datatype: `int`
Self-managed Elastic deployments: Generally available
List of Kibana client-side headers to send to Elasticsearch. To send **no** client-side headers, set this value to [] (an empty list). Removing the `authorization` header from being whitelisted means that you cannot use [basic authentication](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication#basic-authentication) in Kibana.
Datatype: `string`
Default: `[ 'authorization', 'es-client-authentication' ]`
Self-managed Elastic deployments: Generally available
Time in milliseconds to wait for responses from the back end or Elasticsearch. This value must be a positive integer.
Datatype: `int`
Default: `30000`
Self-managed Elastic deployments: Generally available
Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
Datatype: `int`
Default: `30000`
Elastic Stack: Generally available since 8.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies whether Kibana should use compression for communications with Elasticsearch.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Time in milliseconds between requests to check Elasticsearch for an updated list of nodes.
Datatype: `string`
Default: `false`
Self-managed Elastic deployments: Generally available
Attempt to find other Elasticsearch nodes on startup.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Update the list of Elasticsearch nodes immediately following a connection fault.
Datatype: `bool`
Default: `false`
Elastic Stack: Generally available since 8.2
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum number of sockets that can be used for communications with Elasticsearch.
Datatype: `int`
Default: `800`
Self-managed Elastic deployments: Generally available
Either `false` or a `byteSize` value. When set, responses from Elasticsearch with a size higher than the defined limit will be rejected. This is intended to be used as a circuit-breaker mechanism to avoid memory errors in case of unexpectedly high responses coming from Elasticsearch.
Datatype: `string`
Default: `false`
Self-managed Elastic deployments: Generally available
The maximum number of idle sockets to keep open between Kibana and Elasticsearch. If more sockets become idle, they will be closed.
Datatype: `int`
Default: `256`
Self-managed Elastic deployments: Generally available
The timeout for idle sockets kept open between Kibana and Elasticsearch. If the socket is idle for longer than this timeout, it will be closed. If you have a transparent proxy between Kibana and Elasticsearch be sure to set this value lower than or equal to the proxy's timeout.
Datatype: `string`
Default: `60s`
Self-managed Elastic deployments: Generally available
If your Elasticsearch is protected with basic authentication, this setting provides the username that the Kibana server uses to perform maintenance on the Kibana index at startup. Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
If your Elasticsearch is protected with basic authentication, this setting provides the password that the Kibana server uses to perform maintenance on the Kibana index at startup. Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
If your Elasticsearch is protected with basic authentication, this token provides the credentials that the Kibana server uses to perform maintenance on the Kibana index at startup. This setting is an alternative to `elasticsearch.username` and `elasticsearch.password`.
Datatype: `string`
### Elasticsearch SSL settings
Self-managed Elastic deployments: Generally available
Controls Kibana behavior in regard to presenting a client certificate when requested by Elasticsearch. This setting applies to all outbound SSL/TLS connections to Elasticsearch, including requests that are proxied for end users.
Datatype: `bool`
Default: `false`
When Elasticsearch uses certificates to authenticate end users with a PKI realm and [`elasticsearch.ssl.alwaysPresentCertificate`](#elasticsearch-ssl-alwayspresentcertificate) is `true`, proxied requests may be executed as the identity that is tied to the Kibana server.
Self-managed Elastic deployments: Generally available
Path to a PEM-encoded X.509 client certificate. This is used by Kibana to authenticate itself when making outbound SSL/TLS connections to Elasticsearch. For this setting to take effect, the `xpack.security.http.ssl.client_authentication` setting in Elasticsearch must be also be set to `"required"` or `"optional"` to request a client certificate from Kibana.
Datatype: `string`
This setting cannot be used in conjunction with [`elasticsearch.ssl.keystore.path`](#elasticsearch-ssl-keystore-path).
Self-managed Elastic deployments: Generally available
Path to the corresponding private key for the PEM-encoded X.509 client certificate specified via [`elasticsearch.ssl.certificate`](#elasticsearch-ssl-cert-key). These are used by Kibana to authenticate itself when making outbound SSL/TLS connections to Elasticsearch. For this setting to take effect, the `xpack.security.http.ssl.client_authentication` setting in Elasticsearch must be also be set to `"required"` or `"optional"` to request a client certificate from Kibana.
Datatype: `string`
This setting cannot be used in conjunction with [`elasticsearch.ssl.keystore.path`](#elasticsearch-ssl-keystore-path).
Self-managed Elastic deployments: Generally available
Paths to one or more PEM-encoded X.509 certificate authority (CA) certificates, which make up a trusted certificate chain for Elasticsearch. This chain is used by Kibana to establish trust when making outbound SSL/TLS connections to Elasticsearch.
In addition to this setting, trusted certificates may be specified via [`elasticsearch.ssl.keystore.path`](#elasticsearch-ssl-keystore-path) and/or [`elasticsearch.ssl.truststore.path`](#elasticsearch-ssl-truststore-path).
Datatype: `string`
Self-managed Elastic deployments: Generally available
The password that decrypts the private key that is specified via [`elasticsearch.ssl.key`](#elasticsearch-ssl-cert-key). This value is optional, as the key may not be encrypted.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Path to a PKCS#12 keystore that contains an X.509 client certificate and it's corresponding private key. These are used by Kibana to authenticate itself when making outbound SSL/TLS connections to Elasticsearch. For this setting, you must also set the `xpack.security.http.ssl.client_authentication` setting in Elasticsearch to `"required"` or `"optional"` to request a client certificate from Kibana.
If the keystore contains any additional certificates, they are used as a trusted certificate chain for Elasticsearch. This chain is used by Kibana to establish trust when making outbound SSL/TLS connections to Elasticsearch. In addition to this setting, trusted certificates may be specified via [`elasticsearch.ssl.certificateAuthorities`](#elasticsearch-ssl-certificateauthorities) and/or [`elasticsearch.ssl.truststore.path`](#elasticsearch-ssl-truststore-path).
Datatype: `string`
This setting cannot be used in conjunction with [`elasticsearch.ssl.certificate`](#elasticsearch-ssl-cert-key) or [`elasticsearch.ssl.key`](#elasticsearch-ssl-cert-key).
Self-managed Elastic deployments: Generally available
The password that decrypts the keystore specified via [`elasticsearch.ssl.keystore.path`](#elasticsearch-ssl-keystore-path). If the keystore has no password, leave this as blank. If the keystore has an empty password, set this to `""`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Path to a PKCS#12 trust store that contains one or more X.509 certificate authority (CA) certificates, which make up a trusted certificate chain for Elasticsearch. This chain is used by Kibana to establish trust when making outbound SSL/TLS connections to Elasticsearch.
In addition to this setting, trusted certificates may be specified via [`elasticsearch.ssl.certificateAuthorities`](#elasticsearch-ssl-certificateauthorities) and/or [`elasticsearch.ssl.keystore.path`](#elasticsearch-ssl-keystore-path).
Datatype: `string`
Self-managed Elastic deployments: Generally available
The password that decrypts the trust store specified via [`elasticsearch.ssl.truststore.path`](#elasticsearch-ssl-truststore-path). If the trust store has no password, leave this as blank. If the trust store has an empty password, set this to `""`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Controls the verification of the server certificate that Kibana receives when making an outbound SSL/TLS connection to Elasticsearch. Valid values are `"full"`, `"certificate"`, and `"none"`. Using `"full"` performs hostname verification, using `"certificate"` skips hostname verification, and using `"none"` skips verification entirely.
Datatype: `enum`
Default: `full`
Options:
- `full`
- `certificate`
- `none`
### Logging settings
Self-managed Elastic deployments: Generally available
The `root` logger is a [dedicated logger](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#dedicated-loggers) and is pre-configured. The `root` logger logs at `info` level by default. If any other logging configuration is specified, `root` *must* also be explicitly configured.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A list of logging appenders to forward the root level logger instance to. By default `root` is configured with the `default` appender that logs to stdout with a `pattern` layout. This is the configuration that all custom loggers will use unless they're re-configured explicitly. You can override the default behavior by configuring a different [appender](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#logging-appenders) to apply to `root`.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Level at which a log record should be logged. Supported levels are: *all*, *fatal*, *error*, *warn*, *info*, *debug*, *trace*, *off*. Levels are ordered from *all* (highest) to *off* and a log record will be logged it its level is higher than or equal to the level of its logger, otherwise the log record is ignored. Use this value to [change the overall log level](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples#change-overall-log-level).
Datatype: `enum`
Default: `info`
Options:
- `all`
- `fatal`
- `error`
- `warn`
- `info`
- `debug`
- `trace`
- `off`
Set to `all` to log all events, including system usage information and all requests. Set to `off` to silence all logs. You can also use the logging [cli commands](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kib-advanced-logging#logging-cli-migration) to set log level to `verbose` or silence all logs.
The following example shows a valid verbose `logging.root` configuration:
```text
logging:
appenders:
console_appender:
type: console
layout:
type: pattern
highlight: true
root:
appenders: [console_appender]
level: all
```
Self-managed Elastic deployments: Generally available
Allows you to [customize a specific logger instance](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples#customize-specific-log-records).
Datatype: `string`
Self-managed Elastic deployments: Generally available
[Appenders](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#logging-appenders) define how and where log messages are displayed (eg. **stdout** or console) and stored (eg. file on the disk).
Datatype: `string`
### Map settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `false` to disable connections to Elastic Maps Service. When `includeElasticMapsService` is turned off, only tile layer configured by [`map.tilemap.url`](#tilemap-url) is available in [Maps](https://www.elastic.co/docs/explore-analyze/visualize/maps).
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Specifies the URL of a self hosted [Elastic Maps Server](https://www.elastic.co/docs/explore-analyze/visualize/maps/maps-connect-to-ems#elastic-maps-server)
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The map attribution string. Provide attributions in markdown and use `\|` to delimit attributions, for example: `"[attribution 1](https://www.attribution1)\|[attribution 2](https://www.attribution2)"`.
Datatype: `string`
Default: `"© [Elastic Maps Service](https://www.elastic.co/elastic-maps-service)"`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum zoom level.
Datatype: `int`
Default: `10`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The minimum zoom level.
Datatype: `int`
Default: `1`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
An array of subdomains used by the tile service. Specify the position of the subdomain the URL with the token `{{s}}`.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The URL to the service that Kibana uses as the default basemap in [maps](https://www.elastic.co/docs/explore-analyze/visualize/maps) and [vega maps](https://www.elastic.co/docs/explore-analyze/visualize/custom-visualizations-with-vega#vega-with-a-map). By default, Kibana sets a basemap from the [Elastic Maps Service](https://www.elastic.co/docs/explore-analyze/visualize/maps/maps-connect-to-ems), but users can point to their own Tile Map Service. For example: `"https://tiles.elastic.co/v2/default/{{z}}/{x}/{{y}}.png?elastic_tile_service_tos=agree&my_app_name=kibana"`
Datatype: `string`
### Migrations settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Defines the number of documents migrated at a time. The higher the value, the faster the Saved Objects migration process performs at the cost of higher memory consumption. If upgrade migrations results in Kibana crashing with an out of memory exception or fails due to an Elasticsearch `circuit_breaking_exception`, use a smaller `batchSize` value to reduce the memory pressure.
Datatype: `int`
Default: `1000`
Elastic Stack: Generally available since 8.4
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Discard saved objects with unknown types during a migration. Must be set to the target version, for example: `8.4.0`. Default: undefined.
Datatype: `string`
Elastic Stack: Generally available since 8.4
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Discard corrupt saved objects, as well as those that cause transform errors during a migration. Must be set to the target version, for example: `8.4.0`. Default: undefined.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Defines the maximum payload size for indexing batches of upgraded saved objects to avoid migrations failing due to a 413 Request Entity Too Large response from Elasticsearch. This value should be lower than or equal to your Elasticsearch cluster's `http.max_content_length` configuration option.
Datatype: `string`
Default: `100mb`
Self-managed Elastic deployments: Generally available
The number of times migrations retry temporary failures, such as a network timeout, 503 status code, or `snapshot_in_progress_exception`. When upgrade migrations frequently fail after exhausting all retry attempts with a message such as `Unable to complete the [...] step after 15 attempts, terminating.`, increase the setting value.
Datatype: `int`
Default: `15`
Elastic Stack: Generally available since 9.2
Self-managed Elastic deployments: Generally available
When enabled, migration progress is only logged if the migration fails, reducing log volume during successful startups. When disabled (the default), migration steps are logged continuously, which keeps failing or stuck migrations visible. Set to `true` to reduce startup log volume.
Datatype: `bool`
Default: `false`
In these versions, this setting defaults to `true`.
### Saved Objects settings
Self-managed Elastic deployments: Generally available
The maximum count of saved objects that can be imported or exported. This setting exists to prevent the Kibana server from running out of memory when handling large numbers of saved objects. It is recommended to only raise this setting if you are confident your server can hold this many objects in memory.
Datatype: `int`
Default: `10000`
Self-managed Elastic deployments: Generally available
The maximum byte size of a saved objects import that the Kibana server will accept. This setting exists to prevent the Kibana server from running out of memory when handling a large import payload. Note that this setting overrides the more general [`server.maxPayload`](#server-maxpayload) for saved object imports only.
Datatype: `int`
Default: `26214400`
### Search and autocomplete settings
Elastic Stack: Deprecated since 8.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the max number of documents loaded by each shard to generate autocomplete suggestions. Allowed values are between 1 and 10000000.
Datatype: `int`
Default: `100000`
Using this setting in Kibana 9.4.0 and 9.4.1 causes a startup failure due to a known regression. Migrate to `unifiedSearch.autocomplete.valueSuggestions.terminateAfter` or upgrade to a later version.
Deprecated in 8.3.0. Use `unifiedSearch.autocomplete.valueSuggestions.terminateAfter` instead.
Elastic Stack: Deprecated since 8.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the time in milliseconds to wait for autocomplete suggestions from Elasticsearch. Allowed values are between 1 and 1200000.
Datatype: `int`
Default: `1000`
Using this setting in Kibana 9.4.0 and 9.4.1 causes a startup failure due to a known regression. Migrate to `unifiedSearch.autocomplete.valueSuggestions.timeout` or upgrade to a later version.
Deprecated in 8.3.0. Use `unifiedSearch.autocomplete.valueSuggestions.timeout` instead.
Elastic Stack: Generally available since 8.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Time in milliseconds to wait for autocomplete suggestions from Elasticsearch. This value must be a whole number greater than zero.
Datatype: `int`
Default: `1000`
Elastic Stack: Generally available since 8.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Maximum number of documents loaded by each shard to generate autocomplete suggestions. This value must be a whole number greater than zero.
Datatype: `int`
Default: `100000`
To reload the logging settings, send a SIGHUP signal to Kibana. For more logging configuration options, see the [Configure Logging in Kibana](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging) guide.
### Server settings
Self-managed Elastic deployments: Generally available
Enables you to specify a path to mount Kibana at if you are running behind a proxy. Use the [`server.rewriteBasePath`](#server-rewritebasepath) setting to tell Kibana if it should remove the basePath from requests it receives, and to prevent a deprecation warning at startup. This setting cannot end in a slash (`/`).
Datatype: `string`
Self-managed Elastic deployments: Generally available
The publicly available URL that end-users access Kibana at. Must include the protocol, hostname, port (if different than the defaults for `http` and `https`, 80 and 443 respectively), and the [`server.basePath`](#server-basePath) (when that setting is configured explicitly). This setting cannot end in a slash (`/`).
Datatype: `string`
Self-managed Elastic deployments: Generally available
This setting specifies the host of the back end server. To allow remote users to connect, set the value to the IP address or DNS name of the Kibana server. Use `0.0.0.0` to make Kibana listen on all IPs (public and private).
Datatype: `string`
Default: `"localhost"`
Self-managed Elastic deployments: Generally available
The number of milliseconds to wait for additional data before restarting the [`server.socketTimeout`](#server-sockettimeout) counter.
Datatype: `int`
Default: `120000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum payload size in bytes for incoming server requests.
This option controls the maximum payload size Kibana can handle, rather than the incoming request size, which also limits the inflated size when compression is used.
Datatype: `int`
Default: `1048576`
Self-managed Elastic deployments: Generally available
A human-readable display name that identifies this Kibana instance.
Datatype: `string`
Default: `"your-hostname"`
Self-managed Elastic deployments: Generally available
Kibana is served by a back end server. This setting specifies the port to use.
Datatype: `int`
Default: `5601`
Elastic Stack: Preview
Self-managed Elastic deployments: Generally available
The HTTP protocol to use, either `http1` or `http2`. Set to `http1` to opt out of `HTTP/2` support when TLS is enabled. Use of `http1` may impact browser loading performance especially for dashboards with many panels. Default is `http2` if TLS is enabled, otherwise `http1`.
