---
title: Kibana settings YAML samples (local fixtures)
description: These {settings} inclusions mirror files used to stress-test automated settings rendering. Some descriptions use links and anchors that target the real...
url: https://docs-v3-preview.elastic.dev/elastic/docs-builder/tree/main/testing/kibana-settings-yaml-samples
products:
- Elastic Docs Builder
---
# Kibana settings YAML samples (local fixtures)
These `{settings}` inclusions mirror files used to stress-test automated settings rendering.
Some descriptions use links and anchors that target the real Kibana reference pages, not this local aggregate page; the builder rewrites or validates many of them, but diagnostics can still reference those external paths.
## kibana-alert-action-settings.yml
Alerting and actions are enabled by default in Kibana, but require you to configure the following:
1. [Set up Kibana to work with Elastic Stack Elastic Stack security features](https://www.elastic.co/docs/deploy-manage/security/secure-your-cluster-deployment).
2. [Set up TLS encryption between Kibana and Elasticsearch](https://www.elastic.co/docs/deploy-manage/security/set-up-basic-security-plus-https#encrypt-kibana-http).
3. If you are using an **on-premises** Elastic Stack deployment, [specify a value for `xpack.encryptedSavedObjects.encryptionKey`](#general-alert-action-settings).
### General settings
Self-managed Elastic deployments: Generally available
A string of 32 or more characters used to encrypt sensitive properties on alerting rules and actions before they're stored in Elasticsearch. Third party credentials — such as the username and password used to connect to an SMTP service — are an example of encrypted properties.
Kibana offers a [CLI tool](https://www.elastic.co/docs/reference/kibana/commands/kibana-encryption-keys) to help generate this encryption key.
If not set, Kibana will generate a random key on startup, but all alerting and action functions will be blocked. Generated keys are not allowed for alerting and actions because when a new key is generated on restart, existing encrypted data becomes inaccessible. For the same reason, alerting and actions in high-availability deployments of Kibana will behave unexpectedly if the key isn't the same on all instances of Kibana.
Although the key can be specified in clear text in `kibana.yml`, it's recommended to store this key securely in the [Kibana Keystore](https://www.elastic.co/docs/deploy-manage/security/secure-settings). Be sure to back up the encryption key value somewhere safe, as your alerting rules and actions will cease to function due to decryption failures should you lose it. If you want to rotate the encryption key, be sure to follow the instructions on [encryption key rotation](https://www.elastic.co/docs/deploy-manage/security/secure-saved-objects#encryption-key-rotation).
Datatype: `string`
### Action settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A list of hostnames that Kibana is allowed to connect to when built-in actions are triggered. It defaults to `["*"]`, allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list `[]` can be used to block built-in actions from making any external connections.
Note that hosts associated with built-in actions, such as Slack and PagerDuty, are not automatically added to allowed hosts. If you are not using the default `["*"]` setting, you must ensure that the corresponding endpoints are added to the allowed hosts as well.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A list of custom host settings to override existing global settings.
Each entry in the list must have a `url` property, to associate a connection type (mail or https), hostname and port with the remaining options in the entry.
The settings in `xpack.actions.customHostSettings` can be used to override the global option `xpack.actions.ssl.verificationMode` and provide customized TLS settings on a per-server basis. Set `xpack.actions.ssl.verificationMode` to the value to be used by default for all servers, then add an entry in `xpack.actions.customHostSettings` for every server that requires customized settings.
Datatype: `string`
Default: `an empty list`
In the following example, two custom host settings are defined. The first provides a custom host setting for mail server `mail.example.com` using port 465 that supplies server certificate authentication data from both a file and inline, and requires TLS for the connection. The second provides a custom host setting for https server `webhook.example.com` which turns off server certificate authentication, that will allow Kibana to connect to the server if it's using a self-signed certificate. The individual properties that can be used in the settings are documented below.
```yaml
xpack.actions.customHostSettings:
- url: smtp://mail.example.com:465
ssl:
verificationMode: 'full'
certificateAuthoritiesFiles: [ 'one.crt' ]
certificateAuthoritiesData: |
-----BEGIN CERTIFICATE-----
MIIDTD...
CwUAMD...
... multiple lines of certificate data ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDTD...
CwUAMD...
... multiple lines of certificate data ...
-----END CERTIFICATE-----
smtp:
requireTLS: true
- url:
ssl:
verificationMode: 'none'
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A URL associated with this custom host setting. Should be in the form of `protocol://hostname:port`, where `protocol` is `https` or `smtp`. If the port is not provided, 443 is used for `https` and 25 is used for `smtp`. The `smtp` URLs are used for the Email actions that use this server, and the `https` URLs are used for actions which use `https` to connect to services.
Entries with `https` URLs can use the `ssl` options, and entries with `smtp` URLs can use both the `ssl` and `smtp` options.
No other URL values should be part of this URL, including paths, query strings, and authentication information. When an http or smtp request is made as part of running an action, only the protocol, hostname, and port of the URL for that request are used to look up these configuration values.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A boolean value indicating that TLS must not be used for this connection. The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A boolean value indicating that TLS must be used for this connection. The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls the verification of the server certificate that Kibana receives when making an outbound SSL/TLS connection to the host server. Valid values are `full`, `certificate`, and `none`. Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. [Equivalent Kibana setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-ssl-verificationMode). Overrides the general `xpack.actions.ssl.verificationMode` configuration for requests made for this hostname/port.
Datatype: `enum`
Default: `full`
Options:
- `full`
- `certificate`
- `none`
Self-managed Elastic deployments: Generally available
A file name or list of file names of PEM-encoded certificate files to use to validate the server.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The contents of one or more PEM-encoded certificate files in multiline format. This configuration can be used for environments where the files cannot be made available.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A list of allowed email domains which can be used with the email connector. When this setting is not used, all email domains are allowed. When this setting is used, if any email is attempted to be sent that (a) includes an addressee with an email domain that is not in the allowlist, or (b) includes a from address domain that is not in the allowlist, it will fail with a message indicating the email is not allowed.
Datatype: `string`
This feature is available in Kibana 7.17.4 and 8.3.0 onwards but is not supported in Kibana 8.0, 8.1 or 8.2. As such, this setting should be removed before upgrading from 7.17 to 8.0, 8.1 or 8.2. It is possible to configure the settings in 7.17.4 and then upgrade to 8.3.0 directly.
Elastic Stack: Generally available since 9.2
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A list of allowed email recipient patterns (`to`, `cc`, or `bcc`) that can be used with email connectors. If you attempt to send an email to a recipient that does not match the allowed patterns, the action will fail. The failure message indicates that the email is not allowed.
Datatype: `string`
This setting cannot be used with `xpack.actions.email.domain_allowlist`.
For example:
```yaml
xpack.actions.email.recipient_allowlist: ["admin-*@company.org", "sales-*@example.com"]
```
Only "to", "cc", or "bcc" email addresses that match the listed patterns will be accepted. For example, "admin-network@company.org" or "sales-north@example.com".
Elastic Stack: Generally available since 9.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum length of an email body in bytes. Values longer than this length will be truncated. The default is 25MB, the maximum is 25MB.
Datatype: `int`
Default: `25000000 (25MB)`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The SMTP endpoint for an Amazon Simple Email Service (SES) service provider that can be used by email connectors.
Datatype: `string`
Default: `email-smtp.us-east-1.amazonaws.com`
This setting alone is insufficient for overriding system defaults for the SES SMTP endpoint. You must also configure the `xpack.actions.email.services.ses.port` setting.
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The port number for an Amazon Simple Email Service (SES) service provider that can be used by email connectors.
Datatype: `int`
Default: `465`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
An array of strings indicating all email services that are enabled. Available options are `elastic-cloud`, `google-mail`, `microsoft-outlook`, `amazon-ses`, `microsoft-exchange`, and `other`. If the array is empty, no email services are enabled. The default value is `["*"]`, which enables all email services.
Datatype: `string`
Default: `["*"]`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A boolean value indicating that a footer with a relevant link should be added to emails sent as alerting actions.
Datatype: `bool`
Default: `true`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
A list of action types that are enabled. It defaults to `["*"]`, enabling all types. The names for built-in Kibana action types are prefixed with a `.` and include: `.email`, `.index`, `.jira`, `.opsgenie`, `.pagerduty`, `.resilient`, `.server-log`, `.servicenow`, `.servicenow-itom`, `.servicenow-sir`, `.slack`, `.swimlane`, `.teams`, `.tines`, `.torq`, `.xmatters`, `.gen-ai`, `.bedrock`, `.gemini`, `.d3security`, and `.webhook`. An empty list `[]` will disable all action types.
Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in Kibana and will not function.
Datatype: `string`
Default: `["*"]`
[Preconfigured connectors](https://www.elastic.co/docs/reference/kibana/connectors-kibana/pre-configured-connectors) are not affected by this setting.
Self-managed Elastic deployments: Generally available
The URL for the Microsoft Azure Active Directory endpoint to use for MS Exchange email authentication.
Datatype: `string`
Default: `https://login.microsoftonline.com`
Self-managed Elastic deployments: Generally available
The URL for the Microsoft Graph API endpoint to use for MS Exchange email authentication.
Datatype: `string`
Default: `https://graph.microsoft.com/v1.0`
Self-managed Elastic deployments: Generally available
The URL for the Microsoft Graph API scope endpoint to use for MS Exchange email authentication.
Datatype: `string`
Default: `https://graph.microsoft.com/.default`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used.
Proxies may be used to proxy http or https requests through a proxy using the http or https protocol. Kibana only uses proxies in "CONNECT" mode (sometimes referred to as "tunneling" TCP mode, compared to HTTP mode). That is, Kibana will always make requests through a proxy using the HTTP `CONNECT` method.
If your proxy is using the https protocol (vs the http protocol), the setting `xpack.actions.ssl.proxyVerificationMode: none` will likely be needed, unless your proxy's certificates are signed using a publicly available certificate authority.
There is currently no support for using basic authentication with a proxy (authentication for the proxy itself, not the URL being requested through the proxy).
Datatype: `string`
To help diagnose problems using a proxy, you can use the `curl` command with options to use your proxy, and log debug information, with the following command, replacing the proxy and target URLs as appropriate. This will force the request to be made to the proxy in tunneling mode, and display some of the interaction between the client and the proxy.
```sh
curl --verbose --proxytunnel --proxy http://localhost:8080
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies hostnames which should not use the proxy, if using a proxy for actions. The value is an array of hostnames as strings.
By default, all hosts will use the proxy, but if an action's hostname is in this list, the proxy will not be used. The settings `xpack.actions.proxyBypassHosts` and `xpack.actions.proxyOnlyHosts` cannot be used at the same time.