Datatype: `enum`
Options:
- `http1`
- `http2`
By default, enabling `http2` requires a valid `h2c` configuration, meaning that TLS must be enabled via [`server.ssl.enabled`](#server-ssl-enabled) and [`server.ssl.supportedprotocols`](#server-ssl-supportedProtocols), if specified, must contain at least `TLSv1.2` or `TLSv1.3`. Strict validation of the `h2c` setup can be disabled by adding `server.http2.allowUnsecure: true` to the configuration.
Self-managed Elastic deployments: Generally available
Sets the grace period for Kibana to attempt to resolve any ongoing HTTP requests after receiving a `SIGTERM`/`SIGINT` signal, and before shutting down. Any new HTTP requests received during this period are rejected, because the incoming socket is closed without further processing.
Datatype: `string`
Default: `30s`
Self-managed Elastic deployments: Generally available
The number of milliseconds to wait before closing an inactive socket.
Datatype: `int`
Default: `120000`
Self-managed Elastic deployments: Generally available
Sets the maximum time allowed for the client to transmit the request payload (body) before giving up and responding with a Request Timeout (408) error response.
Datatype: `int`
Default: `20000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Header names and values to send on all responses to the client from the Kibana server.
Datatype: `string`
Default: `{}`
Self-managed Elastic deployments: Generally available
Sets whether or not the `X-Opaque-Id` header should be trusted from any IP address for identifying requests in logs and forwarded to Elasticsearch.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
A list of IPv4 and IPv6 address which the `X-Opaque-Id` header should be trusted from. Normally this would be set to the IP addresses of the load balancers or reverse-proxy that end users use to access Kibana. If any are set, [`server.requestId.allowFromAnyIp`](#server-requestid-allowfromanyip) must also be set to `false.`
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies whether Kibana should rewrite requests that are prefixed with [`server.basePath`](#server-basepath) or require that they are rewritten by your reverse proxy.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
The unique identifier for this Kibana instance. It must be a valid UUIDv4. It gets automatically generated on the first startup if not specified and persisted in the `data` path.
Datatype: `string`
### Server compression settings
Self-managed Elastic deployments: Generally available
Set to `false` to disable HTTP compression for all responses.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Specifies an array of trusted hostnames, such as the Kibana host, or a reverse proxy sitting in front of it. This determines whether HTTP compression may be used for responses, based on the request `Referer` header. This setting may not be used when [`server.compression.enabled`](#server-compression) is set to `false`.
Datatype: `string`
Elastic Stack: Generally available since 8.6
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to enable brotli (br) compression format. Browsers not supporting brotli compression will fallback to using gzip instead. This setting may not be used when [`server.compression.enabled`](#server-compression) is set to `false`.
Datatype: `bool`
Default: `false`
### Server CORS settings
Elastic Stack: Preview
Self-managed Elastic deployments: Generally available
Set to `true` to allow cross-origin API calls.
Datatype: `bool`
Default: `false`
Elastic Stack: Preview
Self-managed Elastic deployments: Generally available
Set to `true` to allow browser code to access response body whenever request performed with user credentials.
Datatype: `bool`
Default: `false`
Elastic Stack: Preview
Self-managed Elastic deployments: Generally available
List of origins permitted to access resources. You must specify explicit hostnames and not use `server.cors.allowOrigin: ["*"]` when `server.cors.allowCredentials: true`.
Datatype: `string`
Default: `["*"]`
### Server rate limiter settings
Self-managed Elastic deployments: Generally available
Enables rate-limiting of requests to the Kibana server based on Node.js' Event Loop Utilization. If the average event loop utilization for the specified term exceeds the configured threshold, the server will respond with a `429 Too Many Requests` status code.
This functionality should be used carefully as it may impact the server's availability. The configuration options vary per environment, so it is recommended to enable this option in a testing environment first, adjust the rate-limiter configuration, and then roll it out to production.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
The Event Loop Utilization (ELU) threshold for rate-limiting requests to the Kibana server. The ELU is a value between 0 and 1, representing the average event loop utilization over the specified term. If the average ELU exceeds this threshold, the server will respond with a `429 Too Many Requests` status code.
In a multi-instance environment with autoscaling, this value is usually between 0.6 and 0.8 to give the autoscaler enough time to react. This value can be higher in a single-instance environment but should not exceed 1.0. In general, the lower the value, the more aggressive the rate limiting. And the highest possible option should be used to prevent the Kibana server from being terminated.
Datatype: `float`
Self-managed Elastic deployments: Generally available
This value is one of `short`, `medium`, or `long`, representing the term over which the average event loop utilization is calculated. It uses exponential moving averages (EMA) to smooth out the utilization values. Each term corresponds to `15s`, `30s`, and `60s`, respectively.
The term value also changes the way the rate limiter sees the trend in the load:
- `short`: `elu.short > server.rateLimiter.term`;
- `medium`: `elu.short > server.rateLimiter.elu AND elu.medium > server.rateLimiter.elu`;
- `long`: `elu.short > server.rateLimiter.elu AND elu.medium > server.rateLimiter.elu AND elu.long > server.rateLimiter.elu`.
This behavior prevents requests from being throttled if the load starts decreasing. In general, the shorter the term, the more aggressive the rate limiting. In the multi-instance environment, the `medium` term makes the most sense as it gives the Kibana server enough time to spin up a new instance and prevents the existing instances from being terminated.
Datatype: `enum`
Options:
- `short`
- `medium`
- `long`
### Server security response headers
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Strict-Transport-Security`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or `null`. To disable, set to `null`.
Datatype: `string`
Default: `null`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`X-Content-Type-Options`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are `nosniff` or `null`. To disable, set to `null`.
Datatype: `string`
Default: `"nosniff"`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Referrer-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are `no-referrer`, `no-referrer-when-downgrade`, `origin`, `origin-when-cross-origin`, `same-origin`, `strict-origin`, `strict-origin-when-cross-origin`, `unsafe-url`, or `null`. To disable, set to `null`.
Datatype: `string`
Default: `"strict-origin-when-cross-origin"`
Elastic Stack: Preview
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Permissions-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or `null`. Refer to the [`Permissions-Policy` documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy) for defined directives, values, and text format. To disable, set to `null`.
Datatype: `string`
Default: `camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()`
Elastic Stack: Preview
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Permissions-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or `null`. Refer to the [`Permissions-Policy` documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy) for defined directives, values, and text format.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) and [`X-Frame-Options`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) headers are configured to disable embedding Kibana in other webpages using iframes. When set to `true`, secure headers are used to disable embedding, which adds the `frame-ancestors: 'self'` directive to the `Content-Security-Policy` response header and adds the `X-Frame-Options: SAMEORIGIN` response header.
Datatype: `bool`
Default: `false`
Elastic Stack: Generally available since 8.7
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Cross-Origin-Opener-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are `unsafe-none`, `same-origin-allow-popups`, `same-origin`, or `null`. To disable, set to `null`.
Datatype: `enum`
Default: `"same-origin"`
Options:
- `unsafe-none`
- `same-origin-allow-popups`
- `same-origin`
- `null`
### Server SSL settings
Self-managed Elastic deployments: Generally available
Path to a PEM-encoded X.509 server certificate. This is used by Kibana to establish trust when receiving inbound SSL/TLS connections from users.
Datatype: `string`
This setting cannot be used in conjunction with [`server.ssl.keystore.path`](#server-ssl-keystore-path).
Self-managed Elastic deployments: Generally available
Path to the corresponding private key for the PEM-encoded X.509 server certificate specified via [`server.ssl.certificate`](#server-ssl-cert-key). This is used by Kibana to establish trust when receiving inbound SSL/TLS connections from users.
Datatype: `string`
This setting cannot be used in conjunction with [`server.ssl.keystore.path`](#server-ssl-keystore-path).
Self-managed Elastic deployments: Generally available
Paths to one or more PEM-encoded X.509 certificate authority (CA) certificates which make up a trusted certificate chain for Kibana. This chain is used by Kibana to establish trust when receiving inbound SSL/TLS connections from end users. If PKI authentication is enabled, this chain is also used by Kibana to verify client certificates from end users.
In addition to this setting, trusted certificates may be specified via [`server.ssl.keystore.path`](#server-ssl-keystore-path) and/or [`server.ssl.truststore.path`](#server-ssl-truststore-path).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Details on the format, and the valid options, are available via the [OpenSSL cipher list format documentation](https://www.openssl.org/docs/man1.1.1/man1/ciphers.md#CIPHER-LIST-FORMAT).
Datatype: `string`
Default: `TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA`
Self-managed Elastic deployments: Generally available
Controls the behavior in Kibana for requesting a certificate from client connections. Valid values are `"required"`, `"optional"`, and `"none"`. Using `"required"` will refuse to establish the connection unless a client presents a certificate, using `"optional"` will allow a client to present a certificate if it has one, and using `"none"` will prevent a client from presenting a certificate.
Datatype: `enum`
Default: `"none"`
Options:
- `required`
- `optional`
- `none`
Self-managed Elastic deployments: Generally available
Enables SSL/TLS for inbound connections to Kibana. When set to `true`, a certificate and its corresponding private key must be provided. These can be specified via [`server.ssl.keystore.path`](#server-ssl-keystore-path) or the combination of [`server.ssl.certificate`](#server-ssl-cert-key) and [`server.ssl.key`](#server-ssl-cert-key).
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
The password that decrypts the private key that is specified via [`server.ssl.key`](#server-ssl-cert-key). This value is optional, as the key may not be encrypted.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Path to a PKCS#12 keystore that contains an X.509 server certificate and its corresponding private key. If the keystore contains any additional certificates, those will be used as a trusted certificate chain for Kibana. All of these are used by Kibana to establish trust when receiving inbound SSL/TLS connections from end users. The certificate chain is also used by Kibana to verify client certificates from end users when PKI authentication is enabled.
In addition to this setting, trusted certificates may be specified via [`server.ssl.certificateAuthorities`](#server-ssl-certificateauthorities) and/or [`server.ssl.truststore.path`](#server-ssl-truststore-path).
Datatype: `string`
This setting cannot be used in conjunction with [`server.ssl.certificate`](#server-ssl-cert-key) or [`server.ssl.key`](#server-ssl-cert-key).
Self-managed Elastic deployments: Generally available
The password that will be used to decrypt the keystore specified via [`server.ssl.keystore.path`](#server-ssl-keystore-path). If the keystore has no password, leave this unset. If the keystore has an empty password, set this to `""`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Path to a PKCS#12 trust store that contains one or more X.509 certificate authority (CA) certificates which make up a trusted certificate chain for Kibana. This chain is used by Kibana to establish trust when receiving inbound SSL/TLS connections from end users. If PKI authentication is enabled, this chain is also used by Kibana to verify client certificates from end users.
In addition to this setting, trusted certificates may be specified via [`server.ssl.certificateAuthorities`](#server-ssl-certificateauthorities) and/or [`server.ssl.keystore.path`](#server-ssl-keystore-path).
Datatype: `string`
Self-managed Elastic deployments: Generally available
The password that will be used to decrypt the trust store specified via [`server.ssl.truststore.path`](#server-ssl-truststore-path). If the trust store has no password, leave this unset. If the trust store has an empty password, set this to `""`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Kibana binds to this port and redirects all http requests to https over the port configured as [`server.port`](#server-port).
Datatype: `int`
Self-managed Elastic deployments: Generally available
An array of supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. Enabling `TLSv1.1` would require both setting the `--tls-min-1.1` option in the `node.options` configuration and adding `TLSv1.1` to `server.ssl.supportedProtocols`. `HTTP/2` requires the use of minimum `TLSv1.2` for secure connections.
Datatype: `string`
Default: `TLSv1.2, TLSv1.3`
### Server XSRF settings
Elastic Stack: Generally available since 8.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
It is not recommended to disable protections for arbitrary API endpoints. Instead, supply the `kbn-xsrf` header. The [`server.xsrf.allowlist`](#settings-xsrf-allowlist) setting requires the following format:
```text
*Default: [ ]* An array of API endpoints which should be exempt from Cross-Site Request Forgery ("XSRF") protections.
```
Datatype: `string`
Default: `[]`
Self-managed Elastic deployments: Generally available
Setting this to `true` will completely disable Cross-site request forgery protection in Kibana. This is not recommended.
Datatype: `bool`
Default: `false`
### Telemetry settings
Self-managed Elastic deployments: Generally available
When `false`, users cannot change the opt-in status through [Advanced Settings](https://www.elastic.co/docs/reference/kibana/advanced-settings), and Kibana only looks at the value of [`telemetry.optIn`](#settings-telemetry-optin) to determine whether to send telemetry data or not.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set to `false` to stop sending any telemetry data to Elastic. Reporting your cluster statistics helps us improve your user experience. When `false`, the telemetry data is never sent to Elastic.
This setting can be changed at any time in [Advanced Settings](https://www.elastic.co/docs/reference/kibana/advanced-settings). To prevent users from changing it, set [`telemetry.allowChangingOptInStatus`](#telemetry-allowchangingoptinstatus) to `false`.
Datatype: `bool`
Default: `true`
### UI and visualization settings
Elastic Stack: Generally available since 9.4
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to stop showing messages and tours that highlight new features.
Datatype: `bool`
Default: `false`
Elastic Stack: Generally available since 9.4
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to stop showing elements requesting user feedback.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `false` to disable Timelion visualizations.
Datatype: `bool`
Default: `true`
Elastic Stack: Removed in 8.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Starting from version 7.11, a new datatable visualization is used. Set to `true` to enable the legacy version. In version 8.0 and later, the old implementation is removed and this setting is no longer supported.
Datatype: `bool`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
For versions 7.7 and later, set to `false` to disable Vega visualizations.
Datatype: `bool`
Default: `true`
Elastic Stack: Deprecated since 8.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to allow Vega vizualizations to use data from sources other than the linked Elasticsearch cluster. In version 8.0 and later, the `vega.enableExternalUrls` is not supported. Use `vis_type_vega.enableExternalUrls` instead.
Datatype: `bool`
In version 8.0 and later, this setting is not supported. Use `vis_type_vega.enableExternalUrls` instead.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set this value to true to allow Vega to use any URL to access external data sources and images. When false, Vega can only get data from Elasticsearch.
Datatype: `bool`
Default: `false`
### Feature and plugin settings
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Cross-Cluster Replication UI.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Enables the **Explore underlying data** option that allows you to open **Discover** from a dashboard panel and view the panel data.
When you create visualizations using the **Lens** drag-and-drop editor, you can use the toolbar to open and explore your data in **Discover**. For more information, check out [Explore the data in Discover](https://www.elastic.co/docs/explore-analyze/visualize/lens#explore-lens-data-in-discover).
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Enables you to view the underlying documents in a data series from a dashboard panel.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Index Lifecycle Policies UI.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Index Management UI.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the License Management UI.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Remote Clusters UI.
Datatype: `bool`
Default: `true`
Elastic Stack: Deprecated since 8.11
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Rollup Jobs UI.
Datatype: `bool`
Default: `true`
Rollups are deprecated and will be removed in a future version. Use [downsampling](https://www.elastic.co/docs/manage-data/data-store/data-streams/downsampling-time-series-data-stream) instead.
Elastic Stack: Generally available since 8.9
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Allow to configure the max file upload size for use with the Upload File Response action available with the Defend Integration. To learn more, check [Endpoint Response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions).
Datatype: `string`
Elastic Stack: Generally available since 9.2
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to disable the automatic installation of Elastic Defend SIEM rules when a new Endpoint integration policy is created. Introduced with v9.2.4.
Datatype: `bool`
Default: `false`
Elastic Stack: Generally available since 9.4
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum file size in bytes for scripts uploaded to the Elastic Defend script library. Default is `26214400` (25MB).
Datatype: `bool`
Default: `26214400`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Snapshot and Restore UI.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Upgrade Assistant UI.
Datatype: `bool`
Default: `true`
## Alerting and actions
Alerting and actions are enabled by default in Kibana, but require you to configure the following:
1. [Set up Kibana to work with Elastic Stack security features](https://www.elastic.co/docs/deploy-manage/security/secure-your-cluster-deployment).
2. [Set up TLS encryption between Kibana and Elasticsearch](https://www.elastic.co/docs/deploy-manage/security/set-up-basic-security-plus-https#encrypt-kibana-http).
3. If you are using an **on-premises** Elastic Stack deployment, [specify a value for `xpack.encryptedSavedObjects.encryptionKey`](#general-alert-action-settings).
### General settings
Self-managed Elastic deployments: Generally available
A string of 32 or more characters used to encrypt sensitive properties on alerting rules and actions before they're stored in Elasticsearch. Third party credentials — such as the username and password used to connect to an SMTP service — are an example of encrypted properties.
Kibana offers a [CLI tool](https://www.elastic.co/docs/reference/kibana/commands/kibana-encryption-keys) to help generate this encryption key.
If not set, Kibana will generate a random key on startup, but all alerting and action functions will be blocked. Generated keys are not allowed for alerting and actions because when a new key is generated on restart, existing encrypted data becomes inaccessible. For the same reason, alerting and actions in high-availability deployments of Kibana will behave unexpectedly if the key isn't the same on all instances of Kibana.
Although the key can be specified in clear text in `kibana.yml`, it's recommended to store this key securely in the [Kibana Keystore](https://www.elastic.co/docs/deploy-manage/security/secure-settings). Be sure to back up the encryption key value somewhere safe, as your alerting rules and actions will cease to function due to decryption failures should you lose it. If you want to rotate the encryption key, be sure to follow the instructions on [encryption key rotation](https://www.elastic.co/docs/deploy-manage/security/secure-saved-objects#encryption-key-rotation).
Datatype: `string`
### Action settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A list of hostnames that Kibana is allowed to connect to when built-in actions are triggered. It defaults to `["*"]`, allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list `[]` can be used to block built-in actions from making any external connections.
Note that hosts associated with built-in actions, such as Slack and PagerDuty, are not automatically added to allowed hosts. If you are not using the default `["*"]` setting, you must ensure that the corresponding endpoints are added to the allowed hosts as well.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A list of custom host settings to override existing global settings.
Each entry in the list must have a `url` property, to associate a connection type (mail or https), hostname and port with the remaining options in the entry.
The settings in `xpack.actions.customHostSettings` can be used to override the global option `xpack.actions.ssl.verificationMode` and provide customized TLS settings on a per-server basis. Set `xpack.actions.ssl.verificationMode` to the value to be used by default for all servers, then add an entry in `xpack.actions.customHostSettings` for every server that requires customized settings.
Datatype: `string`
Default: `an empty list`
In the following example, two custom host settings are defined. The first provides a custom host setting for mail server `mail.example.com` using port 465 that supplies server certificate authentication data from both a file and inline, and requires TLS for the connection. The second provides a custom host setting for https server `webhook.example.com` which turns off server certificate authentication, that will allow Kibana to connect to the server if it's using a self-signed certificate. The individual properties that can be used in the settings are documented below.
```yaml
xpack.actions.customHostSettings:
- url: smtp://mail.example.com:465
ssl:
verificationMode: 'full'
certificateAuthoritiesFiles: [ 'one.crt' ]
certificateAuthoritiesData: |
-----BEGIN CERTIFICATE-----
MIIDTD...
CwUAMD...
... multiple lines of certificate data ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDTD...
CwUAMD...
... multiple lines of certificate data ...
-----END CERTIFICATE-----
smtp:
requireTLS: true
- url:
ssl:
verificationMode: 'none'
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A URL associated with this custom host setting. Should be in the form of `protocol://hostname:port`, where `protocol` is `https` or `smtp`. If the port is not provided, 443 is used for `https` and 25 is used for `smtp`. The `smtp` URLs are used for the Email actions that use this server, and the `https` URLs are used for actions which use `https` to connect to services.
Entries with `https` URLs can use the `ssl` options, and entries with `smtp` URLs can use both the `ssl` and `smtp` options.
No other URL values should be part of this URL, including paths, query strings, and authentication information. When an http or smtp request is made as part of running an action, only the protocol, hostname, and port of the URL for that request are used to look up these configuration values.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A boolean value indicating that TLS must not be used for this connection. The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A boolean value indicating that TLS must be used for this connection. The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls the verification of the server certificate that Kibana receives when making an outbound SSL/TLS connection to the host server. Valid values are `full`, `certificate`, and `none`. Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. [Equivalent Kibana setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-ssl-verificationmode). Overrides the general `xpack.actions.ssl.verificationMode` configuration for requests made for this hostname/port.
Datatype: `enum`
Default: `full`
Options:
- `full`
- `certificate`
- `none`
Self-managed Elastic deployments: Generally available
A file name or list of file names of PEM-encoded certificate files to use to validate the server.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The contents of one or more PEM-encoded certificate files in multiline format. This configuration can be used for environments where the files cannot be made available.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A list of allowed email domains which can be used with the email connector. When this setting is not used, all email domains are allowed. When this setting is used, if any email is attempted to be sent that (a) includes an addressee with an email domain that is not in the allowlist, or (b) includes a from address domain that is not in the allowlist, it will fail with a message indicating the email is not allowed.
Datatype: `string`
This feature is available in Kibana 7.17.4 and 8.3.0 onwards but is not supported in Kibana 8.0, 8.1 or 8.2. As such, this setting should be removed before upgrading from 7.17 to 8.0, 8.1 or 8.2. It is possible to configure the settings in 7.17.4 and then upgrade to 8.3.0 directly.
Elastic Stack: Generally available since 9.2
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A list of allowed email recipient patterns (`to`, `cc`, or `bcc`) that can be used with email connectors. If you attempt to send an email to a recipient that does not match the allowed patterns, the action will fail. The failure message indicates that the email is not allowed.
Datatype: `string`
This setting cannot be used with `xpack.actions.email.domain_allowlist`.
For example:
```yaml
xpack.actions.email.recipient_allowlist: ["admin-*@company.org", "sales-*@example.com"]
```
Only "to", "cc", or "bcc" email addresses that match the listed patterns will be accepted. For example, "admin-network@company.org" or "sales-north@example.com".
Elastic Stack: Generally available since 9.3
Self-managed Elastic deployments: Generally available
The maximum length of an email body in bytes. Values longer than this length will be truncated. The default is 25MB, the maximum is 25MB.
Datatype: `int`
Default: `25000000 (25MB)`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The SMTP endpoint for an Amazon Simple Email Service (SES) service provider that can be used by email connectors.
Datatype: `string`
Default: `email-smtp.us-east-1.amazonaws.com`
This setting alone is insufficient for overriding system defaults for the SES SMTP endpoint. You must also configure the `xpack.actions.email.services.ses.port` setting.
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The port number for an Amazon Simple Email Service (SES) service provider that can be used by email connectors.
Datatype: `int`
Default: `465`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
An array of strings indicating all email services that are enabled. Available options are `elastic-cloud`, `google-mail`, `microsoft-outlook`, `amazon-ses`, `microsoft-exchange`, and `other`. If the array is empty, no email services are enabled. The default value is `["*"]`, which enables all email services.
Datatype: `string`
Default: `["*"]`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A boolean value indicating that a footer with a relevant link should be added to emails sent as alerting actions.
Datatype: `bool`
Default: `true`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A list of action types that are enabled. It defaults to `["*"]`, enabling all types. The names for built-in Kibana action types are prefixed with a `.` and include: `.email`, `.index`, `.jira`, `.opsgenie`, `.pagerduty`, `.resilient`, `.server-log`, `.servicenow`, `.servicenow-itom`, `.servicenow-sir`, `.slack`, `.swimlane`, `.teams`, `.tines`, `.torq`, `.xmatters`, `.gen-ai`, `.bedrock`, `.gemini`, `.d3security`, and `.webhook`. An empty list `[]` will disable all action types.
Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in Kibana and will not function.
Datatype: `string`
Default: `["*"]`
[Preconfigured connectors](https://www.elastic.co/docs/reference/kibana/connectors-kibana/pre-configured-connectors) are not affected by this setting.
Self-managed Elastic deployments: Generally available
The URL for the Microsoft Azure Active Directory endpoint to use for MS Exchange email authentication.
Datatype: `string`
Default: `https://login.microsoftonline.com`
Self-managed Elastic deployments: Generally available
The URL for the Microsoft Graph API endpoint to use for MS Exchange email authentication.
Datatype: `string`
Default: `https://graph.microsoft.com/v1.0`
Self-managed Elastic deployments: Generally available
The URL for the Microsoft Graph API scope endpoint to use for MS Exchange email authentication.
Datatype: `string`
Default: `https://graph.microsoft.com/.default`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used.
Proxies may be used to proxy http or https requests through a proxy using the http or https protocol. Kibana only uses proxies in "CONNECT" mode (sometimes referred to as "tunneling" TCP mode, compared to HTTP mode). That is, Kibana will always make requests through a proxy using the HTTP `CONNECT` method.
If your proxy is using the https protocol (vs the http protocol), the setting `xpack.actions.ssl.proxyVerificationMode: none` will likely be needed, unless your proxy's certificates are signed using a publicly available certificate authority.
There is currently no support for using basic authentication with a proxy (authentication for the proxy itself, not the URL being requested through the proxy).
Datatype: `string`
To help diagnose problems using a proxy, you can use the `curl` command with options to use your proxy, and log debug information, with the following command, replacing the proxy and target URLs as appropriate. This will force the request to be made to the proxy in tunneling mode, and display some of the interaction between the client and the proxy.
```sh
curl --verbose --proxytunnel --proxy http://localhost:8080
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies hostnames which should not use the proxy, if using a proxy for actions. The value is an array of hostnames as strings.
By default, all hosts will use the proxy, but if an action's hostname is in this list, the proxy will not be used. The settings `xpack.actions.proxyBypassHosts` and `xpack.actions.proxyOnlyHosts` cannot be used at the same time.
Datatype: `string`
For example:
```yaml
xpack.actions.proxyBypassHosts: [ "events.pagerduty.com" ]
```
If applicable, include the subdomain in the hostname.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies hostnames which should only use the proxy, if using a proxy for actions. The value is an array of hostnames as strings.
By default, no hosts will use the proxy, but if an action's hostname is in this list, the proxy will be used. The settings `xpack.actions.proxyBypassHosts` and `xpack.actions.proxyOnlyHosts` cannot be used at the same time.
Datatype: `string`
For example:
```yaml
xpack.actions.proxyOnlyHosts: [ "events.pagerduty.com" ]
```
If applicable, include the subdomain in the hostname.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies HTTP headers for the proxy, if using a proxy for actions.
Datatype: `string`
Default: `{}`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls the verification for the proxy server certificate that Kibana receives when making an outbound SSL/TLS connection to the proxy server.
Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification.
[Equivalent Kibana setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-ssl-verificationmode)
Datatype: `enum`
Default: `full`
Options:
- `full`
- `certificate`
- `none`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls the verification for the server certificate that Kibana receives when making an outbound SSL/TLS connection for actions. Valid values are `full`, `certificate`, and `none`. Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification.
[Equivalent Kibana setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-ssl-verificationmode)
This setting can be overridden for specific URLs by using the setting `xpack.actions.customHostSettings[n].ssl.verificationMode` (described above) to a different value.
Datatype: `enum`
Default: `full`
Options:
- `full`
- `certificate`
- `none`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the max number of bytes of the http response for requests to external resources.
Datatype: `int`
Default: `1000000 (1MB)`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the time allowed for requests to external resources. Requests that take longer are canceled. The time is formatted as a number and a time unit (`ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `Y`). For example, `20m`, `24h`, `7d`, `1w`. Default: `60s`.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum number of times an action can be attempted to run.
Datatype: `int`
Options:
- `minimum 1 and maximum 10`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Overrides the configs under `xpack.actions.run` for the connector type with the given ID. List the connector type identifier and its settings in an array of objects.
Datatype: `string`
For example:
```yaml
xpack.actions.run:
maxAttempts: 1
connectorTypeOverrides:
- id: '.server-log'
maxAttempts: 5
```
Elastic Stack: Generally available since 8.11
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum number of actions that can be queued.
Datatype: `int`
Default: `1000000`
### Preconfigured connector settings
These settings vary depending on which type of preconfigured connector you're adding.
For example:
```yaml
xpack.actions.preconfigured:
my-server-log:
name: preconfigured-server-log-connector-type
actionTypeId: .server-log
```
For more examples, go to [Preconfigured connectors](https://www.elastic.co/docs/reference/kibana/connectors-kibana/pre-configured-connectors).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Enables a preconfigured alert history Elasticsearch [Index](https://www.elastic.co/docs/reference/kibana/connectors-kibana/index-action-type) connector.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Specifies configuration details that are specific to the type of preconfigured connector.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The type of preconfigured connector.
Datatype: `enum`
Options:
- `.email`
- `.index`
- `.opsgenie`
- `.server-log`
- `.resilient`
- `.slack`
- `.webhook`
Self-managed Elastic deployments: Generally available
The configuration details, which are specific to the type of preconfigured connector.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [OpenAI connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/openai-action-type), specifies the OpenAI API provider.
Datatype: `enum`
Options:
- `OpenAI`
- `Azure OpenAI`
Self-managed Elastic deployments: Generally available
A configuration URL that varies by connector:
- For an [Amazon Bedrock connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/bedrock-action-type), specifies the Amazon Bedrock request URL.
- For an [Google Gemini connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/gemini-action-type), specifies the Google Gemini request URL.
- For a [OpenAI connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/openai-action-type), specifies the OpenAI request URL.
- For a [IBM Resilient connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/resilient-action-type), specifies the IBM Resilient instance URL.
- For a [Jira connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/jira-action-type), specifies the Jira instance URL.
- For an [Opsgenie connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/opsgenie-action-type), specifies the Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`.
- For a [PagerDuty connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/pagerduty-action-type), specifies the PagerDuty event URL. Defaults to `https://events.pagerduty.com/v2/enqueue`.
- For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SecOps](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type) specifies the ServiceNow instance URL.
- For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), specifies the Swimlane instance URL.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname in the URL is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
An application ID that varies by connector:
- For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), specifies a Swimlane application identifier.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A client identifier that varies by connector:
- For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies a GUID format value that corresponds to the client ID, which is a part of OAuth 2.0 client credentials authentication.
- For a [ServiceNow ITOM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), or [ServiceNow SecOps connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type) specifies the client identifier assigned to the OAuth application.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [xMatters connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/xmatters-action-type) with basic authentication, specifies the request URL for the Elastic Alerts trigger in xMatters.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a stringified JSON payload with Mustache variables that is sent to the create comment URL to create a case comment. The required variable is `case.description`.
Datatype: `string`
The JSON is validated after the Mustache variables have been placed when the REST method runs. You should manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies the REST API HTTP request method to create a case comment in the third-party system.
Datatype: `string`
Default: `put`
Options:
- `post`
- `put`
- `patch`
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a REST API URL string to create a case comment by ID in the third-party system.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname in the URL is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a stringified JSON payload with Mustache variables that is sent to the create case URL to create a case. Required variables are `case.title` and `case.description`.
Datatype: `string`
The JSON is validated after the Mustache variables have been placed when the REST method runs. You should manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies the REST API HTTP request method to create a case in the third-party system.
Datatype: `string`
Default: `post`
Options:
- `post`
- `put`
- `patch`
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a REST API URL string to create a case in the third-party system.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname in the URL is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a string from the response body of the create case method that corresponds to the external service identifier.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The default model to use for requests, which varies by connector:
- For an [Amazon Bedrock connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/bedrock-action-type), current support is for the Anthropic Claude models.
- Elastic Cloud Serverless: Generally available Defaults to `us.anthropic.claude-sonnet-4-5-20250929-v1:0`.
- Elastic Stack: Generally available since 9.2 Defaults to `us.anthropic.claude-sonnet-4-5-20250929-v1:0`.
- Elastic Stack: Generally available in 9.1 Defaults to `us.anthropic.claude-3-7-sonnet-20250219-v1:0`.
- Elastic Stack: Generally available in 9.0 Defaults to `anthropic.claude-3-5-sonnet-20240620-v1:0`.
- For a [Google Gemini connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/gemini-action-type), current support is for the Gemini models.
- Elastic Cloud Serverless: Generally available Defaults to `gemini-2.5-pro`.
- Elastic Stack: Generally available since 9.1 Defaults to `gemini-2.5-pro`.
- Elastic Stack: Generally available in 9.0 Defaults to `gemini-1.5-pro-002`.
- For a [OpenAI connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/openai-action-type), it is optional and applicable only when `xpack.actions.preconfigured..config.apiProvider` is `OpenAI`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [index connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/index-action-type), a field that indicates when the document was indexed.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies the from address for all emails sent by the connector. It must be specified in `user@host-name` format.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a string from the response body of the get case method that corresponds to the external service title.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a REST API URL string with an external service ID Mustache variable to get the case from the third-party system.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname in the URL is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
For an [email](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), [webhook](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type), or [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies whether a user and password are required inside the secrets configuration.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
For a [webhook](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type) or [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a set of key-value pairs sent as headers with the request.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies the host name of the service provider.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [index connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/index-action-type), specifies the Elasticsearch index.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SecOps](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies whether to use basic or OAuth authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SecOps](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies the key ID assigned to the JWT verifier map of your OAuth application. It is required when `xpack.actions.preconfigured..config.isOAuth` is `true`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), specifies field mappings.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the alert identifier. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the case identifier. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the case name. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the case comments. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the case description. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the rule name. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), specifies a field mapping for the severity. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type), specifies the HTTP request method, either `post` or `put`. Defaults to `post`.