Datatype: `string`
For example:
```yaml
xpack.actions.proxyBypassHosts: [ "events.pagerduty.com" ]
```
If applicable, include the subdomain in the hostname.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies hostnames which should only use the proxy, if using a proxy for actions. The value is an array of hostnames as strings.
By default, no hosts will use the proxy, but if an action's hostname is in this list, the proxy will be used. The settings `xpack.actions.proxyBypassHosts` and `xpack.actions.proxyOnlyHosts` cannot be used at the same time.
Datatype: `string`
For example:
```yaml
xpack.actions.proxyOnlyHosts: [ "events.pagerduty.com" ]
```
If applicable, include the subdomain in the hostname.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies HTTP headers for the proxy, if using a proxy for actions.
Datatype: `string`
Default: `{}`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls the verification for the proxy server certificate that Kibana receives when making an outbound SSL/TLS connection to the proxy server.
Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification.
[Equivalent Kibana setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-ssl-verificationMode)
Datatype: `enum`
Default: `full`
Options:
- `full`
- `certificate`
- `none`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls the verification for the server certificate that Elastic Maps Server receives when making an outbound SSL/TLS connection for actions. Valid values are `full`, `certificate`, and `none`. Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification.
[Equivalent Kibana setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-ssl-verificationMode)
This setting can be overridden for specific URLs by using the setting `xpack.actions.customHostSettings[n].ssl.verificationMode` (described above) to a different value.
Datatype: `enum`
Default: `full`
Options:
- `full`
- `certificate`
- `none`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the max number of bytes of the http response for requests to external resources.
Datatype: `int`
Default: `1000000 (1MB)`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the time allowed for requests to external resources. Requests that take longer are canceled. The time is formatted as a number and a time unit (`ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `Y`). For example, `20m`, `24h`, `7d`, `1w`. Default: `60s`.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum number of times an action can be attempted to run.
Datatype: `int`
Options:
- `minimum 1 and maximum 10`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Overrides the configs under `xpack.actions.run` for the connector type with the given ID. List the connector type identifier and its settings in an array of objects.
Datatype: `string`
For example:
```yaml
xpack.actions.run:
maxAttempts: 1
connectorTypeOverrides:
- id: '.server-log'
maxAttempts: 5
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum number of actions that can be queued. It is available in Elastic Cloud 8.11.0 and later versions.
Datatype: `int`
Default: `1000000`
### Preconfigured connector settings
These settings vary depending on which type of preconfigured connector you're adding.
For example:
```yaml
xpack.actions.preconfigured:
my-server-log:
name: preconfigured-server-log-connector-type
actionTypeId: .server-log
```
For more examples, go to [Preconfigured connectors](https://www.elastic.co/docs/reference/kibana/connectors-kibana/pre-configured-connectors).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Enables a preconfigured alert history Elasticsearch [Index](https://www.elastic.co/docs/reference/kibana/connectors-kibana/index-action-type) connector.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Specifies configuration details that are specific to the type of preconfigured connector.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The type of preconfigured connector.
Datatype: `enum`
Options:
- `.email`
- `.index`
- `.opsgenie`
- `.server-log`
- `.resilient`
- `.slack`
- `.webhook`
Self-managed Elastic deployments: Generally available
The configuration details, which are specific to the type of preconfigured connector.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [OpenAI connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/openai-action-type), specifies the OpenAI API provider.
Datatype: `enum`
Options:
- `OpenAI`
- `Azure OpenAI`
Self-managed Elastic deployments: Generally available
A configuration URL that varies by connector:
- For an [Amazon Bedrock connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/bedrock-action-type), specifies the Amazon Bedrock request URL.
- For an [Google Gemini connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/gemini-action-type), specifies the Google Gemini request URL.
- For a [OpenAI connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/openai-action-type), specifies the OpenAI request URL.
- For a [IBM Resilient connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/resilient-action-type), specifies the IBM Resilient instance URL.
- For a [Jira connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/jira-action-type), specifies the Jira instance URL.
- For an [Opsgenie connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/opsgenie-action-type), specifies the Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`.
- For a [PagerDuty connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/pagerduty-action-type), specifies the PagerDuty event URL. Defaults to `https://events.pagerduty.com/v2/enqueue`.
- For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SIR](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type) specifies the ServiceNow instance URL.
- For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), specifies the Swimlane instance URL.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname in the URL is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
An application ID that varies by connector:
- For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), specifies a Swimlane application identifier.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A client identifier that varies by connector:
- For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies a GUID format value that corresponds to the client ID, which is a part of OAuth 2.0 client credentials authentication.
- For a [ServiceNow ITOM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), or [ServiceNow SIR connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type) specifies the client identifier assigned to the OAuth application.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [xMatters connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/xmatters-action-type) with basic authentication, specifies the request URL for the Elastic Alerts trigger in xMatters.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a stringified JSON payload with Mustache variables that is sent to the create comment URL to create a case comment. The required variable is `case.description`.
Datatype: `string`
The JSON is validated after the Mustache variables have been placed when the REST method runs. You should manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies the REST API HTTP request method to create a case comment in the third-party system.
Datatype: `string`
Default: `put`
Options:
- `post`
- `put`
- `patch`
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a REST API URL string to create a case comment by ID in the third-party system.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname in the URL is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a stringified JSON payload with Mustache variables that is sent to the create case URL to create a case. Required variables are `case.title` and `case.description`.
Datatype: `string`
The JSON is validated after the Mustache variables have been placed when the REST method runs. You should manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies the REST API HTTP request method to create a case in the third-party system.
Datatype: `string`
Default: `post`
Options:
- `post`
- `put`
- `patch`
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a REST API URL string to create a case in the third-party system.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname in the URL is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a string from the response body of the create case method that corresponds to the external service identifier.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The default model to use for requests, which varies by connector:
- For an [Amazon Bedrock connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/bedrock-action-type), current support is for the Anthropic Claude models.
- Elastic Cloud Serverless: Generally available Defaults to `us.anthropic.claude-sonnet-4-5-20250929-v1:0`.
- Elastic Stack: Generally available since 9.2 Defaults to `us.anthropic.claude-sonnet-4-5-20250929-v1:0`.
- Elastic Stack: Generally available in 9.1 Defaults to `us.anthropic.claude-3-7-sonnet-20250219-v1:0`.
- Elastic Stack: Generally available in 9.0 Defaults to `anthropic.claude-3-5-sonnet-20240620-v1:0`.
- For a [Google Gemini connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/gemini-action-type), current support is for the Gemini models.
- Elastic Cloud Serverless: Generally available Defaults to `gemini-2.5-pro`.
- Elastic Stack: Generally available since 9.1 Defaults to `gemini-2.5-pro`.
- Elastic Stack: Generally available in 9.0 Defaults to `gemini-1.5-pro-002`.
- For a [OpenAI connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/openai-action-type), it is optional and applicable only when `xpack.actions.preconfigured..config.apiProvider` is `OpenAI`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [index connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/index-action-type), a field that indicates when the document was indexed.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies the from address for all emails sent by the connector. It must be specified in `user@host-name` format.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a string from the response body of the get case method that corresponds to the external service title.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a REST API URL string with an external service ID Mustache variable to get the case from the third-party system.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname in the URL is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
For an [email](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), [webhook](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type), or [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies whether a user and password are required inside the secrets configuration.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
For a [webhook](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type) or [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a set of key-value pairs sent as headers with the request.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies the host name of the service provider.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [index connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/index-action-type), specifies the Elasticsearch index.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SIR](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies whether to use basic or OAuth authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SIR](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies the key ID assigned to the JWT verifier map of your OAuth application. It is required when `xpack.actions.preconfigured..config.isOAuth` is `true`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), specifies field mappings.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the alert identifier. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the case identifier. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the case name. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the case comments. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the case description. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), field mapping for the rule name. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), specifies a field mapping for the severity. You must provide `fieldtype`, `id`, `key`, and `name` values.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type), specifies the HTTP request method, either `post` or `put`. Defaults to `post`.
Datatype: `enum`
Default: `post`
Options:
- `post`
- `put`
Self-managed Elastic deployments: Generally available
For an [IBM Resilient connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/resilient-action-type), specifies the IBM Resilient organization identifier.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies the port to connect to on the service provider.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Jira connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/jira-action-type), specifies the Jira project key.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies whether the connection will use TLS when connecting to the service provider. If not true, the connection will initially connect over TCP then attempt to switch to TLS via the SMTP STARTTLS command.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies the name of the email service. For example, `elastic_cloud`, `exchange_server`, `gmail`, `other`, `outlook365`, or `ses`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies a GUID format value that corresponds to a tenant ID, which is a part of OAuth 2.0 client credentials authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a stringified JSON payload with Mustache variables that is sent to the update case URL to update a case. Required variables are `case.title` and `case.description`.
Datatype: `string`
The JSON is validated after the Mustache variables have been placed when the REST method runs. You should manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies the REST API HTTP request method to update the case in the third-party system.
Datatype: `enum`
Default: `put`
Options:
- `post`
- `put`
- `patch`
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies the REST API URL to update the case by ID in the third-party system.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname in the URL is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
A configuration URL that varies by connector:
- For a [D3 Security connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/d3security-action-type), specifies the D3 Security API request URL.
- For a [Tines connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/tines-action-type), specifies the Tines tenant URL.
- For a [webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type), specifies the web service request URL.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SIR](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies the user identifier. It is required when `xpack.actions.preconfigured..config.isOAuth` is `true`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [xMatters connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/xmatters-action-type), specifies whether it uses HTTP basic authentication.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type) or [ServiceNow SIR connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), specifies whether the connector uses the Table API or the Import Set API. If set to `false`, the Elastic application should be installed in ServiceNow.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
For a [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a URL string with either the external service ID or external service title Mustache variable to view a case in the external system.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Torq connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/torq-action-type), specifies the endpoint URL of the Elastic Security integration in Torq.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The name of the preconfigured connector.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Sensitive configuration details, such as username, password, and keys, which are specific to the connector type.
Datatype: `string`
Sensitive properties, such as passwords, should be stored in the [Kibana keystore](https://www.elastic.co/docs/deploy-manage/security/secure-settings#creating-keystore).
Self-managed Elastic deployments: Generally available
For an [Amazon Bedrock connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/bedrock-action-type), specifies the AWS access key for authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
An API key secret that varies by connector.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A credentials secret that varies by connector:
- For a [Google Gemini connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/gemini-action-type), specifies the GCP service account credentials JSON file for authentication.
- For a [OpenAI connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/openai-action-type), specifies the OpenAI or Azure OpenAI API key for authentication.
- For an [Opsgenie connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/opsgenie-action-type), specifies the Opsgenie API authentication key for HTTP basic authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [IBM Resilient connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/resilient-action-type), specifies the authentication key ID for HTTP basic authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [IBM Resilient connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/resilient-action-type), specifies the authentication key secret for HTTP basic authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [Jira](https://www.elastic.co/docs/reference/kibana/connectors-kibana/jira-action-type) or [Swimlane connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/swimlane-action-type), specifies the API authentication token for HTTP basic authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A client secret that varies by connector:
- For an [email connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), specifies the client secret that you generated for your app in the app registration portal. It is required when the email service is `exchange_server`, which uses OAuth 2.0 client credentials authentication.
- For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SIR](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies the client secret assigned to the OAuth application. It is required when `xpack.actions.preconfigured..config.isOAuth` is `true`.
Datatype: `string`
The client secret must be URL-encoded.
Self-managed Elastic deployments: Generally available
An email address that varies by connector:
- For a [Jira connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/jira-action-type), specifies the account email for HTTP basic authentication.
- For a [Tines connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/tines-action-type), specifies the email used to sign in to Tines.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A password secret that varies by connector:
- For an [email](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), [webhook](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type), or [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a password that is required when `xpack.actions.preconfigured..config.hasAuth` is `true`.
- For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SIR](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies a password that is required when `xpack.actions.preconfigured..config.isOAuth` is `false`.
- For an [xMatters connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/xmatters-action-type), specifies a password that is required when `xpack.actions.preconfigured..config.usesBasic` is `true`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SIR](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies the RSA private key. It is required when `xpack.actions.preconfigured..config.isOAuth` is `true`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SIR](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies the password for the RSA private key.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For a [PagerDuty connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/pagerduty-action-type), specifies the 32 character PagerDuty Integration Key for an integration on a service, also referred to as the routing key.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [Amazon Bedrock connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/bedrock-action-type), specifies the AWS secret for authentication.
Datatype: `string`
Self-managed Elastic deployments: Generally available
For an [xMatters connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/xmatters-action-type) with URL authentication, specifies the request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is used only when `xpack.actions.preconfigured..config.usesBasic` is `false`.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
A token secret that varies by connector:
- For a [D3 Security connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/d3security-action-type), specifies the D3 Security token.
- For a [Slack connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/slack-action-type), specifies the Slack bot user OAuth token.
- For a [Tines connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/tines-action-type), specifies the Tines API token.
- For a [Torq connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/torq-action-type), specifies the secret of the webhook authentication header.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A user name secret that varies by connector:
- For an [email](https://www.elastic.co/docs/reference/kibana/connectors-kibana/email-action-type), [webhook](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type), or [Case Management webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/cases-webhook-action-type), specifies a user name that is required when `xpack.actions.preconfigured..config.hasAuth` is `true`.
- For an [xMatters connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/xmatters-action-type), specifies a user name that is required when `xpack.actions.preconfigured..config.usesBasic` is `true`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A URL that varies by connector:
- For a [Microsoft Teams connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/teams-action-type), specifies the URL of the incoming webhook.
- For a [Slack connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/slack-action-type), specifies the Slack webhook URL.
Datatype: `string`
If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts.
Self-managed Elastic deployments: Generally available
For a [ServiceNow ITSM](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-action-type), [ServiceNow SIR](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-sir-action-type), or [ServiceNow ITOM connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/servicenow-itom-action-type), specifies a user name that is required when `xpack.actions.preconfigured..config.isOAuth` is `false`.
Datatype: `string`
Elastic Stack: Generally available since 9.1
Self-managed Elastic deployments: Generally available
Disable PFX file support for SSL client authentication. When set to `false`, the application will not accept PFX certificate files and will require separate certificate and private key files instead. Only applies to the [Webhook connector](https://www.elastic.co/docs/reference/kibana/connectors-kibana/webhook-action-type).
Datatype: `bool`
Default: `true`
### Alerting settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies whether to skip writing alerts and scheduling actions if rule processing was cancelled due to a timeout. This setting can be overridden by individual rule types.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Specifies the maximum number of rules to run per minute.
Datatype: `int`
Default: `32000`
In Serverless, the maximum number of rules to run per minute is set to `400` and can't be configured.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the minimum schedule interval for rules. This minimum is applied to all rules created or updated after you set this value. The time is formatted as a number and a time unit (`s`, `m`, `h`, or `d`). For example, `20m`, `24h`, `7d`. This duration cannot exceed `1d`.
Datatype: `string`
Default: `1m`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the behavior when a new or changed rule has a schedule interval less than the value defined in `xpack.alerting.rules.minimumScheduleInterval.value`. If `false`, rules with schedules less than the interval will be created but warnings will be logged. If `true`, rules with schedules less than the interval cannot be created.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum number of actions that a rule can generate each time detection checks run.
Datatype: `int`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum number of alerts that a rule can generate each time detection checks run.
Datatype: `int`
Default: `1000`
The exact number of alerts your cluster can safely handle depends on your cluster configuration and workload. While it is technically possible to increase this value above 1000, doing so is not recommended and not supported. Increasing this limit can significantly affect Kibana and Elasticsearch performance and memory usage. Carefully evaluate the impact on your deployment before making this change.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the default timeout for tasks associated with all types of rules. The time is formatted as a number and a time unit (`ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `Y`). For example, `20m`, `24h`, `7d`, `1w`. Default: `5m`.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Overrides the configs under `xpack.alerting.rules.run` for the rule type with the given ID. List the rule identifier and its settings in an array of objects.
Datatype: `string`
For example:
```yaml
xpack.alerting.rules.run:
timeout: '5m'
ruleTypeOverrides:
- id: '.index-threshold'
timeout: '15m'
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Overrides the configs under `xpack.alerting.rules.run.actions` for the connector type with the given ID. List the connector type identifier and its settings in an array of objects.
Datatype: `string`
For example:
```yaml
xpack.alerting.rules.run:
actions:
max: 10
connectorTypeOverrides:
- id: '.server-log'
max: 5
```
## kibana-fleet-settings.yml
By default, Fleet is enabled. To use Fleet, you also need to configure Kibana and Elasticsearch hosts.
Many Fleet settings can also be configured directly through the Fleet UI. See [Fleet UI settings](https://www.elastic.co/docs/reference/fleet/fleet-settings) for details.
Go to the [Fleet](https://www.elastic.co/docs/reference/fleet/index) docs for more information about Fleet.
### General Fleet settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` (default) to enable Fleet.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set to `true` to indicate Fleet is running in an air-gapped environment. Refer to [Air-gapped environments](https://www.elastic.co/docs/reference/fleet/air-gapped) for details. Enabling this flag helps Fleet skip needless requests and improve the user experience for air-gapped environments.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Allow to configure batch size for creating and updating Fleet user artifacts. Examples include creation of Trusted Applications and Endpoint Exceptions in Security. It is available in Elastic Cloud 8.9.0 and later versions.
Datatype: `int`
### Elastic Package Manager settings
Self-managed Elastic deployments: Generally available
The address to use to reach the Elastic Package Manager registry.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The proxy address to use to reach the Elastic Package Manager registry if an internet connection is not directly available. Refer to [Air-gapped environments](https://www.elastic.co/docs/reference/fleet/air-gapped) for details.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The path on disk to the GPG key used to verify Elastic Package Manager packages. If the Elastic public key is ever reissued as a security precaution, you can use this setting to specify the new key.
Datatype: `string`
### Fleet settings
The `xpack.fleet.agents.elasticsearch.*` settings are intended for a quickstart setup. For more advanced use cases, use the `xpack.fleet.outputs` setting to preconfigure outputs.
Self-managed Elastic deployments: Generally available
Hostnames used by Elastic Agent for accessing Fleet Server.
If configured in your `kibana.yml`, this setting is grayed out and unavailable in the Fleet UI. To make this setting editable in the UI, do not configure it in the configuration file.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Hostnames used by Elastic Agent for accessing Elasticsearch.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Hash pin used for certificate verification. The pin is a base64-encoded string of the SHA-256 fingerprint.
Datatype: `string`
### Preconfiguration settings (for advanced use cases)
Use these settings to pre-define integrations, agent policies, and Fleet Server hosts or proxies that you want Fleet to load up by default.
These settings are not supported to pre-configure the Endpoint and Cloud Security integration.
Self-managed Elastic deployments: Generally available
List of integrations that are installed when the Fleet app starts up for the first time.
Datatype: `string`
```yaml
xpack.fleet.packages:
- name: apache
version: 0.5.0
xpack.fleet.agentPolicies:
- name: Preconfigured Policy
id: preconfigured-policy
namespace: test
package_policies:
- package:
name: system
name: System Integration
namespace: test
id: preconfigured-system
inputs:
system-system/metrics:
enabled: true
vars:
'[system.hostfs]': home/test
streams:
'[system.core]':
enabled: true
vars:
period: 20s
system-winlog:
enabled: false
```
Self-managed Elastic deployments: Generally available
Required. Name of the integration from the package registry.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required.Either an exact semantic version, or the keyword `latest` to fetch the latest integration version.
Datatype: `string`
Self-managed Elastic deployments: Generally available
List of agent policies that are configured when the Fleet app starts.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Unique ID for this policy. The ID may be a number or string.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Name of the agent policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Text description of this policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. String identifying this policy's namespace.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. List of keywords that specify the monitoring data to collect. Valid values include `['logs']`, `['metrics']`, and `['logs', 'metrics']`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. If `true`, monitoring will be enabled, but logs/metrics collection will be disabled. Use this if you want to keep agent's monitoring server alive even when logs/metrics aren't being collected.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. If `true`, this policy is not editable by the user and can only be changed by updating the Kibana config.
Datatype: `bool`
Elastic Stack: Deprecated since 8.1
Self-managed Elastic deployments: Deprecated since 8.1
Optional. If `true`, this policy is the default agent policy.
Datatype: `bool`
Deprecated in 8.1.0.
Elastic Stack: Deprecated since 8.1
Self-managed Elastic deployments: Deprecated since 8.1
Optional. If `true`, this policy is the default Fleet Server agent policy.
Datatype: `bool`
Deprecated in 8.1.0.
Self-managed Elastic deployments: Generally available
Optional. ID of the output to send data. (Need to be identical to `monitoring_output_id`)
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. ID of the output to send monitoring data. (Need to be identical to `data_output_id`)
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. ID of the fleet server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. List of integration policies to add to this policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Unique ID of the integration policy. The ID may be a number or string.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Name of the integration policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Integration that this policy configures.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Name of the integration associated with this policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Text string describing this integration policy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
String identifying this policy's namespace.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Map of input for the integration. Follows the same schema as the package policy API inputs, with the exception that any object in `vars` can be passed `frozen: true` in order to prevent that specific `var` from being edited by the user.