Datatype: `enum`
Default: `post`
Options:
- `post`
- `put`
Self-managed Elastic deployments: Generally available
For an [IBM Resilient connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/resilient-action-type), specifies the IBM Resilient organization identifier.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies the port to connect to on the service provider.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Jira connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/jira-action-type), specifies the Jira project key.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies whether the connection will use TLS when connecting to the service provider. If not true, the connection will initially connect over TCP then attempt to switch to TLS via the SMTP STARTTLS command.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies the name of the email service. For example, `elastic_cloud`, `exchange_server`, `gmail`, `other`, `outlook365`, or `ses`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies a GUID format value that corresponds to a tenant ID, which is a part of OAuth 2.0 client credentials authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a stringified JSON payload with Mustache variables that is sent to the update case URL to update a case. Required variables are `case.title` and `case.description`.
Datatype: `string`
The JSON is validated after the Mustache variables have been placed when the REST method runs. You should manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies the REST API HTTP request method to update the case in the third-party system.
Datatype: `enum`
Default: `put`
Options:
- `post`
- `put`
- `patch`
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies the REST API URL to update the case by ID in the third-party system.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname in the URL is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
A configuration URL that varies by connector:
- For a [D3 Security connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/d3security-action-type), specifies the D3 Security API request URL.
- For a [Tines connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/tines-action-type), specifies the Tines tenant URL.
- For a [webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type), specifies the web service request URL.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SecOps](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies the user identifier. It is required when `xpack.actions.preconfigured..config.isOAuth` is `true`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [xMatters connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/xmatters-action-type), specifies whether it uses HTTP basic authentication.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type) or [ServiceNow SecOps connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), specifies whether the connector uses the Table API or the Import Set API. If set to `false`, the Elastic application should be installed in ServiceNow.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
For a [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a URL string with either the external service ID or external service title Mustache variable to view a case in the external system.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Torq connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/torq-action-type), specifies the endpoint URL of the Elastic Security integration in Torq.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The name of the preconfigured connector.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Sensitive configuration details, such as username, password, and keys, which are specific to the connector type.
Datatype: `string`
Sensitive properties, such as passwords, should be stored in the [Kibana keystore](https://www.elastic.co/docs/deploy-manage/security/secure-settings#creating-keystore).
Self-managed Elastic deployments: Generally available
For an [Amazon Bedrock connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/bedrock-action-type), specifies the AWS access key for authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
An API key secret that varies by connector.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A credentials secret that varies by connector:
- For a [Google Gemini connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/gemini-action-type), specifies the GCP service account credentials JSON file for authentication.
- For a [OpenAI connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/openai-action-type), specifies the OpenAI or Azure OpenAI API key for authentication.
- For an [Opsgenie connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/opsgenie-action-type), specifies the Opsgenie API authentication key for HTTP basic authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [IBM Resilient connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/resilient-action-type), specifies the authentication key ID for HTTP basic authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [IBM Resilient connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/resilient-action-type), specifies the authentication key secret for HTTP basic authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Jira](https://www.elastic.co/docs/reference/kibana/connectors-kibana/jira-action-type) or [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), specifies the API authentication token for HTTP basic authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A client secret that varies by connector:
- For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies the client secret that you generated for your app in the app registration portal. It is required when the email service is `exchange_server`, which uses OAuth 2.0 client credentials authentication.
- For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SecOps](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies the client secret assigned to the OAuth application. It is required when `xpack.actions.preconfigured..config.isOAuth` is `true`.
Datatype: `string`
The client secret must be URL-encoded.
Self-managed Elastic deployments: Generally available
An email address that varies by connector:
- For a [Jira connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/jira-action-type), specifies the account email for HTTP basic authentication.
- For a [Tines connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/tines-action-type), specifies the email used to sign in to Tines.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A password secret that varies by connector:
- For an [email](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), [webhook](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type), or [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a password that is required when `xpack.actions.preconfigured..config.hasAuth` is `true`.
- For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SecOps](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies a password that is required when `xpack.actions.preconfigured..config.isOAuth` is `false`.
- For an [xMatters connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/xmatters-action-type), specifies a password that is required when `xpack.actions.preconfigured..config.usesBasic` is `true`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SecOps](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies the RSA private key. It is required when `xpack.actions.preconfigured..config.isOAuth` is `true`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SecOps](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies the password for the RSA private key.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [PagerDuty connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/pagerduty-action-type), specifies the 32 character PagerDuty Integration Key for an integration on a service, also referred to as the routing key.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [Amazon Bedrock connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/bedrock-action-type), specifies the AWS secret for authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [xMatters connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/xmatters-action-type) with URL authentication, specifies the request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is used only when `xpack.actions.preconfigured..config.usesBasic` is `false`.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
A token secret that varies by connector:
- For a [D3 Security connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/d3security-action-type), specifies the D3 Security token.
- For a [Slack connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/slack-action-type), specifies the Slack bot user OAuth token.
- For a [Tines connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/tines-action-type), specifies the Tines API token.
- For a [Torq connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/torq-action-type), specifies the secret of the webhook authentication header.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A user name secret that varies by connector:
- For an [email](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), [webhook](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type), or [Webhook - Case Management connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a user name that is required when `xpack.actions.preconfigured..config.hasAuth` is `true`.
- For an [xMatters connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/xmatters-action-type), specifies a user name that is required when `xpack.actions.preconfigured..config.usesBasic` is `true`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A URL that varies by connector:
- For a [Microsoft Teams connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/teams-action-type), specifies the URL of the incoming webhook.
- For a [Slack connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/slack-action-type), specifies the Slack webhook URL.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SecOps](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies a user name that is required when `xpack.actions.preconfigured..config.isOAuth` is `false`.
Datatype: `string`
Elastic Stack: Generally available since 9.1
Self-managed Elastic deployments: Generally available
Disable PFX file support for SSL client authentication. When set to `false`, the application will not accept PFX certificate files and will require separate certificate and private key files instead. Only applies to the [Webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type).
Datatype: `bool`
Default: `true`
### Alerting settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies whether to skip writing alerts and scheduling actions if rule processing was cancelled due to a timeout. This setting can be overridden by individual rule types.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Specifies the maximum number of rules to run per minute.
Datatype: `int`
Default: `32000`
In Serverless, the maximum number of rules to run per minute is set to `800` for Elastic Security projects and `400` for other projects. This setting can't be configured.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the minimum schedule interval for rules. This minimum is applied to all rules created or updated after you set this value. The time is formatted as a number and a time unit (`s`, `m`, `h`, or `d`). For example, `20m`, `24h`, `7d`. This duration cannot exceed `1d`.
Datatype: `string`
Default: `1m`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the behavior when a new or changed rule has a schedule interval less than the value defined in `xpack.alerting.rules.minimumScheduleInterval.value`. If `false`, rules with schedules less than the interval will be created but warnings will be logged. If `true`, rules with schedules less than the interval cannot be created.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum number of actions that a rule can generate each time detection checks run.
Datatype: `int`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum number of alerts that a rule can generate each time detection checks run.
Datatype: `int`
Default: `1000`
The exact number of alerts your cluster can safely handle depends on your cluster configuration and workload. While it is technically possible to increase this value above 1000, doing so is not recommended and not supported. Increasing this limit can significantly affect Kibana and Elasticsearch performance and memory usage. Carefully evaluate the impact on your deployment before making this change.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the default timeout for tasks associated with all types of rules. The time is formatted as a number and a time unit (`ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `Y`). For example, `20m`, `24h`, `7d`, `1w`. Default: `5m`.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Overrides the configs under `xpack.alerting.rules.run` for the rule type with the given ID. List the rule identifier and its settings in an array of objects.
Datatype: `string`
For example:
```yaml
xpack.alerting.rules.run:
timeout: '5m'
ruleTypeOverrides:
- id: '.index-threshold'
timeout: '15m'
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Overrides the configs under `xpack.alerting.rules.run.actions` for the connector type with the given ID. List the connector type identifier and its settings in an array of objects.
Datatype: `string`
For example:
```yaml
xpack.alerting.rules.run:
actions:
max: 10
connectorTypeOverrides:
- id: '.server-log'
max: 5
```
Elastic Stack: Removed in 9.0, Elastic Stack: Generally available from 7.15 to 9.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum number of actions that a single alert instance could run using ephemeral tasks (in-memory, non-persisted).
Datatype: `int`
Ignored since 9.0. Ephemeral tasks were removed. If you are upgrading your cluster or using the current version, you must remove this setting from your `kibana.yml` file to avoid configuration errors.
Elastic Stack: Removed in 8.2, Elastic Stack: Generally available from 7.16 to 8.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The default timeout for rule tasks. Accepts a duration string such as `5m` or `1h`.
Datatype: `string`
Removed in 8.2. Use `xpack.alerting.rules.run.timeout` instead.
Elastic Stack: Generally available since 7.7
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to log event log document entries in the Kibana server log. Useful for debugging but can be verbose in production.
Datatype: `bool`
Default: `false`
### Rule Registry settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
An array of observability rule registration contexts whose alert indices should not be written to. Allowed values are `observability.logs`, `observability.metrics`, `observability.apm`, and `observability.uptime`.
Datatype: `array of strings`
Default: `[]`
## APM
These settings allow the APM app to function, and specify the data that it surfaces. Unless you've customized your setup, you do not need to configure any settings to use the APM app. It is enabled by default.
### APM indices
The APM app uses data views to query APM indices. To change the default APM indices that the APM app queries, open the APM app and select **Settings** > **Indices**. Index settings in the APM app take precedence over those set in `kibana.yml`.
APM indices are Kibana space-aware; changes to APM index settings will only apply to the currently enabled space.
### General APM settings
If you'd like to change any of the default values, copy and paste the relevant settings into your `kibana.yml` configuration file. Changing these settings may disable features of the APM App.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Maximum number of suggestions fetched in autocomplete selection boxes.
Datatype: `int`
Default: `100`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Maximum number of unique transaction combinations sampled for generating service map focused on a specific service.
Datatype: `int`
Default: `100`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Maximum number of unique transaction combinations sampled for generating the global service map.
Datatype: `int`
Default: `1000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `false` to disable service maps.
Datatype: `bool`
Default: `true`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Maximum number of trace IDs sampled for generating service map focused on a specific service.
Datatype: `int`
Default: `65`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Maximum number of trace IDs sampled for generating the global service map.
Datatype: `int`
Default: `6`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Maximum number of traces per request for generating the global service map.
Datatype: `int`
Default: `50`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `false` to hide the APM app from the main menu.
Datatype: `bool`
Default: `true`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Maximum number of child items displayed when viewing trace details.
Datatype: `int`
Default: `5000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Index name where Observability annotations are stored.
Datatype: `string`
Default: `observability-annotations`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets a `fixed_interval` for date histograms in metrics aggregations.
Datatype: `int`
Default: `30`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to enable cloud APM migrations.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Matcher for all error indices.
Datatype: `string`
Default: `logs-apm*,apm-*,logs-*.otel-*`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Matcher for all onboarding indices.
Datatype: `string`
Default: `apm-*`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Matcher for all span indices.
Datatype: `string`
Default: `traces-apm*,apm-*,traces-*.otel-*`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Matcher for all transaction indices.
Datatype: `string`
Default: `traces-apm*,apm-*,traces-*.otel-*`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Matcher for all metrics indices.
Datatype: `string`
Default: `metrics-apm*,apm-*,metrics-*.otel-*`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Matcher for all source map indices.
Datatype: `string`
Default: `apm-*`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `false` to disable the automatic creation of the APM data view when the APM app is opened.
Datatype: `bool`
Default: `true`
Elastic Stack: Generally available since 7.10
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls the search strategy used for transactions. When set to `auto`, Kibana uses aggregated transactions if available and falls back to individual transactions. Set to `always` to force the use of aggregated transactions, or `never` to always query individual transactions.
Datatype: `enum`
Default: `auto`
Options:
- `auto`
- `always`
- `never`
Self-managed Elastic deployments: Generally available
Specifies the URL of a self hosted file that contains latest agent versions. Set to `''` to disable requesting latest agent versions.
Datatype: `string`
Default: `https://apm-agent-versions.elastic.co/versions.json`
## Banners
Banners are disabled by default. You need to manually configure them in order to use the feature.
You can configure the `xpack.banners` settings in your `kibana.yml` file.
Banners are a [subscription feature](https://www.elastic.co/subscriptions).
### All settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `top` to display a banner above the Elastic header.
Datatype: `enum`
Default: `disabled`
Options:
- `disabled`
- `top`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The text to display inside the banner, either plain text or Markdown.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The color for the banner text.
Datatype: `string`
Default: `#8A6A0A`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The color for the banner link text.
Datatype: `string`
Default: `#0B64DD`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The color of the banner background.
Datatype: `string`
Default: `#FFF9E8`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
If true, per-space banner overrides will be disabled.
Datatype: `bool`
Default: `false`
## Cases
You do not need to configure any additional settings to use [cases](https://www.elastic.co/docs/explore-analyze/alerts-cases/cases) in Kibana. To provide greater control over case features, you can configure the following settings in the `kibana.yml` file:
### Cases settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The MIME types that you can attach to a case, represented in an array of strings. For example: `['image/tiff','text/csv','application/zip'].` The default MIME types are specified in [mime_types.ts](https://github.com/elastic/kibana/blob/master/x-pack/platform/plugins/shared/cases/common/constants/mime_types.ts).
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The size limit for files that you can attach to a case, represented as the number of bytes. By default, the limit is 10 MiB for images and 100 MiB for all other MIME types. If you specify a value for this setting, it affects all file types.
Datatype: `int`
Elastic Stack: Generally available since 8.19
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to enable the Cases analytics index, which stores case data in a dedicated index for analytics purposes.
Datatype: `bool`
Default: `false`
## Fleet and integrations
By default, Fleet is enabled. To use Fleet, you also need to configure Kibana and Elasticsearch hosts.
Many Fleet settings can also be configured directly through the Fleet UI. See [Fleet UI settings](https://www.elastic.co/docs/reference/fleet/fleet-settings) for details.
Go to the [Fleet](https://www.elastic.co/docs/reference/fleet/index) docs for more information about Fleet.
In Elastic Cloud, Fleet flags are already configured.
### General Fleet settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` (default) to enable Fleet.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set to `true` to indicate Fleet is running in an air-gapped environment. Refer to [Air-gapped environments](https://www.elastic.co/docs/reference/fleet/air-gapped) for details. Enabling this flag helps Fleet skip needless requests and improve the user experience for air-gapped environments.
Datatype: `bool`
Default: `false`
Elastic Stack: Generally available since 8.9
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Allow to configure batch size for creating and updating Fleet user artifacts. Examples include creation of Trusted Applications and Endpoint Exceptions in Security.
Datatype: `int`
### Elastic Package Manager settings
Self-managed Elastic deployments: Generally available
The address to use to reach the Elastic Package Manager registry.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The proxy address to use to reach the Elastic Package Manager registry if an internet connection is not directly available. Refer to [Air-gapped environments](https://www.elastic.co/docs/reference/fleet/air-gapped) for details.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The path on disk to the GPG key used to verify Elastic Package Manager packages. If the Elastic public key is ever reissued as a security precaution, you can use this setting to specify the new key.
Datatype: `string`
### Fleet settings
The `xpack.fleet.agents.elasticsearch.*` settings are intended for a quickstart setup. For more advanced use cases, use the `xpack.fleet.outputs` setting to preconfigure outputs.
Self-managed Elastic deployments: Generally available
Hostnames used by Elastic Agent for accessing Fleet Server.
If configured in your `kibana.yml`, this setting is grayed out and unavailable in the Fleet UI. To make this setting editable in the UI, do not configure it in the configuration file.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Hostnames used by Elastic Agent for accessing Elasticsearch.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Hash pin used for certificate verification. The pin is a base64-encoded string of the SHA-256 fingerprint.
Datatype: `string`
### Preconfiguration settings (for advanced use cases)
Use these settings to pre-define integrations, agent policies, and Fleet Server hosts or proxies that you want Fleet to load up by default.
These settings are not supported to pre-configure the Endpoint and Cloud Security integration.
Self-managed Elastic deployments: Generally available
List of integrations that are installed when the Fleet app starts up for the first time.