Datatype: `string`
Self-managed Elastic deployments: Generally available
List of outputs that are configured when the Fleet app starts.
Certain types of outputs have additional required and optional settings. Refer to [Output settings](https://www.elastic.co/docs/reference/fleet/fleet-settings#output-settings) in the Fleet and Elastic Agent Guide for the full list of settings for each output type.
If configured in your `kibana.yml`, output settings are grayed out and unavailable in the Fleet UI. To make these settings editable in the UI, do not configure them in the configuration file.
Datatype: `string`
The `xpack.fleet.outputs` settings are intended for advanced configurations such as having multiple outputs. We recommend not enabling the `xpack.fleet.agents.elasticsearch.host` settings when using `xpack.fleet.outputs`.
```yaml
xpack.fleet.outputs:
- id: my-logstash-output-with-a-secret
name: preconfigured logstash output with a secret
type: logstash
hosts: ["localhost:9999"]
ssl:
certificate: xxxxxxxxxx
secrets:
ssl:
key: securekey
```
Self-managed Elastic deployments: Generally available
Required. Unique ID for this output. The ID should be a string.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Name of the output.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Type of Output.
Datatype: `enum`
Options:
- `elasticsearch`
- `logstash`
- `kafka`
- `remote_elasticsearch`
Self-managed Elastic deployments: Generally available
Optional.Array that contains the list of host for that output.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. If `true`, the output specified in `xpack.fleet.outputs` will be the one used to send agent data unless there is another one configured specifically for the agent policy.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. If `true`, the output specified in `xpack.fleet.outputs` will be the one used to send agent monitoring data unless there is another one configured specifically for the agent policy.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. If `true`, the output specified in `xpack.fleet.outputs` will not appear in the UI, and can only be managed via `kibana.yml` or the Fleet API.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. Extra config for that output.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Unique ID of a proxy to access the output.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Set to enable authentication using the Secure Sockets Layer (SSL) protocol.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The SSL certificate that Elastic Agents use to authenticate with the output. Include the full contents of the certificate here.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Certificate authority (CA) used to issue the certificate.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Include here any values for preconfigured outputs that should be stored as secrets. A secret value is replaced in the `kibana.yml` settings file with a reference, with the original value stored externally as a secure hash. Note that this type of secret storage requires all configured Fleet Servers to be on version 8.12.0 or later.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The private certificate key that Elastic Agents use to authenticate with the output.
Datatype: `string`
Self-managed Elastic deployments: Generally available
List of Fleet Server hosts that are configured when the Fleet app starts.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Unique ID for the host server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Name of the host server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Array of one or more host URLs that Elastic Agents will use to connect to Fleet Server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Whether or not this host should be the default to use for Fleet Server.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. If `true` the host will not appear in the UI, and can only be managed through `kibana.yml` or the Fleet API.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Optional. Unique ID of the proxy to access the Fleet Server host.
Datatype: `string`
Self-managed Elastic deployments: Generally available
List of proxies to access Fleet Server that are configured when the Fleet app starts.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Unique ID of the proxy to access the Fleet Server host.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. Name of the proxy to access the Fleet Server host.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Required. URL that Elastic Agents use to connect to the proxy to access Fleet Server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Map of headers to use with the proxy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Key to use for the proxy header.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Value to use for the proxy header.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. Certificate authority (CA) used to issue the certificate.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. The name of the certificate used to authenticate the proxy.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional. The certificate key used to authenticate the proxy.
Datatype: `string`
Elastic Stack: Deprecated since 9.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of experimental feature flag to enable in Fleet.
It is available in Elastic Cloud 8.6.0 and later versions.
From 9.3.0 onwards, use `xpack.fleet.experimentalFeatures` to explicitly enable or disable experimental features.
Datatype: `string`
From 9.3.0 onwards, use `xpack.fleet.experimentalFeatures` to explicitly enable or disable experimental features.
Elastic Stack: Generally available since 9.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set experimental feature flags to `true` or `false` to enable or disable them, respectively.
Datatype: `string`
Experimental features should not be enabled in production environments. The features in this section are experimental and may be changed or removed completely in future releases. Elastic will make a best effort to fix any issues, but experimental features are not supported to the same level as generally available (GA) features.
```yaml
xpack.fleet.experimentalFeatures:
useSpaceAwareness: false
enableAgentPrivilegeLevelChange: true
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` (default), to enable the automatic creation of global `logs-*` and `metrics-*` data views.
Datatype: `bool`
Default: `true`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Configure the interval of the automatic upgrade task for Fleet-managed Elastic Agents. Defaults to `30m`.
Datatype: `string`
Default: `30m`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Configure the retry delays of the automatic upgrade task for Fleet-managed Elastic Agents. The array's length indicates the maximum number of retries. Defaults to `['30m', '1h', '2h', '4h', '8h', '16h', '24h']`.
Datatype: `string`
Default: `['30m', '1h', '2h', '4h', '8h', '16h', '24h']`
Elastic Stack: Generally available since 9.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Configure the time-to-live (TTL) for integration rollback availability. This setting controls how long the rollback option remains available after an integration is upgraded. The value must be specified in a duration format (for example, `7d`, `14d`, `168h`, or `1w`). Defaults to `7d` (7 days). For more information, refer to [Roll back an integration](https://www.elastic.co/docs/reference/fleet/roll-back-integration).
Datatype: `string`
Default: `7d`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum number of revisions to maintain for a Fleet agent policy. Defaults to `10`.
Datatype: `int`
Default: `10`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The time interval for performing cleanups of Fleet agent policy revisions. The value must be specified in a duration format (for example, `30m`, `1h`, `1d`). Defaults to `1h` (1 hour).
Datatype: `string`
Default: `1h`
Elastic Stack: Generally available since 9.1
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum number of Fleet agent policies to clean up revisions from per interval. Defaults to `100`.
Datatype: `int`
Default: `100`
## kibana-general-settings.yml
Use these settings to configure general features available in Kibana.
### General settings
Self-managed Elastic deployments: Generally available
Toggling this causes the server to regenerate assets on the next startup, which may cause a delay before pages start being served. Set to `false` to disable Console.
Datatype: `bool`
Default: `true`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Propagate request-specific metadata to Elasticsearch server by way of the `x-opaque-id` header.
It is available in Elastic Cloud 8.1.0 and later versions.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
Controls whether to enable the newsfeed system for the Kibana UI notification center. Set to `false` to disable the newsfeed system.
Datatype: `bool`
Default: `true`
Elastic Stack: Preview
Self-managed Elastic deployments: Generally available
Indicates which roles to configure the Kibana process with, which will effectively run Kibana in different modes. Valid options are `background_tasks` and `ui`, or `*` to select all roles.
Datatype: `string`
Default: `*`
Self-managed Elastic deployments: Generally available
Choose the default email connector for user notifications. As of `8.6.0`, Kibana is shipping with a new notification mechanism that will send email notifications for various user actions, e.g. assigning a *Case* to a user. To enable notifications, an email connector must be [preconfigured](https://www.elastic.co/docs/reference/kibana/connectors-kibana/pre-configured-connectors) in the system via `kibana.yml`, and the notifications plugin must be configured to point to the ID of that connector.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Set the interval in milliseconds to sample system and process performance metrics. The minimum value is 100.
Datatype: `int`
Default: `5000`
Self-managed Elastic deployments: Generally available
Override for cgroup cpu path when mounted in a manner that is inconsistent with `/proc/self/cgroup`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Override for cgroup cpuacct path when mounted in a manner that is inconsistent with `/proc/self/cgroup`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The path where Kibana stores persistent data not saved in Elasticsearch.
Datatype: `string`
Default: `data`
Self-managed Elastic deployments: Generally available
Add sources for the [Permissions Policy `report-to` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies the path where Kibana creates the process ID file.
Datatype: `string`
Self-managed Elastic deployments: Generally available
If authentication is enabled, setting this to `true` enables unauthenticated users to access the Kibana server status API and status page.
Datatype: `bool`
Default: `false`
### Content Security Policy (CSP) settings
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `script-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src).
Datatype: `string`
Elastic Stack: Deprecated since 8.7
Self-managed Elastic deployments: Generally available
Set this to `false` to add the [`unsafe-eval`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions) source expression to the `script-src` directive.
When `csp.disableUnsafeEval` is set to `true`, Kibana will use a custom version of the Handlebars template library. Handlebars is used in various locations in the Kibana frontend where custom templates can be supplied by the user when for instance setting up a visualisation. If you experience any issues rendering Handlebars templates, please set this setting to `false` and [open an issue](https://github.com/elastic/kibana/issues/new/choose) in the Kibana GitHub repository.
Datatype: `bool`
Default: `true`
Deprecated in 8.7.0. Use `csp.script_src: ['unsafe-eval']` instead if you wish to enable `unsafe-eval`. This config option will have no effect in a future version.
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `worker-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `style-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `connect-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `default-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `font-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `frame-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `img-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src).
Datatype: `string`
Elastic Stack: Generally available since 9.3
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `object-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `frame-ancestors` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors).
Datatype: `string`
The `frame-ancestors` directive can also be configured by using [`server.securityResponseHeaders.disableEmbedding`](#server-securityResponseHeaders-disableEmbedding). In that case, that takes precedence and any values in `csp.frame_ancestors` are ignored.
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `form-action` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action) in reporting mode.
Datatype: `string`
Elastic Stack: Deprecated since 9.3
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `object-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/object-src) in reporting mode.
Datatype: `string`
This setting is deprecated in favor of `csp.object_src`.
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `report-uri` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Add sources for the [Content Security Policy `report-to` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Blocks Kibana access to any browser that does not enforce even rudimentary CSP rules. In practice, this disables support for older, less safe browsers like Internet Explorer.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Shows a warning message after loading Kibana to any browser that does not enforce even rudimentary CSP rules, though Kibana is still accessible. This configuration is effectively ignored when [`csp.strict`](#csp-strict) is enabled.
Datatype: `bool`
Default: `true`
### Elasticsearch connection settings
Self-managed Elastic deployments: Generally available
Header names and values to send to Elasticsearch. Any custom headers cannot be overwritten by client-side headers, regardless of the [`elasticsearch.requestHeadersWhitelist`](#elasticsearch-requestHeadersWhitelist) configuration.
Datatype: `string`
Default: `{}`
Self-managed Elastic deployments: Generally available
The URLs of the Elasticsearch instances to use for all your queries. All nodes listed here must be on the same cluster.
To enable SSL/TLS for outbound connections to Elasticsearch, use the `https` protocol in this setting.
Datatype: `string`
Default: `[ "http://localhost:9200" ]`
Self-managed Elastic deployments: Generally available
The URL through which Elasticsearch is publicly accessible, if any. This will be shown to users in Kibana when they need connection details for your Elasticsearch cluster.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of the [`elasticsearch.requestTimeout`](#elasticsearch-requestTimeout) setting.
Datatype: `int`
Self-managed Elastic deployments: Generally available
List of Kibana client-side headers to send to Elasticsearch. To send **no** client-side headers, set this value to [] (an empty list). Removing the `authorization` header from being whitelisted means that you cannot use [basic authentication](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication#basic-authentication) in Kibana.
Datatype: `string`
Default: `[ 'authorization', 'es-client-authentication' ]`
Self-managed Elastic deployments: Generally available
Time in milliseconds to wait for responses from the back end or Elasticsearch. This value must be a positive integer.
Datatype: `int`
Default: `30000`
Self-managed Elastic deployments: Generally available
Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
Datatype: `int`
Default: `30000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies whether Kibana should use compression for communications with Elasticsearch.
It is available in Elastic Cloud 8.3.0 and later versions.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Time in milliseconds between requests to check Elasticsearch for an updated list of nodes.
Datatype: `string`
Default: `false`
Self-managed Elastic deployments: Generally available
Attempt to find other Elasticsearch nodes on startup.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Update the list of Elasticsearch nodes immediately following a connection fault.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum number of sockets that can be used for communications with Elasticsearch.
It is available in Elastic Cloud 8.2.0 and later versions.
Datatype: `int`
Default: `Infinity`
Self-managed Elastic deployments: Generally available
Either `false` or a `byteSize` value. When set, responses from Elasticsearch with a size higher than the defined limit will be rejected. This is intended to be used as a circuit-breaker mechanism to avoid memory errors in case of unexpectedly high responses coming from Elasticsearch.
Datatype: `string`
Default: `false`
Self-managed Elastic deployments: Generally available
The maximum number of idle sockets to keep open between Kibana and Elasticsearch. If more sockets become idle, they will be closed.
Datatype: `int`
Default: `256`
Self-managed Elastic deployments: Generally available
The timeout for idle sockets kept open between Kibana and Elasticsearch. If the socket is idle for longer than this timeout, it will be closed. If you have a transparent proxy between Kibana and Elasticsearch be sure to set this value lower than or equal to the proxy's timeout.
Datatype: `string`
Default: `60s`
Self-managed Elastic deployments: Generally available
If your Elasticsearch is protected with basic authentication, this setting provides the username that the Kibana server uses to perform maintenance on the Kibana index at startup. Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
If your Elasticsearch is protected with basic authentication, this setting provides the password that the Kibana server uses to perform maintenance on the Kibana index at startup. Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.
Datatype: `string`
Self-managed Elastic deployments: Generally available
If your Elasticsearch is protected with basic authentication, this token provides the credentials that the Kibana server uses to perform maintenance on the Kibana index at startup. This setting is an alternative to `elasticsearch.username` and `elasticsearch.password`.
Datatype: `string`
### Elasticsearch SSL settings
Self-managed Elastic deployments: Generally available
Controls Kibana behavior in regard to presenting a client certificate when requested by Elasticsearch. This setting applies to all outbound SSL/TLS connections to Elasticsearch, including requests that are proxied for end users.
Datatype: `bool`
Default: `false`
When Elasticsearch uses certificates to authenticate end users with a PKI realm and [`elasticsearch.ssl.alwaysPresentCertificate`](#elasticsearch-ssl-alwaysPresentCertificate) is `true`, proxied requests may be executed as the identity that is tied to the Kibana server.
Self-managed Elastic deployments: Generally available
Path to a PEM-encoded X.509 client certificate. This is used by Kibana to authenticate itself when making outbound SSL/TLS connections to Elasticsearch. For this setting to take effect, the `xpack.security.http.ssl.client_authentication` setting in Elasticsearch must be also be set to `"required"` or `"optional"` to request a client certificate from Kibana.
Datatype: `string`
This setting cannot be used in conjunction with [`elasticsearch.ssl.keystore.path`](#elasticsearch-ssl-keystore-path).
Self-managed Elastic deployments: Generally available
Path to the corresponding private key for the PEM-encoded X.509 client certificate specified via [`elasticsearch.ssl.certificate`](#elasticsearch-ssl-cert-key). These are used by Kibana to authenticate itself when making outbound SSL/TLS connections to Elasticsearch. For this setting to take effect, the `xpack.security.http.ssl.client_authentication` setting in Elasticsearch must be also be set to `"required"` or `"optional"` to request a client certificate from Kibana.
Datatype: `string`
This setting cannot be used in conjunction with [`elasticsearch.ssl.keystore.path`](#elasticsearch-ssl-keystore-path).
Self-managed Elastic deployments: Generally available
Paths to one or more PEM-encoded X.509 certificate authority (CA) certificates, which make up a trusted certificate chain for Elasticsearch. This chain is used by Kibana to establish trust when making outbound SSL/TLS connections to Elasticsearch.
In addition to this setting, trusted certificates may be specified via [`elasticsearch.ssl.keystore.path`](#elasticsearch-ssl-keystore-path) and/or [`elasticsearch.ssl.truststore.path`](#elasticsearch-ssl-truststore-path).
Datatype: `string`
Self-managed Elastic deployments: Generally available
The password that decrypts the private key that is specified via [`elasticsearch.ssl.key`](#elasticsearch-ssl-cert-key). This value is optional, as the key may not be encrypted.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Path to a PKCS#12 keystore that contains an X.509 client certificate and it's corresponding private key. These are used by Kibana to authenticate itself when making outbound SSL/TLS connections to Elasticsearch. For this setting, you must also set the `xpack.security.http.ssl.client_authentication` setting in Elasticsearch to `"required"` or `"optional"` to request a client certificate from Kibana.
If the keystore contains any additional certificates, they are used as a trusted certificate chain for Elasticsearch. This chain is used by Kibana to establish trust when making outbound SSL/TLS connections to Elasticsearch. In addition to this setting, trusted certificates may be specified via [`elasticsearch.ssl.certificateAuthorities`](#elasticsearch-ssl-certificateAuthorities) and/or [`elasticsearch.ssl.truststore.path`](#elasticsearch-ssl-truststore-path).
Datatype: `string`
This setting cannot be used in conjunction with [`elasticsearch.ssl.certificate`](#elasticsearch-ssl-cert-key) or [`elasticsearch.ssl.key`](#elasticsearch-ssl-cert-key).
Self-managed Elastic deployments: Generally available
The password that decrypts the keystore specified via [`elasticsearch.ssl.keystore.path`](#elasticsearch-ssl-keystore-path). If the keystore has no password, leave this as blank. If the keystore has an empty password, set this to `""`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Path to a PKCS#12 trust store that contains one or more X.509 certificate authority (CA) certificates, which make up a trusted certificate chain for Elasticsearch. This chain is used by Kibana to establish trust when making outbound SSL/TLS connections to Elasticsearch.
In addition to this setting, trusted certificates may be specified via [`elasticsearch.ssl.certificateAuthorities`](#elasticsearch-ssl-certificateAuthorities) and/or [`elasticsearch.ssl.keystore.path`](#elasticsearch-ssl-keystore-path).
Datatype: `string`
Self-managed Elastic deployments: Generally available
The password that decrypts the trust store specified via [`elasticsearch.ssl.truststore.path`](#elasticsearch-ssl-truststore-path). If the trust store has no password, leave this as blank. If the trust store has an empty password, set this to `""`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Controls the verification of the server certificate that Kibana receives when making an outbound SSL/TLS connection to Elasticsearch. Valid values are `"full"`, `"certificate"`, and `"none"`. Using `"full"` performs hostname verification, using `"certificate"` skips hostname verification, and using `"none"` skips verification entirely.
Datatype: `enum`
Default: `full`
Options:
- `full`
- `certificate`
- `none`
### Logging settings
Self-managed Elastic deployments: Generally available
The `root` logger is a [dedicated logger](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#dedicated-loggers) and is pre-configured. The `root` logger logs at `info` level by default. If any other logging configuration is specified, `root` *must* also be explicitly configured.
Datatype: `string`
Self-managed Elastic deployments: Generally available
A list of logging appenders to forward the root level logger instance to. By default `root` is configured with the `default` appender that logs to stdout with a `pattern` layout. This is the configuration that all custom loggers will use unless they're re-configured explicitly. You can override the default behavior by configuring a different [appender](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#logging-appenders) to apply to `root`.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Level at which a log record should be logged. Supported levels are: *all*, *fatal*, *error*, *warn*, *info*, *debug*, *trace*, *off*. Levels are ordered from *all* (highest) to *off* and a log record will be logged it its level is higher than or equal to the level of its logger, otherwise the log record is ignored. Use this value to [change the overall log level](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples#change-overall-log-level).
Datatype: `enum`
Default: `info`
Options:
- `all`
- `fatal`
- `error`
- `warn`
- `info`
- `debug`
- `trace`
- `off`
Set to `all` to log all events, including system usage information and all requests. Set to `off` to silence all logs. You can also use the logging [cli commands](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kib-advanced-logging#logging-cli-migration) to set log level to `verbose` or silence all logs.
The following example shows a valid verbose `logging.root` configuration:
```text
logging:
appenders:
console_appender:
type: console
layout:
type: pattern
highlight: true
root:
appenders: [console_appender]
level: all
```
Self-managed Elastic deployments: Generally available
Allows you to [customize a specific logger instance](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples#customize-specific-log-records).
Datatype: `string`
Self-managed Elastic deployments: Generally available
[Appenders](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#logging-appenders) define how and where log messages are displayed (eg. **stdout** or console) and stored (eg. file on the disk).
Datatype: `string`
### Map settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `false` to disable connections to Elastic Maps Service. When `includeElasticMapsService` is turned off, only tile layer configured by [`map.tilemap.url`](#tilemap-url) is available in [Maps](https://www.elastic.co/docs/explore-analyze/visualize/maps).
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Specifies the URL of a self hosted [hosted Elastic Maps Service](https://www.elastic.co/docs/explore-analyze/visualize/maps/maps-connect-to-ems#elastic-maps-server)
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The map attribution string. Provide attributions in markdown and use `\|` to delimit attributions, for example: `"[attribution 1](https://www.attribution1)\|[attribution 2](https://www.attribution2)"`.
Datatype: `string`
Default: `"© [Elastic Maps Service](https://www.elastic.co/elastic-maps-service)"`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum zoom level.
Datatype: `int`
Default: `10`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The minimum zoom level.