Datatype: `string`
```yaml
xpack.fleet.packages:
- name: apache
version: 0.5.0
xpack.fleet.agentPolicies:
- name: Preconfigured Policy
id: preconfigured-policy
namespace: test
package_policies:
- package:
name: system
name: System Integration
namespace: test
id: preconfigured-system
inputs:
system-system/metrics:
enabled: true
vars:
'[system.hostfs]': home/test
streams:
'[system.core]':
enabled: true
vars:
period: 20s
system-winlog:
enabled: false
```
Self-managed Elastic deployments: Generally available
Required. Name of the integration from the package registry.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Either an exact semantic version, or the keyword `latest` to fetch the latest integration version.
Datatype: `string`
Self-managed Elastic deployments: Generally available
List of agent policies that are configured when the Fleet app starts.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Unique ID for this policy. The ID may be a number or string.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Name of the agent policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Text description of this policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. String identifying this policy's namespace.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. List of keywords that specify the monitoring data to collect. Valid values include `['logs']`, `['metrics']`, and `['logs', 'metrics']`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. If `true`, monitoring will be enabled, but logs/metrics collection will be disabled. Use this if you want to keep agent's monitoring server alive even when logs/metrics aren't being collected.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. If `true`, this policy is not editable by the user and can only be changed by updating the Kibana config.
Datatype: `bool`
Elastic Stack: Deprecated since 8.1
Self-managed Elastic deployments: Deprecated since 8.1
Optional. If `true`, this policy is the default agent policy.
Datatype: `bool`
Deprecated in 8.1.0.
Elastic Stack: Deprecated since 8.1
Self-managed Elastic deployments: Deprecated since 8.1
Optional. If `true`, this policy is the default Fleet Server agent policy.
Datatype: `bool`
Deprecated in 8.1.0.
Self-managed Elastic deployments: Generally available
Optional. ID of the output to send data. (Need to be identical to `monitoring_output_id`)
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. ID of the output to send monitoring data. (Need to be identical to `data_output_id`)
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. ID of the fleet server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. List of integration policies to add to this policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Unique ID of the integration policy. The ID may be a number or string.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Name of the integration policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Integration that this policy configures.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Name of the integration associated with this policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Text string describing this integration policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
String identifying this policy's namespace.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Map of input for the integration. Follows the same schema as the package policy API inputs, with the exception that any object in `vars` can be passed `frozen: true` in order to prevent that specific `var` from being edited by the user.
Datatype: `string`
Self-managed Elastic deployments: Generally available
List of outputs that are configured when the Fleet app starts.
Certain types of outputs have additional required and optional settings. Refer to [Output settings](https://www.elastic.co/docs/reference/fleet/fleet-settings#output-settings) in the Fleet and Elastic Agent Guide for the full list of settings for each output type.
If configured in your `kibana.yml`, output settings are grayed out and unavailable in the Fleet UI. To make these settings editable in the UI, do not configure them in the configuration file.
Datatype: `string`
The `xpack.fleet.outputs` settings are intended for advanced configurations such as having multiple outputs. We recommend not enabling the `xpack.fleet.agents.elasticsearch.host` settings when using `xpack.fleet.outputs`.
```yaml
xpack.fleet.outputs:
- id: my-logstash-output-with-a-secret
name: preconfigured logstash output with a secret
type: logstash
hosts: ["localhost:9999"]
ssl:
certificate: xxxxxxxxxx
secrets:
ssl:
key: securekey
```
Self-managed Elastic deployments: Generally available
Required. Unique ID for this output. The ID should be a string.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Name of the output.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Type of Output.
Datatype: `enum`
Options:
- `elasticsearch`
- `logstash`
- `kafka`
- `remote_elasticsearch`
Self-managed Elastic deployments: Generally available
Optional. Array that contains the list of host for that output.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. If `true`, the output specified in `xpack.fleet.outputs` will be the one used to send agent data unless there is another one configured specifically for the agent policy.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. If `true`, the output specified in `xpack.fleet.outputs` will be the one used to send agent monitoring data unless there is another one configured specifically for the agent policy.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. If `true`, the output specified in `xpack.fleet.outputs` will not appear in the UI, and can only be managed via `kibana.yml` or the Fleet API.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. Extra config for that output.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Unique ID of a proxy to access the output.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Set to enable authentication using the Secure Sockets Layer (SSL) protocol.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The SSL certificate that Elastic Agents use to authenticate with the output. Include the full contents of the certificate here.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Certificate authority (CA) used to issue the certificate.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Include here any values for preconfigured outputs that should be stored as secrets. A secret value is replaced in the `kibana.yml` settings file with a reference, with the original value stored externally as a secure hash. Note that this type of secret storage requires all configured Fleet Servers to be on version 8.12.0 or later.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The private certificate key that Elastic Agents use to authenticate with the output.
Datatype: `string`
Self-managed Elastic deployments: Generally available
List of Fleet Server hosts that are configured when the Fleet app starts.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Unique ID for the host server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Name of the host server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Array of one or more host URLs that Elastic Agents will use to connect to Fleet Server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Whether or not this host should be the default to use for Fleet Server.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. If `true` the host will not appear in the UI, and can only be managed through `kibana.yml` or the Fleet API.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. Unique ID of the proxy to access the Fleet Server host.
Datatype: `string`
Self-managed Elastic deployments: Generally available
List of proxies to access Fleet Server that are configured when the Fleet app starts.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Unique ID of the proxy to access the Fleet Server host.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Name of the proxy to access the Fleet Server host.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. URL that Elastic Agents use to connect to the proxy to access Fleet Server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Map of headers to use with the proxy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Key to use for the proxy header.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Value to use for the proxy header.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Certificate authority (CA) used to issue the certificate.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. The name of the certificate used to authenticate the proxy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. The certificate key used to authenticate the proxy.
Datatype: `string`
Elastic Stack: Deprecated since 9.3, Elastic Stack: Generally available from 8.6 to 9.2
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of experimental feature flag to enable in Fleet.
Datatype: `string`
From 9.3.0 onwards, use `xpack.fleet.experimentalFeatures` to explicitly enable or disable experimental features.
Elastic Stack: Generally available since 9.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set experimental feature flags to `true` or `false` to enable or disable them, respectively.
Datatype: `string`
Experimental features should not be enabled in production environments. The features in this section are experimental and may be changed or removed completely in future releases. Elastic will make a best effort to fix any issues, but experimental features are not supported to the same level as generally available (GA) features.
```yaml
xpack.fleet.experimentalFeatures:
useSpaceAwareness: false
enableAgentPrivilegeLevelChange: true
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` (default), to enable the automatic creation of global `logs-*` and `metrics-*` data views.
Datatype: `bool`
Default: `true`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Configure the interval of the automatic upgrade task for Fleet-managed Elastic Agents.
Datatype: `string`
Default: `30m`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Configure the retry delays of the automatic upgrade task for Fleet-managed Elastic Agents. The array's length indicates the maximum number of retries.
Datatype: `string`
Default: `['30m', '1h', '2h', '4h', '8h', '16h', '24h']`
Elastic Stack: Generally available since 9.4
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Configure the interval at which Fleet reassigns agents to the matching [version-specific agent policy](https://www.elastic.co/docs/reference/fleet/version-specific-agent-policies).
Datatype: `string`
Default: `1m`
Elastic Stack: Generally available since 9.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Configure the time-to-live (TTL) for integration rollback availability. This setting controls how long the rollback option remains available after an integration is upgraded. The value must be specified in a duration format (for example, `7d`, `14d`, `168h`, or `1w`). For more information, refer to [Roll back an integration](https://www.elastic.co/docs/reference/fleet/roll-back-integration).
Datatype: `string`
Default: `7d`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum number of revisions to maintain for a Fleet agent policy.
Datatype: `int`
Default: `10`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The time interval for performing cleanups of Fleet agent policy revisions. The value must be specified in a duration format (for example, `30m`, `1h`, `1d`).
Datatype: `string`
Default: `1h`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum number of Fleet agent policies to clean up revisions from per interval.
Datatype: `int`
Default: `100`
Configure the following Automatic Import settings in the `kibana.yml` file.
Automatic Import helps you create new Elastic integrations using AI.
### Automatic Import settings
Elastic Stack: Generally available since 8.15
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `false` to disable the Automatic Import feature. Previously known as `xpack.integration_assistant.enabled`.
Datatype: `bool`
Default: `true`
## Internationalization
You do not need to configure any settings to run Kibana in English.
### General settings
Elastic Stack: Planned
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The locale used for server-rendered strings and as the default for users
who haven't picked a preferred language. Must be one of the values listed
in `i18n.locales` when that setting is non-empty.
Datatype: `string`
Default: `'en'`
Elastic Stack: Planned
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The list of locales that Kibana offers in the per-user language picker.
Locales not in this list are not available to users, even if translation
files for them are installed. Set to `[]` to disable the language picker
entirely.
Datatype: `list`
Default: `["en", "fr-FR", "ja-JP", "zh-CN", "de-DE"]`
Elastic Stack: Planned
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
When `true` (the default), Kibana writes a `KBN_LOCALE` cookie on every
rendered response so the browser remembers the resolved locale across
page loads, anonymous pages, and post-logout browsing. Set to `false`
to disable the cookie.
Datatype: `boolean`
Default: `true`
Elastic Stack: Planned for deprecation
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set the Kibana interface language.
Datatype: `enum`
Default: `en`
Options:
- `en`: English
- `zh-CN`: Chinese
- `ja-JP`: Japanese
- `fr-FR`: French
- `de-DE`: German
Replaced by `i18n.defaultLocale`. Kibana continues to honor `i18n.locale` if set, logging a deprecation warning at startup.
## Logging
You do not need to configure any additional settings to use the logging features in Kibana. Logging is enabled by default and will log at `info` level using the `pattern` layout, which outputs logs to `stdout`.
However, if you are planning to ingest your logs using Elasticsearch or another tool, we recommend using the `json` layout, which produces logs in ECS format. In general, `pattern` layout is recommended when raw logs will be read by a human, and `json` layout when logs will be read by a machine.
The logging configuration is validated against the predefined schema and if there are any issues with it, Kibana will fail to start with the detailed error message.
Kibana relies on three high-level entities to set the logging service: appenders, loggers, and root. These can be configured in the `logging` namespace in `kibana.yml`.
- Appenders define where log messages are displayed (stdout or console) and their layout (`pattern` or `json`). They also allow you to specify if you want the logs stored and, if so, where (file on the disk), or shipped to an OpenTelemetry (OTLP) endpoint.
- Loggers define what logging settings, such as the level of verbosity and the appenders, to apply to a particular context. Each log entry context provides information about the service or plugin that emits it and any of its sub-parts, for example, `metrics.ops` or `elasticsearch.query`.
- Root is a logger that applies to all the log entries in Kibana.
For details on audit logging settings, refer to the [Kibana security settings](/elastic/docs-builder/docs/3522/reference/kibana/configuration-reference/security-settings#audit-logging-settings).
### Logging settings
The following list serves as a quick reference for different logging configuration keys. Note that these are not stand-alone settings and may require additional logging configuration. See the [Configure Logging in Kibana](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging) guide and complete [examples](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples) for common configuration use cases.
Self-managed Elastic deployments: Generally available
Unique appender identifier.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Appender to use for logging records to **stdout**. By default, uses the `[%date][%level][%logger] %message %error` **pattern** layout. To use a **json**, set the [layout type to `json`](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples#log-in-json-ecs-example).
Elastic Stack: Generally available since 9.1 `%error` is present since Stack version 9.1.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Allows you to specify a fileName to write log records to disk. To write [all log records to file](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples#log-to-file-example), add the file appender to `root.appenders`. If configured, you also need to specify [`logging.appenders.file.pathName`](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples#log-to-file-example).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Similar to [Log4j's](https://logging.apache.org/log4j/2.x/) `RollingFileAppender`, this appender will log to a file and rotate if following a rolling strategy when the configured policy triggers. There are currently two policies supported: [`size-limit`](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#size-limit-triggering-policy) and [`time-interval`](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#time-interval-triggering-policy).
Datatype: `string`
Elastic Stack: Planned
Self-managed Elastic deployments: Generally available
Ships log records to an OpenTelemetry-compatible (OTLP) endpoint over HTTP, Protobuf, or gRPC. Records are buffered by the OpenTelemetry SDK's `BatchLogRecordProcessor` and flushed periodically or on shutdown.
To forward all logs to an OTLP endpoint, add the appender to `logging.root.appenders`:
```yaml
logging:
appenders:
otlp:
type: otel
protocol: proto
url: https://collector:4318/v1/logs
headers:
Authorization: 'Bearer '
attributes:
'[deployment.environment]': production
root:
appenders: [default, otlp]
```
Datatype: `string`
Self-managed Elastic deployments: Generally available
The appender type determines where the log messages are sent. Required.
Datatype: `enum`
Options:
- `console`
- `file`
- `otel`
- `rewrite`
- `rolling-file`
Self-managed Elastic deployments: Generally available
Determines the filepath where the log messages are written to for file and rolling-file appender types. Required for appenders that write to file.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specify the triggering policy for when a rollover should occur for the `rolling-file` type appender.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specify the time interval for rotating a log file for a `time-interval` type `rolling-file` appender.
Datatype: `string`
Default: `24h`
Self-managed Elastic deployments: Generally available
Specify the size limit at which the policy should trigger a rollover for a `size-limit` type `rolling-file` appender.
Datatype: `string`
Default: `100mb`
Self-managed Elastic deployments: Generally available
Whether the interval should be adjusted to cause the next rollover to occur on the interval boundary.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Rolling file strategy type. Only `numeric` is currently supported.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The suffix to append to the file path when rolling. Must include `%i`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The maximum number of files to keep. The maximum is `100`.
Datatype: `int`
Default: `7`
Elastic Stack: Planned
Self-managed Elastic deployments: Generally available
The OTLP endpoint URL to which log records are shipped. Required for the `otel` appender type.
The expected path depends on the chosen protocol:
- HTTP/Protobuf (`http` or `proto`): typically ends in `/v1/logs`. For example, `https://collector:4318/v1/logs`.
- gRPC (`grpc`): a bare host and port without a path. For example, `https://collector:4317`.
Datatype: `string`
Elastic Stack: Planned
Self-managed Elastic deployments: Generally available
The transport protocol used to send log records to the OTLP endpoint. Applies to the `otel` appender type only.
- `proto` (default): OTLP over HTTP using Protobuf encoding. More compact than `http` (JSON) and more broadly compatible than `grpc`, which requires HTTP/2.
- `http`: OTLP over HTTP using JSON encoding.
- `grpc`: OTLP over gRPC. Headers must be provided as gRPC metadata key-value pairs.
Datatype: `enum`
Default: `proto`
Options:
- `proto`
- `http`
- `grpc`
Elastic Stack: Planned
Self-managed Elastic deployments: Generally available
Optional map of HTTP headers sent with every request to the OTLP endpoint. Applies to the `otel` appender type only. Commonly used for authentication. For example, `Authorization: 'Bearer '` or `Authorization: 'ApiKey '`.
For the `grpc` protocol the key-value pairs are sent as gRPC metadata instead of HTTP headers.
Header values are stored in plain text in `kibana.yml`. Use a secrets management solution or environment-variable substitution to avoid exposing credentials.
Datatype: `object`
Elastic Stack: Planned
Self-managed Elastic deployments: Generally available
Optional TLS settings for the OTLP endpoint, including mutual TLS (client certificates). Applies to the `otel` appender for all protocols (`http`, `proto`, `grpc`).
- `certificateAuthorities`: PEM-encoded CA bundle(s) used to verify the server certificate. Use a filesystem path to a PEM file (recommended), an inline PEM string (must contain `-----BEGIN`), or an array of paths when multiple CAs are required.
- `certificate` / `key`: Client certificate and private key for mTLS. Both must be set together. Values may be paths or inline PEM strings.
- `keyPassphrase`: Passphrase when the private key is encrypted (requires `key`).
- `verificationMode`: How strictly to verify the server certificate: `full` (default), `certificate` (verify chain but not hostname), or `none` (insecure; not recommended outside controlled environments).
For `http` and `proto`, these map to Node.js `https.Agent` TLS options. For `grpc`, they map to `@grpc/grpc-js` `credentials.createSsl` channel credentials.
Prefer file paths readable by the Kibana process (for example under `/etc/kibana/certs/`). Ensure private keys are not world-readable. TLS material is never written to Kibana logs on success or failure.
The passphrase and the certificates (if provided as inline PEM strings) are stored in plain text in `kibana.yml`. Use a secrets management solution or environment variable substitution to avoid exposing credentials.