Datatype: `int`
Default: `1`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
An array of subdomains used by the tile service. Specify the position of the subdomain the URL with the token `{{s}}`.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The URL to the service that Kibana uses as the default basemap in [maps](https://www.elastic.co/docs/explore-analyze/visualize/maps) and [vega maps](https://www.elastic.co/docs/explore-analyze/visualize/custom-visualizations-with-vega#vega-with-a-map). By default, Kibana sets a basemap from the [Elastic Maps Service](https://www.elastic.co/docs/explore-analyze/visualize/maps/maps-connect-to-ems), but users can point to their own Tile Map Service. For example: `"https://tiles.elastic.co/v2/default/{{z}}/{{x}}/{{y}}.png?elastic_tile_service_tos=agree&my_app_name=kibana"`
Datatype: `string`
### Migrations settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Defines the number of documents migrated at a time. The higher the value, the faster the Saved Objects migration process performs at the cost of higher memory consumption. If upgrade migrations results in Kibana crashing with an out of memory exception or fails due to an Elasticsearch `circuit_breaking_exception`, use a smaller `batchSize` value to reduce the memory pressure.
Datatype: `int`
Default: `1000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Discard saved objects with unknown types during a migration. Must be set to the target version, for example: `8.4.0`. Default: undefined.
It is available in Elastic Cloud 8.4.0 and later versions.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Discard corrupt saved objects, as well as those that cause transform errors during a migration. Must be set to the target version, for example: `8.4.0`. Default: undefined.
It is available in Elastic Cloud 8.4.0 and later versions.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Defines the maximum payload size for indexing batches of upgraded saved objects to avoid migrations failing due to a 413 Request Entity Too Large response from Elasticsearch. This value should be lower than or equal to your Elasticsearch cluster's `http.max_content_length` configuration option.
Datatype: `string`
Default: `100mb`
Self-managed Elastic deployments: Generally available
The number of times migrations retry temporary failures, such as a network timeout, 503 status code, or `snapshot_in_progress_exception`. When upgrade migrations frequently fail after exhausting all retry attempts with a message such as `Unable to complete the [...] step after 15 attempts, terminating.`, increase the setting value.
Datatype: `int`
Default: `15`
Elastic Stack: Generally available since 9.2
Self-managed Elastic deployments: Generally available
Skip logging migration progress unless there are any errors. Set to `false` when troubleshooting migration issues and not automatically shown.
Datatype: `bool`
Default: `true`
### Saved Objects settings
Self-managed Elastic deployments: Generally available
The maximum count of saved objects that can be imported or exported. This setting exists to prevent the Kibana server from running out of memory when handling large numbers of saved objects. It is recommended to only raise this setting if you are confident your server can hold this many objects in memory.
Datatype: `int`
Default: `10000`
Self-managed Elastic deployments: Generally available
The maximum byte size of a saved objects import that the Kibana server will accept. This setting exists to prevent the Kibana server from running out of memory when handling a large import payload. Note that this setting overrides the more general [`server.maxPayload`](#server-maxPayload) for saved object imports only.
Datatype: `int`
Default: `26214400`
### Search and autocomplete settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the max number of documents loaded by each shard to generate autocomplete suggestions. Allowed values are between 1 and 10000000.
Datatype: `int`
Default: `100000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the time in milliseconds to wait for autocomplete suggestions from Elasticsearch. Allowed values are between 1 and 1200000.
Datatype: `int`
Default: `1000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Time in milliseconds to wait for autocomplete suggestions from Elasticsearch. This value must be a whole number greater than zero.
Datatype: `int`
Default: `1000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Maximum number of documents loaded by each shard to generate autocomplete suggestions. This value must be a whole number greater than zero.
Datatype: `int`
Default: `100000`
To reload the logging settings, send a SIGHUP signal to Kibana. For more logging configuration options, see the [Configure Logging in Kibana](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging) guide.
### Server settings
Self-managed Elastic deployments: Generally available
Enables you to specify a path to mount Kibana at if you are running behind a proxy. Use the [`server.rewriteBasePath`](#server-rewriteBasePath) setting to tell Kibana if it should remove the basePath from requests it receives, and to prevent a deprecation warning at startup. This setting cannot end in a slash (`/`).
Datatype: `string`
Self-managed Elastic deployments: Generally available
The publicly available URL that end-users access Kibana at. Must include the protocol, hostname, port (if different than the defaults for `http` and `https`, 80 and 443 respectively), and the [`server.basePath`](#server-basePath) (when that setting is configured explicitly). This setting cannot end in a slash (`/`).
Datatype: `string`
Self-managed Elastic deployments: Generally available
This setting specifies the host of the back end server. To allow remote users to connect, set the value to the IP address or DNS name of the Kibana server. Use `0.0.0.0` to make Kibana listen on all IPs (public and private).
Datatype: `string`
Default: `"localhost"`
Self-managed Elastic deployments: Generally available
The number of milliseconds to wait for additional data before restarting the [`server.socketTimeout`](#server-socketTimeout) counter.
Datatype: `int`
Default: `120000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
The maximum payload size in bytes for incoming server requests.
Datatype: `int`
Default: `1048576`
Self-managed Elastic deployments: Generally available
A human-readable display name that identifies this Kibana instance.
Datatype: `string`
Default: `"your-hostname"`
Self-managed Elastic deployments: Generally available
Kibana is served by a back end server. This setting specifies the port to use.
Datatype: `int`
Default: `5601`
Elastic Stack: Preview
Self-managed Elastic deployments: Generally available
The HTTP protocol to use, either `http1` or `http2`. Set to `http1` to opt out of `HTTP/2` support when TLS is enabled. Use of `http1` may impact browser loading performance especially for dashboards with many panels. Default is `http2` if TLS is enabled, otherwise `http1`.
Datatype: `enum`
Options:
- `http1`
- `http2`
By default, enabling `http2` requires a valid `h2c` configuration, meaning that TLS must be enabled via [`server.ssl.enabled`](#server-ssl-enabled) and [`server.ssl.supportedProtocols`](#server-ssl-supportedProtocols), if specified, must contain at least `TLSv1.2` or `TLSv1.3`. Strict validation of the `h2c` setup can be disabled by adding `server.http2.allowUnsecure: true` to the configuration.
Self-managed Elastic deployments: Generally available
Sets the grace period for Kibana to attempt to resolve any ongoing HTTP requests after receiving a `SIGTERM`/`SIGINT` signal, and before shutting down. Any new HTTP requests received during this period are rejected, because the incoming socket is closed without further processing.
Datatype: `string`
Default: `30s`
Self-managed Elastic deployments: Generally available
The number of milliseconds to wait before closing an inactive socket.
Datatype: `int`
Default: `120000`
Self-managed Elastic deployments: Generally available
Sets the maximum time allowed for the client to transmit the request payload (body) before giving up and responding with a Request Timeout (408) error response.
Datatype: `int`
Default: `20000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Header names and values to send on all responses to the client from the Kibana server.
Datatype: `string`
Default: `{}`
Self-managed Elastic deployments: Generally available
Sets whether or not the `X-Opaque-Id` header should be trusted from any IP address for identifying requests in logs and forwarded to Elasticsearch.
Datatype: `bool`
Self-managed Elastic deployments: Generally available
A list of IPv4 and IPv6 address which the `X-Opaque-Id` header should be trusted from. Normally this would be set to the IP addresses of the load balancers or reverse-proxy that end users use to access Kibana. If any are set, [`server.requestId.allowFromAnyIp`](#server-requestId-allowFromAnyIp) must also be set to `false.`
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies whether Kibana should rewrite requests that are prefixed with [`server.basePath`](#server-basePath) or require that they are rewritten by your reverse proxy.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
The unique identifier for this Kibana instance. It must be a valid UUIDv4. It gets automatically generated on the first startup if not specified and persisted in the `data` path.
Datatype: `string`
### Server compression settings
Self-managed Elastic deployments: Generally available
Set to `false` to disable HTTP compression for all responses.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Specifies an array of trusted hostnames, such as the Kibana host, or a reverse proxy sitting in front of it. This determines whether HTTP compression may be used for responses, based on the request `Referer` header. This setting may not be used when [`server.compression.enabled`](#server-compression) is set to `false`.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to enable brotli (br) compression format. Browsers not supporting brotli compression will fallback to using gzip instead. This setting may not be used when [`server.compression.enabled`](#server-compression) is set to `false`.
It is available in Elastic Cloud 8.6.0 and later versions.
Datatype: `bool`
Default: `false`
### Server CORS settings
Elastic Stack: Preview
Self-managed Elastic deployments: Generally available
Set to `true` to allow cross-origin API calls.
Datatype: `bool`
Default: `false`
Elastic Stack: Preview
Self-managed Elastic deployments: Generally available
Set to `true` to allow browser code to access response body whenever request performed with user credentials.
Datatype: `bool`
Default: `false`
Elastic Stack: Preview
Self-managed Elastic deployments: Generally available
List of origins permitted to access resources. You must specify explicit hostnames and not use `server.cors.allowOrigin: ["*"]` when `server.cors.allowCredentials: true`.
Datatype: `string`
Default: `["*"]`
### Server rate limiter settings
Self-managed Elastic deployments: Generally available
Enables rate-limiting of requests to the Kibana server based on Node.js' Event Loop Utilization. If the average event loop utilization for the specified term exceeds the configured threshold, the server will respond with a `429 Too Many Requests` status code.
This functionality should be used carefully as it may impact the server's availability. The configuration options vary per environment, so it is recommended to enable this option in a testing environment first, adjust the rate-limiter configuration, and then roll it out to production.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
The Event Loop Utilization (ELU) threshold for rate-limiting requests to the Kibana server. The ELU is a value between 0 and 1, representing the average event loop utilization over the specified term. If the average ELU exceeds this threshold, the server will respond with a `429 Too Many Requests` status code.
In a multi-instance environment with autoscaling, this value is usually between 0.6 and 0.8 to give the autoscaler enough time to react. This value can be higher in a single-instance environment but should not exceed 1.0. In general, the lower the value, the more aggressive the rate limiting. And the highest possible option should be used to prevent the Kibana server from being terminated.
Datatype: `float`
Self-managed Elastic deployments: Generally available
This value is one of `short`, `medium`, or `long`, representing the term over which the average event loop utilization is calculated. It uses exponential moving averages (EMA) to smooth out the utilization values. Each term corresponds to `15s`, `30s`, and `60s`, respectively.
The term value also changes the way the rate limiter sees the trend in the load:
- `short`: `elu.short > server.rateLimiter.term`;
- `medium`: `elu.short > server.rateLimiter.elu AND elu.medium > server.rateLimiter.elu`;
- `long`: `elu.short > server.rateLimiter.elu AND elu.medium > server.rateLimiter.elu AND elu.long > server.rateLimiter.elu`.