Datatype: `object`
Elastic Stack: Planned
Self-managed Elastic deployments: Generally available
Optional map of additional OpenTelemetry resource attributes merged on top of the auto-detected host, process, OS, and service attributes. Applies to the `otel` appender type only. Can be used to set or override attributes such as `service.name` or `deployment.environment`.
Because Kibana expands dotted YAML keys into nested objects, wrap dotted attribute names in square brackets:
```yaml
attributes:
'[service.name]': my-kibana
'[deployment.environment]': production
```
Datatype: `object`
Self-managed Elastic deployments: Generally available
Determines how the log messages are displayed. Required.
Datatype: `enum`
Options:
- `pattern`: Provides human-readable output.
- `json`: Provides ECS-compliant output.
Self-managed Elastic deployments: Generally available
Optional boolean to highlight log messages in color. Applies to `pattern` layout only.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Optional [string pattern](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#pattern-layout) for placeholders that will be replaced with data from the actual log message. Applicable to pattern type layout only.
Datatype: `string`
Self-managed Elastic deployments: Generally available
List of specific appenders to apply to `root`. Defaults to `console` with `pattern` layout.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specify default verbosity for all log messages to fall back to if not specifically configured at the individual logger level. The `all` and `off` levels can be used only in configuration and are just handy shortcuts that allow you to log every log record or disable logging entirely or for a specific logger.
Datatype: `enum`
Default: `info`
Options:
- `all`
- `fatal`
- `error`
- `warn`
- `info`
- `debug`
- `trace`
- `off`
Self-managed Elastic deployments: Generally available
Specific logger instance.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specify verbosity of log messages for a logger context. Optional and inherits the verbosity of any ancestor logger, up to the `root` logger `level`.
Datatype: `enum`
Options:
- `all`
- `fatal`
- `error`
- `warn`
- `info`
- `debug`
- `trace`
- `off`
Self-managed Elastic deployments: Generally available
Determines the appender to apply to a specific logger context as an array. Optional and falls back to the appender(s) of the `root` logger if not specified.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional boolean to log debug messages when a deprecated API is called.
Datatype: `bool`
Default: `false`
## Maps
### General map settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies additional vector layers for use in [Region Map](https://www.elastic.co/docs/explore-analyze/visualize/maps/maps-getting-started) visualizations. Each layer object points to an external vector file that contains a geojson FeatureCollection. The file must use the [WGS84 coordinate reference system](https://en.wikipedia.org/wiki/World_Geodetic_System) and only include polygons. If the file is hosted on a separate domain from Kibana, the server needs to be CORS-enabled so Kibana can download the file.
Datatype: `string`
The following example shows a valid regionmap configuration.
```yaml
map.regionmap:
includeElasticMapsService: false
layers:
- name: "Departments of France"
url: "/france_departements.geojson"
attribution: "INRAP"
fields:
- name: "department"
description: "Full department name"
- name: "INSEE"
description: "INSEE numeric identifier"
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Turns on or off whether layers from the Elastic Maps Service should be included in the vector layer option list. Supported on Elastic Cloud Enterprise. By turning this off, only the layers that are configured here will be included.
Datatype: `bool`
Default: `true`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Optional. References the originating source of the geojson file.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Mandatory. Each layer can contain multiple fields to indicate what properties from the geojson features you wish to expose. The previous example shows how to define multiple properties.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Mandatory. The human readable text that is shown under the Options tab when building the Region Map visualization.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Mandatory. This value is used to do an inner-join between the document stored in Elasticsearch and the geojson file. For example, if the field in the geojson is called `Location` and has city names, there must be a field in Elasticsearch that holds the same values that Kibana can then use to lookup for the geoshape data.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Mandatory. A description of the map being provided.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Mandatory. The location of the geojson file as provided by a webserver.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the map attribution string. Attribution must be a list of links, delimited by `\|`. For example: `"[attribution 1](https://www.attribution1)\|[attribution 2](https://www.attribution2)"`
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the maximum zoom level.
Datatype: `int`
Default: `10`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the minimum zoom level.
Datatype: `int`
Default: `0`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Provides an array of subdomains used by the tile service. Specify the position of the subdomain the URL with the token `{s}`.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the URL to the tileservice that Kibana uses to display map tiles in tilemap visualizations.
Datatype: `string`
## Monitoring
By default, **Stack Monitoring** is enabled, but data collection is disabled. When you first start Kibana monitoring, you are prompted to enable data collection. If you are using Elastic Stack security features, you must be signed in as a user with the `cluster:manage` privilege to enable data collection. The built-in `superuser` role has this privilege and the built-in `elastic` user has this role.
You can adjust how monitoring data is collected from Kibana and displayed in Kibana by configuring settings in the `kibana.yml` file. There are also `monitoring.ui.elasticsearch.*` settings, which support the same values as [Kibana configuration settings](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings).
To control how data is collected from your Elasticsearch nodes, you configure [`xpack.monitoring.collection` settings](https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/monitoring-settings) in `elasticsearch.yml`. To control how monitoring data is collected from Logstash, configure monitoring settings in `logstash.yml`.
For more information, check out [Monitor a cluster](https://www.elastic.co/docs/deploy-manage/monitor).
### General monitoring settings
Elastic Stack: Deprecated since 7.11
Self-managed Elastic deployments: Deprecated
When enabled, sends email notifications for Watcher alerts to the specified email address.
Datatype: `bool`
Default: `true`
Deprecated in 7.11.
Elastic Stack: Deprecated since 7.11
Elastic Cloud Hosted: Deprecated, Self-managed Elastic deployments: Deprecated
When enabled, specifies the email address where you want to receive cluster alert notifications.
Datatype: `string`
Deprecated in 7.11.
Self-managed Elastic deployments: Generally available
Set to `true` (default) to enable [cross-cluster search](https://www.elastic.co/docs/solutions/search/cross-cluster-search) of your monitoring data. The [`remote_cluster_client`](https://www.elastic.co/docs/deploy-manage/remote-clusters/remote-clusters-settings) role must exist on each node.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Specifies the location of the Elasticsearch cluster where your monitoring data is stored.
By default, this is the same as [`elasticsearch.hosts`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-hosts). This setting enables you to use a single Kibana instance to search and visualize data in your production cluster as well as monitor data sent to a dedicated monitoring cluster.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies the username used by Kibana monitoring to establish a persistent connection in Kibana to the Elasticsearch monitoring cluster and to verify licensing status on the Elasticsearch monitoring cluster when using `monitoring.ui.elasticsearch.hosts`.
All other requests performed by **Stack Monitoring** to the monitoring Elasticsearch cluster uses the authenticated user's credentials, which must be the same on both the Elasticsearch monitoring cluster and the Elasticsearch production cluster.
If not set, Kibana uses the value of the [`elasticsearch.username`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-user-passwd) setting.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies the password used by Kibana monitoring to establish a persistent connection in Kibana to the Elasticsearch monitoring cluster and to verify licensing status on the Elasticsearch monitoring cluster when using `monitoring.ui.elasticsearch.hosts`.
All other requests performed by **Stack Monitoring** to the monitoring Elasticsearch cluster use the authenticated user's credentials, which must be the same on both the Elasticsearch monitoring cluster and the Elasticsearch production cluster.
If not set, Kibana uses the value of the [`elasticsearch.password`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-user-passwd) setting.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies a [service account token](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-service-token) for the Elasticsearch cluster where your monitoring data is stored when using `monitoring.ui.elasticsearch.hosts`. This setting is an alternative to using `monitoring.ui.elasticsearch.username` and `monitoring.ui.elasticsearch.password`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies the time in milliseconds to wait for Elasticsearch to respond to internal health checks. By default, it matches the [`elasticsearch.pingTimeout`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-pingTimeout) setting, which has a default value of `30000`.
Datatype: `int`
Default: `30000`
Self-managed Elastic deployments: Generally available
Shares the same configuration as [`elasticsearch.ssl`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-ssl-cert-key). These settings configure encrypted communication between Kibana and the monitoring cluster.
Datatype: `string`
### Monitoring collection settings
These settings control how data is collected from Kibana.
Self-managed Elastic deployments: Generally available
Set to `true` (default) to enable data collection from the Kibana NodeJS server for Kibana dashboards to be featured in **Stack Monitoring**.
Datatype: `bool`
Default: `true`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the number of milliseconds to wait in between data sampling on the Kibana NodeJS server for the metrics that are displayed in the Kibana dashboards. Defaults to `10000` (10 seconds).
Datatype: `int`
Default: `10000`
### Monitoring UI settings
These settings adjust how **Stack Monitoring** displays monitoring data. However, the defaults work best in most circumstances. For more information about configuring Kibana, see [Setting Kibana server properties](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings).
Self-managed Elastic deployments: Generally available
Specifies the number of log entries to display in **Stack Monitoring**. Defaults to `10`. The maximum value is `50`.
Datatype: `int`
Default: `10`
Self-managed Elastic deployments: Generally available
Set to `false` to hide **Stack Monitoring**. The monitoring back-end continues to run as an agent for sending Kibana stats to the monitoring cluster. Defaults to `true`.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Specifies the name of the indices that are shown on the [**Logs**](https://www.elastic.co/docs/deploy-manage/monitor/monitoring-data/elasticsearch-metrics#logs-monitor-page) page in **Stack Monitoring**. The default value is `filebeat-*`.
Datatype: `string`
Default: `filebeat-*`
Elastic Stack: Deprecated since 8.15
Self-managed Elastic deployments: Deprecated
Used as a workaround to avoid querying `metricbeat-*` indices which are now no longer queried.
Datatype: `string`
Default: `metricbeat-*`
This setting was deprecated in 8.15.0.
Self-managed Elastic deployments: Generally available
Specifies the number of term buckets to return out of the overall terms list when performing terms aggregations to retrieve index and node metrics. For more information about the `size` parameter, see [Terms Aggregation](https://www.elastic.co/docs/reference/aggregations/search-aggregations-bucket-terms-aggregation#search-aggregations-bucket-terms-aggregation-size). Defaults to `10000`.
Datatype: `int`
Default: `10000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the minimum number of seconds that a time bucket in a chart can represent. Defaults to 10. If you modify the `monitoring.ui.collection.interval` in `elasticsearch.yml`, use the same value in this setting.
Datatype: `int`
Default: `10`
Self-managed Elastic deployments: Generally available
Specifies how many seconds can pass before the Kibana status reports are considered stale. Defaults to `120`.
Datatype: `int`
Default: `120`
### Monitoring UI container settings
**Stack Monitoring** exposes the Cgroup statistics that we collect for you to make better decisions about your container performance, rather than guessing based on the overall machine performance. If you are not running your applications in a container, then Cgroup statistics are not useful.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
For Elasticsearch clusters that are running in containers, this setting changes the **Node Listing** to display the CPU utilization based on the reported Cgroup statistics. It also adds the calculated Cgroup CPU utilization to the **Node Overview** page instead of the overall operating system's CPU utilization. Defaults to `false`.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
For Logstash nodes that are running in containers, this setting changes the Logstash **Node Listing** to display the CPU utilization based on the reported Cgroup statistics. It also adds the calculated Cgroup CPU utilization to the Logstash node detail pages instead of the overall operating system's CPU utilization. Defaults to `false`.
Datatype: `bool`
Default: `false`
## Product feedback
Configure the product intercept settings in your `kibana.yml` configuration file.
A product intercept is a prompt for feedback about the Elastic product that appears periodically in the Kibana UI.
### Product intercept settings
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Enable or disable Elastic product feedback prompts.
Datatype: `bool`
Default: `true`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The time that elapses between Elastic product feedback prompts. Accepts a duration string with a number and a unit (`d`, `h`, `m`, `s`). For example, `20m`, `24h`, `7d`.
Datatype: `string`
Default: `90d`
## Reporting
### Enable reporting
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
When `true`, enables the reporting features. Set this to `false` to disable reporting features entirely. The default is `true`.
Datatype: `bool`
Default: `true`
Disabling the reporting features is discouraged. If you need to turn off the ability to generate reports, configure the roles and spaces in the [Kibana application privileges](https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access).If needed, you can also prevent a Kibana instance from claiming reporting work by setting [`xpack.reporting.queue.pollEnabled: false`](#xpack-reportingQueue-pollEnabled).
Elastic Stack: Removed in 9.0, Elastic Stack: Generally available from 7.14 to 9.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
When `true`, enables a deprecated role-based access model for reporting where access is controlled by the `reporting_user` role. Set to `false` to use the application privilege-based access model instead.
Datatype: `bool`
Removed in 9.0. Reporting access is now controlled exclusively through Kibana application privileges.
By default, an encryption key is generated for the reporting features each time you start Kibana. If a static encryption key is not persisted in the Kibana configuration, any pending reports fail when you restart Kibana.
If you are load balancing across multiple Kibana instances, each instance needs to have the same reporting encryption key. Otherwise, report generation fails if a report is queued through one instance, and another instance picks up the job from the report queue. The instance that picks up the job is unable to decrypt the reporting job metadata.
### Encryption key setting
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The static encryption key for reporting. Use an alphanumeric text string that is at least 32 characters. By default, Kibana generates a random key when it starts, which causes pending reports to fail after restart. Configure `xpack.reporting.encryptionKey` to preserve the same key across multiple restarts and multiple Kibana instances.
Datatype: `string`
```yaml
xpack.reporting.encryptionKey: "something_secret"
```
### CSV settings
We recommend using CSV reports to export moderate amounts of data only. The feature enables analysis of data in external tools, but it is not intended for bulk export or to backup Elasticsearch data. Report timeout and incomplete data issues are likely if you are exporting data where:
- More than 250 MB of data is being exported
- Data is stored on slow storage tiers
- Any shard needed for the search is unavailable
- Network latency between nodes is high
- Cross-cluster search is used
- ES|QL is used and result row count exceeds the limits of ES|QL queries
To work around the limitations, use filters to create multiple smaller reports, or extract the data you need directly with the Elasticsearch APIs.For more information on using Elasticsearch APIs directly, see [Scroll API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-scroll), [Point in time API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-open-point-in-time), [ES|QL](https://www.elastic.co/docs/explore-analyze/query-filter/languages/esql-rest) or [SQL](https://www.elastic.co/docs/explore-analyze/query-filter/languages/sql-rest-format#_csv) with CSV response data format. We recommend that you use an official Elastic language client: details for each programming language library that Elastic provides are in the [Elasticsearch Client documentation](https://www.elastic.co/guide/en/elasticsearch/client/index.html).Reporting parameters can be adjusted to overcome some of these limiting scenarios. Results are dependent on data size, availability, and latency factors and are not guaranteed.
Elastic Stack: Generally available since 8.12
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the maximum number of concurrent shard requests that each sub-search request executes per node during Kibana CSV export. Defaults to `5`.
Datatype: `int`
Default: `5`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum [byte size](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/api-conventions#byte-units) of a CSV file before being truncated. This setting exists to prevent large exports from causing performance and storage issues. Can be specified as a number of bytes. Defaults to `250mb`.
Datatype: `string`
Default: `250mb`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Number of documents retrieved from Elasticsearch for each scroll iteration during a CSV export. The maximum value is `10000`. Defaults to `500`.
Datatype: `int`
Default: `500`
You may need to lower this setting if the default number of documents creates a strain on network resources.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Amount of [time](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/api-conventions#time-units) allowed before Kibana cleans the scroll context during a CSV export. Valid option is either `auto` or [time](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/api-conventions#time-units). Defaults to `120s`.
Datatype: `string`
Default: `120s`
The default value was increased from `30s` to `120s` in version 9.0.If search latency in Elasticsearch is sufficiently high, such as if you are using cross-cluster search, you may either need to increase the time setting or set this config value to `auto`. When the config value is set to `auto` the scroll context will be preserved for as long as possible, before the report task is terminated due to the limits of `xpack.reporting.queue.timeout`.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Choose the API method used to page through data during CSV export. Valid options are `scroll` and `pit`. Defaults to `pit`.
Datatype: `enum`
Default: `pit`
Options:
- `scroll`
- `pit`
Each method has its own unique limitations which are important to understand.
- Scroll API: Search is limited to 500 shards at the very most. In cases where data shards are unavailable or time out, the export may return partial data.
- PIT API: Permissions to read data aliases alone will not work: the permissions are needed on the underlying indices or datastreams. In cases where data shards are unavailable or time out, the export will be empty rather than returning partial data.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Enables a check that warns you when there's a potential formula included in the output (=, -, +, and @ chars). See OWASP: [[https://www.owasp.org/index.php/CSV_Injection](https://www.owasp.org/index.php/CSV_Injection)](https://www.owasp.org/index.php/CSV_Injection). Defaults to `true`.
Datatype: `bool`
Default: `true`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Escape formula values in cells with a `'`. See OWASP: [[https://www.owasp.org/index.php/CSV_Injection](https://www.owasp.org/index.php/CSV_Injection)](https://www.owasp.org/index.php/CSV_Injection). Defaults to `false`.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Adds a byte order mark (`\ufeff`) at the beginning of the CSV file. Defaults to `false`.
Datatype: `bool`
Default: `false`
Elastic Stack: Generally available since 9.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum number of rows in a CSV report. Reports longer than the maximum limit will be truncated. The default is 10,000. The minimum is 1.
Datatype: `int`
Default: `10000`
We recommend using PNG/PDF reports to export moderate amounts of data only. The feature enables a high-level export capability, but it's not intended for bulk export. If you need to export several pages of image data, consider using multiple report jobs to export a small number of pages at a time. If the screenshot of exported dashboard contains a large number of pixels, consider splitting the large dashboard into smaller artifacts to use less memory and CPU resources.For the most reliable configuration of PDF/PNG reporting features, consider installing Kibana using [Docker](https://www.elastic.co/docs/deploy-manage/deploy/self-managed/install-kibana-with-docker) or using [Elastic Cloud](https://www.elastic.co/docs/deploy-manage/deploy/elastic-cloud).
### PNG/PDF capture settings
To generate PDF and PNG files, Reporting uses an internal "screenshotting" plugin which manages a headless browser that captures screenshots from Kibana.
The following settings control the capturing process.
If any timeouts from `xpack.screenshotting.capture.timeouts.*` settings occur when running a report job, Reporting will log the error and try to continue capturing the page with a screenshot. As a result, a download will be available, but there will likely be errors in the visualizations in the report.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specify the [time](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/api-conventions#time-units) to allow the Reporting browser to wait for the "Loading…" screen to dismiss and find the initial data for the page. If the time is exceeded, a screenshot is captured showing the current page, and the download link shows a warning message. Can be specified as number of milliseconds. Defaults to `1m`.
Datatype: `string`
Default: `1m`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specify the [time](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/api-conventions#time-units) to allow the Reporting browser to wait for all visualization panels to load on the page. If the time is exceeded, a screenshot is captured showing the current page, and the download link shows a warning message. Can be specified as number of milliseconds. Defaults to `1m`.
Datatype: `string`
Default: `1m`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specify the [time](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/api-conventions#time-units) to allow the Reporting browser to wait for all visualizations to fetch and render the data. If the time is exceeded, a screenshot is captured showing the current page, and the download link shows a warning message. Can be specified as number of milliseconds. Defaults to `2m`.
Datatype: `string`
Default: `2m`
Elastic Stack: Deprecated since 8.0
Self-managed Elastic deployments: Deprecated
Specify the [amount of time](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/api-conventions#time-units) before taking a screenshot when visualizations are not evented. All visualizations that ship with Kibana are evented, so this setting should not have much effect. If you are seeing empty images instead of visualizations, try increasing this value. **NOTE**: This setting exists for backwards compatibility, but is unused and therefore does not have an affect on reporting performance.
Datatype: `string`
This setting was deprecated in 8.0.0.
### Chromium headless browser settings
For PDF and PNG reports, Reporting spawns a headless Chromium browser process on the server to load and capture a screenshot of the Kibana app. When installing Kibana on Linux and Windows platforms, the Chromium binary comes bundled with the Kibana download. For Mac platforms, the Chromium binary is downloaded the first time Kibana is started.
Self-managed Elastic deployments: Generally available
It is recommended that you research the feasibility of enabling unprivileged user namespaces. An exception is if you are running Kibana in Docker because the container runs in a user namespace with the built-in seccomp/bpf filters. For more information, refer to [Chromium sandbox](https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#reporting-chromium-sandbox). Defaults to `false` for all operating systems except CentOS, Debian, and Red Hat Linux, which use `true`.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Enables the proxy for Chromium to use. When set to `true`, you must also specify the `xpack.screenshotting.browser.chromium.proxy.server` setting. Defaults to `false`.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
The uri for the proxy server. Providing the username and password for the proxy server via the uri is not supported.
Datatype: `string`
Self-managed Elastic deployments: Generally available
An array of hosts that should not go through the proxy server and should use a direct connection instead. Examples of valid entries are "elastic.co", "*.elastic.co", ".elastic.co", ".elastic.co:5601".
Datatype: `string`
### Kibana server settings for headless browser connection
To generate screenshots for PNG and PDF reports, Reporting opens the Kibana web interface using a local connection to the server. In most cases, using a local connection to the Kibana server presents no issue. If you prefer the headless browser to connect to Kibana using a specific hostname, there are a number of settings that allow the headless browser to connect to Kibana through a proxy, rather than directly.
The `xpack.reporting.kibanaServer` settings are optional. Take caution when editing these settings. Adding these settings can cause the PDF/PNG reporting features to fail. If reports fail, inspect the server logs and pay attention to errors regarding the headless browser being unable to connect to the server. The full Kibana URL that Reporting is attempting to open is logged during report execution.
Self-managed Elastic deployments: Generally available
The port for accessing Kibana.
Datatype: `int`
Self-managed Elastic deployments: Generally available
The protocol for accessing Kibana, typically `http` or `https`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The hostname for accessing Kibana.
Datatype: `string`
### Network policy settings for headless Chromium restrictions
To generate PDF reports, Reporting uses a headless Chromium browser to fully load the Kibana page on the server. This potentially involves sending requests to external hosts. For example, a request might go to an external image server to show a field formatted as an image, or to show an image in a Markdown visualization.
If the headless Chromium browser is asked to send a request that violates the network policy, it will stop processing the page before the request goes out, and the report is marked as a failure. Additional information about the event is in the Kibana server logs.
Kibana installations are not designed to be publicly accessible over the internet. The Reporting network policy and other capabilities of the Elastic Stack security features do not change this condition.
Self-managed Elastic deployments: Generally available
Capturing a screenshot from a Kibana page involves sending out requests for all the linked web assets. For example, a Markdown visualization can show an image from a remote server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
When `false`, disables the headless browser network policy. Defaults to `true`.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
A policy is specified as an array of objects that describe what to allow or deny based on a host or protocol. If a host or protocol is not specified, the rule matches any host or protocol.
The rule objects are evaluated sequentially from the beginning to the end of the array, and continue until there is a matching rule. If no rules allow a request, the request is denied.
Datatype: `string`
The `file:` protocol is always denied, even if no network policy is configured.
```yaml
# Only allow requests to elastic.co
xpack.screenshotting.networkPolicy:
rules: [ { allow: true, host: "elastic.co" } ]
```
```yaml
# Only allow HTTPS requests to https://elastic.co
xpack.screenshotting.networkPolicy:
rules: [ { allow: true, host: "elastic.co", protocol: "https:" } ]
```
Example of a baseline configuration for disallowing all requests to external paths:
```yaml
xpack.screenshotting.networkPolicy:
rules: [ { allow: true, host: "localhost:5601", protocol: "http:" } ]
```
Typically, Chromium will connect to Kibana on a local interface, but this may be different based on the environment and specific [headless browser connection settings](#reporting-kibana-server-settings).
A final `allow` rule with no host or protocol allows all requests that are not explicitly denied:
```yaml
# Denies requests from http://elastic.co, but anything else is allowed.
xpack.screenshotting.networkPolicy:
rules: [{ allow: false, host: "elastic.co", protocol: "http:" }, { allow: true }];
```
A network policy can be composed of multiple rules:
```yaml
# Allow any request to http://elastic.co but for any other host, https is required
xpack.screenshotting.networkPolicy
rules: [
{ allow: true, host: "elastic.co", protocol: "http:" },
{ allow: true, protocol: "https:" },
]
```
Reporting generates reports on the Kibana server as background tasks, and jobs are coordinated using documents in Elasticsearch. Depending on how often you generate reports and the overall number of reports, you might need to change the following settings.
### Background job settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
If capturing a report fails for any reason, Kibana will re-queue the report job for retry, as many times as this setting.
Datatype: `int`
Default: `3`
Elastic Stack: Deprecated since 8.15
Self-managed Elastic deployments: Generally available
How often Reporting creates a new index to store report jobs and file contents. Valid values are `year`, `month`, `week`, `day`, and `hour`.
Datatype: `enum`
Default: `week`
Options:
- `year`
- `month`
- `week`
- `day`
- `hour`
This setting exists for backwards compatibility, but is unused. Use the built-in ILM policy provided for the reporting plugin to customize the rollover of Reporting data.
This setting was deprecated in 8.15.0.
Self-managed Elastic deployments: Generally available
When `true`, enables the Kibana instance to poll Elasticsearch for pending jobs and claim them for execution. When `false`, allows the Kibana instance to only add new jobs to the reporting queue, list jobs, and provide the downloads to completed reports through the UI. This requires a deployment where at least one other Kibana instance in the Elastic cluster has this setting to `true`.
Datatype: `bool`
Default: `true`
Running multiple instances of Kibana in a cluster for load balancing of reporting requires identical values for [`xpack.reporting.encryptionKey`](https://www.elastic.co/docs/reference/kibana/configuration-reference/reporting-settings#xpack-reporting-encryptionkey) and, if security is enabled, [`xpack.security.encryptionKey`](https://www.elastic.co/docs/reference/kibana/configuration-reference/security-settings#xpack-security-encryptionkey).
Self-managed Elastic deployments: Generally available
Specifies the [time](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/api-conventions#time-units) that the reporting poller waits between polling the index for any pending Reporting jobs. Can be specified as a number of milliseconds.
Datatype: `string`
Default: `3s`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
[How long](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/api-conventions#time-units) each worker has to produce a report. If your machine is slow or under heavy load, you might need to increase this timeout. If a Reporting job execution goes over this time limit, the job is marked as a failure and no download will be available. Can be specified as a number of milliseconds.
Datatype: `string`
Default: `4m`
## Search sessions
### Background search settings
Elastic Stack: Generally available since 9.2
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
`false` by default. Set to `true` to enable background searches.
Datatype: `bool`
Default: `false`
Elastic Stack: Generally available since 9.2
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
How many retries Kibana can perform while attempting to send a search to the background. The default is `10`.
Datatype: `int`
Default: `10`
Elastic Stack: Generally available since 9.2
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
How long background search results are stored before they expire and are deleted. When users extend the validity period of the background search, this setting also determines by how long. The default is `7d`.
Datatype: `string`
Default: `7d`
### Search sessions settings (deprecated)
Elastic Stack: Deprecated since 8.15
Elastic Cloud Hosted: Deprecated, Self-managed Elastic deployments: Deprecated
Set to `true` to enable search sessions.
Datatype: `bool`
Default: `false`
Deprecated in 8.15.0. Replaced by the background search feature in 9.2.
Elastic Stack: Removed in 9.2, Elastic Stack: Deprecated from 8.15 to 9.1
Elastic Cloud Hosted: Deprecated, Self-managed Elastic deployments: Deprecated
How long Kibana stores search results from unsaved sessions, after the last search in the session completes. The default is `5m`.
Datatype: `string`
Default: `5m`
Deprecated in 8.15.0. This setting was part of the search sessions feature, which has been replaced by background search in 9.2.
Elastic Stack: Deprecated since 8.15
Elastic Cloud Hosted: Deprecated, Self-managed Elastic deployments: Deprecated
How many retries Kibana can perform while attempting to save a search session. The default is `10`.
Datatype: `int`
Default: `10`
Deprecated in 8.15.0. Replaced by the background search feature in 9.2.
Elastic Stack: Deprecated since 8.15
Elastic Cloud Hosted: Deprecated, Self-managed Elastic deployments: Deprecated
How long search session results are stored before they are deleted. Extending a search session resets the expiration by the same value. The default is `7d`.
Datatype: `string`
Default: `7d`
Deprecated in 8.15.0. Replaced by the background search feature in 9.2.
## Security and authentication
You do not need to configure any additional settings to use the security features in Kibana. They are enabled by default.
### Authentication security settings
You configure authentication settings in the `xpack.security.authc` namespace.
For example:
```yaml
xpack.security.authc:
providers:
basic.basic1:
order: 0
...
saml.saml1:
order: 1
...
saml.saml2:
order: 2
...
pki.realm3:
order: 3
...
...
```
1. Specifies the type of authentication provider (for example, `basic`, `token`, `saml`, `oidc`, `kerberos`, `pki`) and the provider name. This setting is mandatory.
2. Specifies the order of the provider in the authentication chain and on the Login Selector UI. This setting is mandatory.
3. Specifies the settings for the SAML authentication provider with a `saml1` name.
4. Specifies the settings for the SAML authentication provider with a `saml2` name.
### Valid settings for all authentication providers
The valid settings in the `xpack.security.authc.providers` namespace vary depending on the authentication provider type. For more information, refer to [Authentication](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/user-authentication).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Determines if the authentication provider should be enabled. By default, Kibana enables the provider as soon as you configure any of its properties.
Datatype: `bool`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Order of the provider in the authentication chain and on the Login Selector UI.
Datatype: `int`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Custom description of the provider entry displayed on the Login Selector UI.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Custom hint for the provider entry displayed on the Login Selector UI.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Custom icon for the provider entry displayed on the Login Selector UI.
Datatype: `string`
Elastic Stack: Generally available since 9.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the origin(s) where the provider will appear to users in the Login Selector UI. Each origin must be a valid URI only containing an origin. By default, providers are not restricted to specific origins.
Datatype: `string`
For example:
```yaml
xpack.security.authc:
providers:
basic.basic1:
origin: [http://localhost:5601, http://127.0.0.1:5601]
...
saml.saml1:
origin: https://elastic.co
...
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to `false` doesn't remove the provider from the authentication chain.
Datatype: `bool`
You are unable to set this setting to `false` for `basic` and `token` authentication providers.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Access agreement text in Markdown format. For more information, refer to [Access agreement](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/access-agreement).
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Ensures that user sessions will expire after a period of inactivity. Setting this to `0` will prevent sessions from expiring because of inactivity. By default, this setting is equal to [`xpack.security.session.idleTimeout`](#xpack-session-idletimeout).
Datatype: `string`
Use a string of `[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. *20m*, *24h*, *7d*, *1w*).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Ensures that user sessions will expire after the defined time period. This behavior is also known as an "absolute timeout". If this is set to `0`, user sessions could stay active indefinitely. By default, this setting is equal to [`xpack.security.session.lifespan`](#xpack-session-lifespan).
Datatype: `string`
Use a string of `[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. *20m*, *24h*, *7d*, *1w*).
### SAML authentication provider settings
In addition to [the settings that are valid for all providers](#authentication-provider-settings), you can specify the following settings:
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
SAML realm in Elasticsearch that provider should use.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Determines if the provider should treat the `RelayState` parameter as a deep link in Kibana during Identity Provider initiated log in. By default, this setting is set to `false`. The link specified in `RelayState` should be a relative, URL-encoded Kibana URL. For example, the `/app/dashboards#/list` link in `RelayState` parameter would look like this: `RelayState=%2Fapp%2Fdashboards%23%2Flist`.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.
Datatype: `string`
### Discontinued SAML settings
Elastic Stack: Removed in 8.0, Elastic Stack: Generally available from 6.4 to 8.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `saml` to instruct Kibana to use SAML SSO as the authentication method.
Datatype: `string`
Elastic Stack: Removed in 8.0, Elastic Stack: Generally available from 6.4 to 8.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to HTTP or HTTPS. To access Kibana, HTTPS protocol is recommended.
Datatype: `enum`
Options:
- `http`
- `https`
Elastic Stack: Removed in 8.0, Elastic Stack: Generally available from 6.4 to 8.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to a fully qualified hostname to connect your users to the proxy server.
Datatype: `string`
Elastic Stack: Removed in 8.0, Elastic Stack: Generally available from 6.4 to 8.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The port number that connects your users to the proxy server (for example, 80 for HTTP or 443 for HTTPS).
Datatype: `int`
Elastic Stack: Removed in 7.0, Elastic Stack: Generally available from 6.8 to 7.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies if Kibana should treat the `RelayState` parameter as a deep link when Identity Provider Initiated login flow is used.
Datatype: `bool`
Elastic Stack: Removed in 8.0, Elastic Stack: Generally available from 6.4 to 8.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Explicitly allows the SAML authentication URL within Kibana, so that the Kibana server doesn't reject external authentication messages that originate from your Identity Provider. This setting is renamed to `server.xsrf.allowlist` in version 8.0.0.
Datatype: `string`
### OpenID Connect authentication provider settings
In addition to [the settings that are valid for all providers](#authentication-provider-settings), you can specify the following settings:
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
OpenID Connect realm in Elasticsearch that the provider should use.
Datatype: `string`
### Anonymous authentication provider settings
In addition to [the settings that are valid for all providers](#authentication-provider-settings), you can specify the following settings:
For more information, refer to [Anonymous authentication](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication#anonymous-authentication).