This behavior prevents requests from being throttled if the load starts decreasing. In general, the shorter the term, the more aggressive the rate limiting. In the multi-instance environment, the `medium` term makes the most sense as it gives the Kibana server enough time to spin up a new instance and prevents the existing instances from being terminated.
Datatype: `enum`
Options:
- `short`
- `medium`
- `long`
### Server security response headers
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Strict-Transport-Security`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or `null`. To disable, set to `null`.
Datatype: `string`
Default: `null`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`X-Content-Type-Options`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are `nosniff` or `null`. To disable, set to `null`.
Datatype: `string`
Default: `"nosniff"`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Referrer-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are `no-referrer`, `no-referrer-when-downgrade`, `origin`, `origin-when-cross-origin`, `same-origin`, `strict-origin`, `strict-origin-when-cross-origin`, `unsafe-url`, or `null`. To disable, set to `null`.
Datatype: `string`
Default: `"strict-origin-when-cross-origin"`
Elastic Stack: Preview
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Permissions-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or `null`. Refer to the [`Permissions-Policy` documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy) for defined directives, values, and text format. To disable, set to `null`.
Datatype: `string`
Default: `camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()`
Elastic Stack: Preview
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Permissions-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are any text value or `null`. Refer to the [`Permissions-Policy` documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy) for defined directives, values, and text format.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) and [`X-Frame-Options`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) headers are configured to disable embedding Kibana in other webpages using iframes. When set to `true`, secure headers are used to disable embedding, which adds the `frame-ancestors: 'self'` directive to the `Content-Security-Policy` response header and adds the `X-Frame-Options: SAMEORIGIN` response header.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Controls whether the [`Cross-Origin-Opener-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) header is used in all responses to the client from the Kibana server, and specifies what value is used. Allowed values are `unsafe-none`, `same-origin-allow-popups`, `same-origin`, or `null`. To disable, set to `null`.
It is available in Elastic Cloud 8.7.0 and later versions.
Datatype: `enum`
Default: `"same-origin"`
Options:
- `unsafe-none`
- `same-origin-allow-popups`
- `same-origin`
- `null`
### Server SSL settings
Self-managed Elastic deployments: Generally available
Path to a PEM-encoded X.509 server certificate. This is used by Kibana to establish trust when receiving inbound SSL/TLS connections from users.
Datatype: `string`
This setting cannot be used in conjunction with [`server.ssl.keystore.path`](#server-ssl-keystore-path).
Self-managed Elastic deployments: Generally available
Path to the corresponding private key for the PEM-encoded X.509 server certificate specified via [`server.ssl.certificate`](#server-ssl-cert-key). This is used by Kibana to establish trust when receiving inbound SSL/TLS connections from users.
Datatype: `string`
This setting cannot be used in conjunction with [`server.ssl.keystore.path`](#server-ssl-keystore-path).
Self-managed Elastic deployments: Generally available
Paths to one or more PEM-encoded X.509 certificate authority (CA) certificates which make up a trusted certificate chain for Kibana. This chain is used by Kibana to establish trust when receiving inbound SSL/TLS connections from end users. If PKI authentication is enabled, this chain is also used by Kibana to verify client certificates from end users.
In addition to this setting, trusted certificates may be specified via [`server.ssl.keystore.path`](#server-ssl-keystore-path) and/or [`server.ssl.truststore.path`](#server-ssl-truststore-path).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Details on the format, and the valid options, are available via the [OpenSSL cipher list format documentation](https://www.openssl.org/docs/man1.1.1/man1/ciphers.md#CIPHER-LIST-FORMAT).
Datatype: `string`
Default: `TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA`
Self-managed Elastic deployments: Generally available
Controls the behavior in Kibana for requesting a certificate from client connections. Valid values are `"required"`, `"optional"`, and `"none"`. Using `"required"` will refuse to establish the connection unless a client presents a certificate, using `"optional"` will allow a client to present a certificate if it has one, and using `"none"` will prevent a client from presenting a certificate.
Datatype: `enum`
Default: `"none"`
Options:
- `required`
- `optional`
- `none`
Self-managed Elastic deployments: Generally available
Enables SSL/TLS for inbound connections to Kibana. When set to `true`, a certificate and its corresponding private key must be provided. These can be specified via [`server.ssl.keystore.path`](#server-ssl-keystore-path) or the combination of [`server.ssl.certificate`](#server-ssl-cert-key) and [`server.ssl.key`](#server-ssl-cert-key).
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
The password that decrypts the private key that is specified via [`server.ssl.key`](#server-ssl-cert-key). This value is optional, as the key may not be encrypted.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Path to a PKCS#12 keystore that contains an X.509 server certificate and its corresponding private key. If the keystore contains any additional certificates, those will be used as a trusted certificate chain for Kibana. All of these are used by Kibana to establish trust when receiving inbound SSL/TLS connections from end users. The certificate chain is also used by Kibana to verify client certificates from end users when PKI authentication is enabled.
In addition to this setting, trusted certificates may be specified via [`server.ssl.certificateAuthorities`](#server-ssl-certificateAuthorities) and/or [`server.ssl.truststore.path`](#server-ssl-truststore-path).
Datatype: `string`
This setting cannot be used in conjunction with [`server.ssl.certificate`](#server-ssl-cert-key) or [`server.ssl.key`](#server-ssl-cert-key).
Self-managed Elastic deployments: Generally available
The password that will be used to decrypt the keystore specified via [`server.ssl.keystore.path`](#server-ssl-keystore-path). If the keystore has no password, leave this unset. If the keystore has an empty password, set this to `""`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Path to a PKCS#12 trust store that contains one or more X.509 certificate authority (CA) certificates which make up a trusted certificate chain for Kibana. This chain is used by Kibana to establish trust when receiving inbound SSL/TLS connections from end users. If PKI authentication is enabled, this chain is also used by Kibana to verify client certificates from end users.
In addition to this setting, trusted certificates may be specified via [`server.ssl.certificateAuthorities`](#server-ssl-certificateAuthorities) and/or [`server.ssl.keystore.path`](#server-ssl-keystore-path).
Datatype: `string`
Self-managed Elastic deployments: Generally available
The password that will be used to decrypt the trust store specified via [`server.ssl.truststore.path`](#server-ssl-truststore-path). If the trust store has no password, leave this unset. If the trust store has an empty password, set this to `""`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Kibana binds to this port and redirects all http requests to https over the port configured as [`server.port`](#server-port).
Datatype: `int`
Self-managed Elastic deployments: Generally available
An array of supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. Enabling `TLSv1.1` would require both setting the `--tls-min-1.1` option in the `node.options` configuration and adding `TLSv1.1` to `server.ssl.supportedProtocols`. `HTTP/2` requires the use of minimum `TLSv1.2` for secure connections.
Datatype: `string`
Default: `TLSv1.2, TLSv1.3`
### Server XSRF settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
It is not recommended to disable protections for arbitrary API endpoints. Instead, supply the `kbn-xsrf` header. The [`server.xsrf.allowlist`](#settings-xsrf-allowlist) setting requires the following format:
```text
*Default: [ ]* An array of API endpoints which should be exempt from Cross-Site Request Forgery ("XSRF") protections.
```
It is available in Elastic Cloud 8.0.0 and later versions.
Datatype: `string`
Default: `[]`
Self-managed Elastic deployments: Generally available
Setting this to `true` will completely disable Cross-site request forgery protection in Kibana. This is not recommended.
Datatype: `bool`
Default: `false`
### Telemetry settings
Self-managed Elastic deployments: Generally available
When `false`, users cannot change the opt-in status through [Advanced Settings](https://www.elastic.co/docs/reference/kibana/advanced-settings), and Kibana only looks at the value of [`telemetry.optIn`](#settings-telemetry-optIn) to determine whether to send telemetry data or not.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set to `false` to stop sending any telemetry data to Elastic. Reporting your cluster statistics helps us improve your user experience. When `false`, the telemetry data is never sent to Elastic.
This setting can be changed at any time in [Advanced Settings](https://www.elastic.co/docs/reference/kibana/advanced-settings). To prevent users from changing it, set [`telemetry.allowChangingOptInStatus`](#telemetry-allowChangingOptInStatus) to `false`.
Datatype: `bool`
Default: `true`
### UI and visualization settings
Elastic Stack: Planned
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to stop showing messages and tours that highlight new features.
Datatype: `bool`
Default: `false`
Elastic Stack: Planned
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to stop showing elements requesting user feedback.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Starting from version 7.11, a new datatable visualization is used. Set to `true` to enable the legacy version. In version 8.0 and later, the old implementation is removed and this setting is no longer supported.
Datatype: `bool`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
For 7.7 version and later, set to `false` to disable Vega vizualizations.
Datatype: `bool`
Default: `true`
Elastic Stack: Deprecated since 8.0
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to allow Vega vizualizations to use data from sources other than the linked Elasticsearch cluster. In version 8.0 and later, the `vega.enableExternalUrls` is not supported. Use `vis_type_vega.enableExternalUrls` instead.
Datatype: `bool`
In version 8.0 and later, this setting is not supported. Use `vis_type_vega.enableExternalUrls` instead.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set this value to true to allow Vega to use any URL to access external data sources and images. When false, Vega can only get data from Elasticsearch.
Datatype: `bool`
Default: `false`
### Feature and plugin settings
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Cross-Cluster Replication UI.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Enables the **Explore underlying data** option that allows you to open **Discover** from a dashboard panel and view the panel data.
When you create visualizations using the **Lens** drag-and-drop editor, you can use the toolbar to open and explore your data in **Discover**. For more information, check out [Explore the data in Discover](https://www.elastic.co/docs/explore-analyze/visualize/lens#explore-lens-data-in-discover).
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Enables you to view the underlying documents in a data series from a dashboard panel.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Index Lifecycle Policies UI.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Index Management UI.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the License Management UI.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Remote Clusters UI.
Datatype: `bool`
Default: `true`
Elastic Stack: Deprecated since 8.11
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Rollup Jobs UI.
Datatype: `bool`
Default: `true`
Rollups are deprecated and will be removed in a future version. Use [downsampling](https://www.elastic.co/docs/manage-data/data-store/data-streams/downsampling-time-series-data-stream) instead.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Allow to configure the max file upload size for use with the Upload File Response action available with the Defend Integration. To learn more, check [Endpoint Response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions).
It is available in Elastic Cloud 8.9.0 and later versions.
Datatype: `string`
Elastic Stack: Generally available since 9.2
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to disable the automatic installation of Elastic Defend SIEM rules when a new Endpoint integration policy is created. Introduced with v9.2.4.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Snapshot and Restore UI.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Set this value to false to disable the Upgrade Assistant UI.