You can configure only one anonymous provider per Kibana instance.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Credentials that Kibana should use internally to authenticate anonymous requests to Elasticsearch.
Datatype: `string`
For example:
```yaml
xpack.security.authc.providers.anonymous.anonymous1:
credentials:
username: "anonymous_service_account"
password: "anonymous_service_account_password"
```
### HTTP authentication settings
There is a very limited set of cases when you'd want to change these settings. For more information, refer to [HTTP authentication](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication#http-authentication).
Self-managed Elastic deployments: Generally available
Determines if HTTP authentication should be enabled. By default, this setting is set to `true`.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Determines if HTTP authentication schemes used by the enabled authentication providers should be automatically supported during HTTP authentication. By default, this setting is set to `true`.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
List of HTTP authentication schemes that Kibana HTTP authentication should support. By default, this setting is set to `['apikey', 'bearer']` to support HTTP authentication with the [`ApiKey`](https://www.elastic.co/docs/deploy-manage/api-keys/elasticsearch-api-keys) and [`Bearer`](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication#http-authentication) schemes.
Datatype: `string`
Default: `['apikey', 'bearer']`
### Login user interface settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Adds a message to the login UI. Useful for displaying information about maintenance windows, links to corporate sign up pages, and so on.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Adds a message accessible at the login UI with additional help information for the login process.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Determines if the login selector UI should be enabled. By default, this setting is set to `true` if more than one authentication provider is configured.
Datatype: `bool`
### Configure a default access agreement
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
This setting specifies the access agreement text in Markdown format that will be used as the default access agreement for all providers that do not specify a value for `xpack.security.authc.providers...accessAgreement.message`. For more information, refer to [Access agreement](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/access-agreement).
Datatype: `string`
### Session and cookie security settings
Self-managed Elastic deployments: Generally available
Sets the name of the cookie used for the session. The default value is `"sid"`.
Datatype: `string`
Default: `sid`
Self-managed Elastic deployments: Generally available
An arbitrary string of 32 characters or more that is used to encrypt session information. Do **not** expose this key to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts. In addition, high-availability deployments of Kibana will behave unexpectedly if this setting isn't the same for all instances of Kibana.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Sets the `secure` flag of the session cookie. The default value is `false`. It is automatically set to `true` if [`server.ssl.enabled`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#server-ssl-enabled) is set to `true`. Set this to `true` if SSL is configured outside of Kibana (for example, you are routing requests through a load balancer or proxy).
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the `SameSite` attribute of the session cookie. This allows you to declare whether your cookie should be restricted to a first-party or same-site context. Valid values are `Strict`, `Lax`, `None`. This is **not set** by default, which modern browsers will treat as `Lax`. If you use Kibana embedded in an iframe in modern browsers, you might need to set it to `None`. Setting this value to `None` requires cookies to be sent over a secure connection by setting [`xpack.security.secureCookies`](#xpack-security-securecookies): `true`.
Datatype: `enum`
Options:
- `Strict`
- `Lax`
- `None`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Ensures that user sessions will expire after a period of inactivity. This and [`xpack.security.session.lifespan`](#xpack-session-lifespan) are both highly recommended. You can also specify this setting for [every provider separately](#xpack-security-provider-session-idletimeout). If this is set to `0`, then sessions will never expire due to inactivity. By default, this value is 3 days.
Datatype: `string`
Default: `3d`
Use a string of `[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. *20m*, *24h*, *7d*, *1w*).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Ensures that user sessions will expire after the defined time period. This behavior is also known as an "absolute timeout". If this is set to `0`, user sessions could stay active indefinitely. This and [`xpack.security.session.idleTimeout`](#xpack-session-idletimeout) are both highly recommended. You can also specify this setting for [every provider separately](#xpack-security-provider-session-lifespan). By default, this value is 30 days for on-prem installations, and 24 hours for Elastic Cloud installations.
Datatype: `string`
Default: `30d (on-prem), 24h (Elastic Cloud)`
Use a string of `[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. *20m*, *24h*, *7d*, *1w*).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the interval at which Kibana tries to remove expired and invalid sessions from the session index. By default, this value is 1 hour. The minimum value is 10 seconds.
Datatype: `string`
Default: `1h`
Use a string of `[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. *20m*, *24h*, *7d*, *1w*).
Elastic Stack: Generally available since 8.7
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set the maximum number of sessions each user is allowed to have active at any given time. By default, no limit is applied. If set, the value of this option should be an integer between `1` and `1000`. When the limit is exceeded, the oldest session is automatically invalidated.
Datatype: `int`
### Encrypted saved objects settings
These settings control the encryption of saved objects with sensitive data. For more details, refer to [Secure saved objects](https://www.elastic.co/docs/deploy-manage/security/secure-saved-objects).
Self-managed Elastic deployments: Generally available
An arbitrary string of at least 32 characters that is used to encrypt sensitive properties of saved objects before they're stored in Elasticsearch. If not set, Kibana will generate a random key on startup, but certain features won't be available until you set the encryption key explicitly.
Datatype: `string`
Self-managed Elastic deployments: Generally available
An optional list of previously used encryption keys. Like [`xpack.encryptedSavedObjects.encryptionKey`](#xpack-encryptedsavedobjects-encryptionkey), these must be at least 32 characters in length. Kibana doesn't use these keys for encryption, but may still require them to decrypt some existing saved objects. Use this setting if you wish to change your encryption key, but don't want to lose access to saved objects that were previously encrypted with a different key.
Datatype: `string`
### Audit logging settings
You can enable audit logging to support compliance, accountability, and security. When enabled, Kibana will capture:
- Who performed an action
- What action was performed
- When the action occurred
For more details and a reference of audit events, refer to [Audit logs](https://www.elastic.co/docs/reference/kibana/kibana-audit-events).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to enable audit logging. **Default:** `false`
Datatype: `bool`
Default: `false`
For example:
```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
type: rolling-file
fileName: ./logs/audit.log
policy:
type: time-interval
interval: 24h
strategy:
type: numeric
max: 10
layout:
type: json
```
1. This appender is the default and will be used if no `appender.*` config options are specified.
2. Rotates log files every 24 hours.
3. Keeps maximum of 10 log files before deleting older ones.
Self-managed Elastic deployments: Generally available
Optional. Specifies where audit logs should be written to and how they should be formatted. If no appender is specified, a default appender will be used (see above).
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Required. Specifies where audit logs should be written to. Allowed values are `console`, `file`, or `rolling-file`.
Refer to [file appender](#audit-logging-file-appender) and [rolling file appender](#audit-logging-rolling-file-appender) for appender specific settings.
Datatype: `enum`
Options:
- `console`
- `file`
- `rolling-file`
Self-managed Elastic deployments: Generally available
Required. Specifies how audit logs should be formatted. Allowed values are `json` or `pattern`.
Refer to [pattern layout](#audit-logging-pattern-layout) for layout specific settings.
Datatype: `enum`
Options:
- `json`
- `pattern`
We recommend using `json` format to allow ingesting Kibana audit logs into Elasticsearch using Filebeat.
### File appender
The `file` appender writes to a file and can be configured using the following settings:
Self-managed Elastic deployments: Generally available
Required. Full file path the log file should be written to.
Datatype: `string`
### Rolling file appender
The `rolling-file` appender writes to a file and rotates it using a rolling strategy, when a particular policy is triggered:
Self-managed Elastic deployments: Generally available
Required. Full file path the log file should be written to.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies when a rollover should occur. Allowed values are `size-limit` and `time-interval`. **Default:** `time-interval`.
Refer to [size limit policy](#audit-logging-size-limit-policy) and [time interval policy](#audit-logging-time-interval-policy) for policy specific settings.
Datatype: `enum`
Default: `time-interval`
Options:
- `size-limit`
- `time-interval`
Self-managed Elastic deployments: Generally available
Specifies how the rollover should occur. Only allowed value is currently `numeric`. **Default:** `numeric`
Refer to [numeric strategy](#audit-logging-numeric-strategy) for strategy specific settings.
Datatype: `enum`
Default: `numeric`
Options:
- `numeric`
### Size limit triggering policy
The `size-limit` triggering policy will rotate the file when it reaches a certain size:
Self-managed Elastic deployments: Generally available
Maximum size the log file should reach before a rollover should be performed. **Default:** `100mb`
Datatype: `string`
Default: `100mb`
### Time interval triggering policy
The `time-interval` triggering policy will rotate the file every given interval of time:
Self-managed Elastic deployments: Generally available
How often a rollover should occur. **Default:** `24h`
Datatype: `string`
Default: `24h`
Self-managed Elastic deployments: Generally available
Whether the interval should be adjusted to cause the next rollover to occur on the interval boundary. **Default:** `true`
Datatype: `bool`
Default: `true`
### Numeric rolling strategy
The `numeric` rolling strategy will suffix the log file with a given pattern when rolling over, and will retain a fixed number of rolled files:
Self-managed Elastic deployments: Generally available
Suffix to append to the file name when rolling over. Must include `%i`. **Default:** `-%i`
Datatype: `string`
Default: `-%i`
Self-managed Elastic deployments: Generally available
Maximum number of files to keep. Once this number is reached, oldest files will be deleted. **Default:** `7`
Datatype: `int`
Default: `7`
### Pattern layout
The `pattern` layout outputs a string, formatted using a pattern with special placeholders, which will be replaced with data from the actual log message:
Self-managed Elastic deployments: Generally available
Optional. Specifies how the log line should be formatted. **Default:** `[%date][%level][%logger]%meta %message`
Datatype: `string`
Default: `[%date][%level][%logger]%meta %message`
Self-managed Elastic deployments: Generally available
Optional. Set to `true` to enable highlighting log messages with colors.
Datatype: `bool`
### Ignore filters
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of filters that determine which events should be excluded from the audit log. An event will get filtered out if at least one of the provided filters matches.
Datatype: `string`
For example:
```yaml
xpack.security.audit.ignore_filters:
- actions: [http_request]
- categories: [database]
types: [creation, change, deletion]
- spaces: [default]
- users: [elastic, kibana_system]
```
1. Filters out HTTP request events
2. Filters out any data write events
3. Filters out events from the `default` space
4. Filters out events from the `elastic` and `kibana_system` users
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `event.action` field of an audit event. Refer to [Audit logs](https://www.elastic.co/docs/reference/kibana/kibana-audit-events) for a list of available events.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `event.category` field of an audit event. Refer to [ECS categorization field](https://www.elastic.co/docs/reference/ecs-allowed-values-event-category) for allowed values.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `event.outcome` field of an audit event. Refer to [ECS outcome field](https://www.elastic.co/docs/reference/ecs-allowed-values-event-outcome) for allowed values.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `kibana.space_id` field of an audit event. This represents the space id in which the event took place.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `event.type` field of an audit event. Refer to [ECS type field](https://www.elastic.co/docs/reference/ecs-allowed-values-event-type) for allowed values.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `user.name` field of an audit event. This represents the `username` associated with the audit event.
Datatype: `string`
## Security Solution
Configure the following Security Solution settings in the `kibana.yml` file:
### Cloud Security Posture settings
Elastic Stack: Generally available since 8.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `false` to disable the Kibana UI for Elastic's Cloud Security Posture solution, which provides compliance checks on Cloud and Kubernetes environments.
Datatype: `bool`
Default: `true`
### Value lists settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the maximum number of bytes allowed for uploading Security Solution [value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/value-lists-exceptions). For every 10 MB, it is recommended to have an additional 1 GB of RAM reserved for Kibana.
Datatype: `int`
Default: `9000000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the buffer size used for uploading Security Solution [value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/value-lists-exceptions). Increase the value to improve upload throughput at the expense of higher Kibana memory usage; decrease it to reduce memory usage at the cost of throughput.
Datatype: `int`
Default: `1000`
## Sharing
Configure sharing settings in your `kibana.yml` configuration file.
These settings allow you to customize the behavior of URL sharing in Kibana.
### URL expiration settings
URL expiration settings control the behavior of the unused URLs cleanup background task, which runs using the Task Manager plugin. This task allows you to periodically clean up saved objects of type `url` that have not been accessed in the specified period of time, controlled by the `share.url_expiration.duration` configuration option. Each saved object is a representation of a URL generated through the sharing functionality. Those settings are disabled by default. You must manually configure them in order to use this feature.
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
If `true` the URL expiration feature is enabled.
Datatype: `bool`
Default: `false`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls the expiration threshold. Saved object that have not been accessed in the specified period of time will get deleted.
Datatype: `string`
Default: `1y`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls how often the task runs.
Datatype: `string`
Default: `7d`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls how many saved objects should be retrieved and scheduled for deletion per one run of the task.
Datatype: `int`
Default: `10000`
## Task Manager
Task Manager runs background tasks by polling for work on an interval. You can configure its behavior to tune for performance and throughput.
### Task Manager settings
Self-managed Elastic deployments: Generally available
The maximum number of times a task will be attempted before being abandoned as failed.
Datatype: `int`
Default: `3`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
How often, in milliseconds, the task manager will look for more work. Cannot be lower than 100.
Datatype: `int`
Default: `500`
Self-managed Elastic deployments: Generally available
How many requests can Task Manager buffer before it rejects new requests.
Datatype: `int`
Default: `1000`
Elastic Stack: Deprecated since 8.16
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum number of tasks that this Kibana instance will run simultaneously. The maximum value is 100.
Datatype: `int`
Default: `10`
This setting was deprecated in 8.16.0.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
This flag will enable automatic warn and error logging if task manager self detects a performance issue, such as the time between when a task is scheduled to execute and when it actually executes.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The amount of seconds we allow a task to delay before printing a warning server log.
Datatype: `int`
Default: `60`
Elastic Stack: Generally available since 8.6
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The log level used when verbose health logging is enabled. Set to `debug` for detailed output or `info` for higher-level summaries.
Datatype: `enum`
Default: `debug`
Options:
- `debug`
- `info`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Enables event loop delay monitoring, which will log a warning when a task causes an event loop delay which exceeds the `warn_threshold` setting.
Datatype: `bool`
Default: `true`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the amount of event loop delay during a task execution which will cause a warning to be logged.
Datatype: `int`
Default: `5000`
Elastic Stack: Generally available since 7.11
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The percentage threshold of workers experiencing version conflicts above which Task Manager shifts its polling interval to avoid overloading Elasticsearch. Accepts values between 50 and 100.
Datatype: `int`
Default: `80`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls the number of tasks that can be run at one time. The minimum value is 5 and the maximum is 50.
Datatype: `int`
Default: `10`
### Task Manager health settings
Settings that configure the [Health monitoring](https://www.elastic.co/docs/deploy-manage/monitor/kibana-task-manager-health-monitoring) endpoint.
Elastic Stack: Removed in 9.0, Elastic Stack: Deprecated from 8.8 to 9.0, Elastic Stack: Generally available from 7.15 to 8.7
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to enable ephemeral tasks, which ran actions inline without persisting them to Elasticsearch.
Datatype: `bool`
Default: `false`
Ephemeral tasks were deprecated in 8.8 and removed in 9.0. This setting has no effect on Kibana 9.0 and later.
Elastic Stack: Removed in 9.0, Elastic Stack: Deprecated from 8.8 to 9.0, Elastic Stack: Generally available from 7.15 to 8.7
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum number of ephemeral task requests that can be queued.
Datatype: `int`
Default: `10`
Ephemeral tasks were deprecated in 8.8 and removed in 9.0. This setting has no effect on Kibana 9.0 and later.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Configures the threshold of failed task executions at which point the `warn` or `error` health status is set under each task type execution status (under `stats.runtime.value.execution.result_frequency_percent_as_number[${task type}].status`).
This setting allows configuration of both the default level and a custom task type specific level. By default, this setting is configured to mark the health of every task type as `warning` when it exceeds 80% failed executions, and as `error` at 90%.
Custom configurations allow you to reduce this threshold to catch failures sooner for task types that you might consider critical, such as alerting tasks.
This value can be set to any number between 0 to 100, and a threshold is hit when the value **exceeds** this number. This means that you can avoid setting the status to `error` by setting the threshold at 100, or hit `error` the moment any task fails by setting the threshold to 0 (as it will exceed 0 once a single failure occurs).
Datatype: `int`
## Universal Profiling
Configure the following Universal Profiling settings in the `kibana.yml` file.
Universal Profiling is only available on Elastic Cloud Hosted.
### Universal Profiling settings
Elastic Stack: Generally available since 8.5
Elastic Cloud Hosted: Generally available
Set to `true` to enable Universal Profiling, which provides always-on, fleet-wide continuous profiling. Available on Elastic Cloud Hosted only.
Datatype: `bool`
Default: `false`