Datatype: `bool`
Default: `true`
## kibana-logging-settings.yml
You do not need to configure any additional settings to use the logging features in Kibana. Logging is enabled by default and will log at `info` level using the `pattern` layout, which outputs logs to `stdout`.
However, if you are planning to ingest your logs using Elasticsearch or another tool, we recommend using the `json` layout, which produces logs in ECS format. In general, `pattern` layout is recommended when raw logs will be read by a human, and `json` layout when logs will be read by a machine.
The logging configuration is validated against the predefined schema and if there are any issues with it, Kibana will fail to start with the detailed error message.
Kibana relies on three high-level entities to set the logging service: appenders, loggers, and root. These can be configured in the `logging` namespace in `kibana.yml`.
- Appenders define where log messages are displayed (stdout or console) and their layout (`pattern` or `json`). They also allow you to specify if you want the logs stored and, if so, where (file on the disk).
- Loggers define what logging settings, such as the level of verbosity and the appenders, to apply to a particular context. Each log entry context provides information about the service or plugin that emits it and any of its sub-parts, for example, `metrics.ops` or `elasticsearch.query`.
- Root is a logger that applies to all the log entries in Kibana.
For details on audit logging settings, refer to the [Kibana security settings](/elastic/docs-builder/tree/main/testing/security-settings#audit-logging-settings).
### Logging settings
The following table serves as a quick reference for different logging configuration keys. Note that these are not stand-alone settings and may require additional logging configuration. See the [Configure Logging in Kibana](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging) guide and complete [examples](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples) for common configuration use cases.
Self-managed Elastic deployments: Generally available
Unique appender identifier.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Appender to use for logging records to **stdout**. By default, uses the `[%date][%level][%logger] %message %error` **pattern** layout. To use a **json**, set the [layout type to `json`](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples#log-in-json-ecs-example).
Elastic Stack: Generally available since 9.1 `%error` is present since Stack version 9.1.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Allows you to specify a fileName to write log records to disk. To write [all log records to file](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples#log-to-file-example), add the file appender to `root.appenders`. If configured, you also need to specify [`logging.appenders.file.pathName`](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-log-settings-examples#log-to-file-example).
Datatype: `string`
Self-managed Elastic deployments: Generally available
Similar to [Log4j's](https://logging.apache.org/log4j/2.x/) `RollingFileAppender`, this appender will log to a file and rotate if following a rolling strategy when the configured policy triggers. There are currently two policies supported: [`size-limit`](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#size-limit-triggering-policy) and [`time-interval`](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#time-interval-triggering-policy).
Datatype: `string`
Self-managed Elastic deployments: Generally available
The appender type determines where the log messages are sent. Required.
Datatype: `enum`
Options:
- `console`
- `file`
- `rewrite`
- `rolling-file`
Self-managed Elastic deployments: Generally available
Determines the filepath where the log messages are written to for file and rolling-file appender types. Required for appenders that write to file.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specify the triggering policy for when a rollover should occur for the `rolling-file` type appender.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specify the time interval for rotating a log file for a `time-interval` type `rolling-file` appender.
Datatype: `string`
Default: `24h`
Self-managed Elastic deployments: Generally available
Specify the size limit at which the policy should trigger a rollover for a `size-limit` type `rolling-file` appender.
Datatype: `string`
Default: `100mb`
Self-managed Elastic deployments: Generally available
Whether the interval should be adjusted to cause the next rollover to occur on the interval boundary.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Rolling file strategy type. Only `numeric` is currently supported.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The suffix to append to the file path when rolling. Must include `%i`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
The maximum number of files to keep. The maximum is `100`.
Datatype: `int`
Default: `7`
Self-managed Elastic deployments: Generally available
Determines how the log messages are displayed. Required.
Datatype: `enum`
Options:
- `pattern`: Provides human-readable output.
- `json`: Provides ECS-compliant output.
Self-managed Elastic deployments: Generally available
Optional boolean to highlight log messages in color. Applies to `pattern` layout only.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
Optional [string pattern](https://www.elastic.co/docs/deploy-manage/monitor/logging-configuration/kibana-logging#pattern-layout) for placeholders that will be replaced with data from the actual log message. Applicable to pattern type layout only.
Datatype: `string`
Self-managed Elastic deployments: Generally available
List of specific appenders to apply to `root`. Defaults to `console` with `pattern` layout.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specify default verbosity for all log messages to fall back to if not specifically configured at the individual logger level. The `all` and `off` levels can be used only in configuration and are just handy shortcuts that allow you to log every log record or disable logging entirely or for a specific logger.
Datatype: `enum`
Default: `info`
Options:
- `all`
- `fatal`
- `error`
- `warn`
- `info`
- `debug`
- `trace`
- `off`
Self-managed Elastic deployments: Generally available
Specific logger instance.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specify verbosity of log messages for a logger context. Optional and inherits the verbosity of any ancestor logger, up to the `root` logger `level`.
Datatype: `enum`
Options:
- `all`
- `fatal`
- `error`
- `warn`
- `info`
- `debug`
- `trace`
- `off`
Self-managed Elastic deployments: Generally available
Determines the appender to apply to a specific logger context as an array. Optional and falls back to the appender(s) of the `root` logger if not specified.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Optional boolean to log debug messages when a deprecated API is called.
Datatype: `bool`
Default: `false`
## kibana-monitoring-settings.yml
By default, **Stack Monitoring** is enabled, but data collection is disabled. When you first start Kibana monitoring, you are prompted to enable data collection. If you are using Elastic Stack security features, you must be signed in as a user with the `cluster:manage` privilege to enable data collection. The built-in `superuser` role has this privilege and the built-in `elastic` user has this role.
You can adjust how monitoring data is collected from Kibana and displayed in Kibana by configuring settings in the `kibana.yml` file. There are also `monitoring.ui.elasticsearch.*` settings, which support the same values as [Kibana configuration settings](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings).
To control how data is collected from your Elasticsearch nodes, you configure [`xpack.monitoring.collection` settings](https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/monitoring-settings) in `elasticsearch.yml`. To control how monitoring data is collected from Logstash, configure monitoring settings in `logstash.yml`.
For more information, check out [Monitor a cluster](https://www.elastic.co/docs/deploy-manage/monitor).
### General monitoring settings
Elastic Stack: Deprecated since 7.11
Self-managed Elastic deployments: Deprecated
When enabled, sends email notifications for Watcher alerts to the specified email address.
Datatype: `bool`
Default: `true`
Deprecated in 7.11.
Elastic Stack: Deprecated since 7.11
Elastic Cloud Hosted: Deprecated, Self-managed Elastic deployments: Deprecated
When enabled, specifies the email address where you want to receive cluster alert notifications.
Datatype: `string`
Deprecated in 7.11.
Self-managed Elastic deployments: Generally available
Set to `true` (default) to enable [cross-cluster search](https://www.elastic.co/docs/solutions/search/cross-cluster-search) of your monitoring data. The [`remote_cluster_client`](https://www.elastic.co/docs/deploy-manage/remote-clusters/remote-clusters-settings) role must exist on each node.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Specifies the location of the Elasticsearch cluster where your monitoring data is stored.
By default, this is the same as [`elasticsearch.hosts`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-hosts). This setting enables you to use a single Kibana instance to search and visualize data in your production cluster as well as monitor data sent to a dedicated monitoring cluster.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies the username used by Kibana monitoring to establish a persistent connection in Kibana to the Elasticsearch monitoring cluster and to verify licensing status on the Elasticsearch monitoring cluster when using `monitoring.ui.elasticsearch.hosts`.
All other requests performed by **Stack Monitoring** to the monitoring Elasticsearch cluster uses the authenticated user's credentials, which must be the same on both the Elasticsearch monitoring cluster and the Elasticsearch production cluster.
If not set, Kibana uses the value of the [`elasticsearch.username`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-user-passwd) setting.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies the password used by Kibana monitoring to establish a persistent connection in Kibana to the Elasticsearch monitoring cluster and to verify licensing status on the Elasticsearch monitoring cluster when using `monitoring.ui.elasticsearch.hosts`.
All other requests performed by **Stack Monitoring** to the monitoring Elasticsearch cluster use the authenticated user's credentials, which must be the same on both the Elasticsearch monitoring cluster and the Elasticsearch production cluster.
If not set, Kibana uses the value of the [`elasticsearch.password`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-user-passwd) setting.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies a [service account token](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-service-token) for the Elasticsearch cluster where your monitoring data is stored when using `monitoring.ui.elasticsearch.hosts`. This setting is an alternative to using `monitoring.ui.elasticsearch.username` and `monitoring.ui.elasticsearch.password`.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies the time in milliseconds to wait for Elasticsearch to respond to internal health checks. By default, it matches the [`elasticsearch.pingTimeout`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-pingTimeout) setting, which has a default value of `30000`.
Datatype: `int`
Default: `30000`
Self-managed Elastic deployments: Generally available
Shares the same configuration as [`elasticsearch.ssl`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#elasticsearch-ssl-cert-key). These settings configure encrypted communication between Kibana and the monitoring cluster.
Datatype: `string`
### Monitoring collection settings
These settings control how data is collected from Kibana.
Self-managed Elastic deployments: Generally available
Set to `true` (default) to enable data collection from the Kibana NodeJS server for Kibana dashboards to be featured in **Stack Monitoring**.
Datatype: `bool`
Default: `true`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the number of milliseconds to wait in between data sampling on the Kibana NodeJS server for the metrics that are displayed in the Kibana dashboards. Defaults to `10000` (10 seconds).
Datatype: `int`
Default: `10000`
### Monitoring UI settings
These settings adjust how **Stack Monitoring** displays monitoring data. However, the defaults work best in most circumstances. For more information about configuring Kibana, see [Setting Kibana server properties](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings).
Self-managed Elastic deployments: Generally available
Specifies the number of log entries to display in **Stack Monitoring**. Defaults to `10`. The maximum value is `50`.
Datatype: `int`
Default: `10`
Self-managed Elastic deployments: Generally available
Set to `false` to hide **Stack Monitoring**. The monitoring back-end continues to run as an agent for sending Kibana stats to the monitoring cluster. Defaults to `true`.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Specifies the name of the indices that are shown on the [**Logs**](https://www.elastic.co/docs/deploy-manage/monitor/monitoring-data/elasticsearch-metrics#logs-monitor-page) page in **Stack Monitoring**. The default value is `filebeat-*`.
Datatype: `string`
Default: `filebeat-*`
Elastic Stack: Deprecated since 8.15
Self-managed Elastic deployments: Deprecated
Used as a workaround to avoid querying `metricbeat-*` indices which are now no longer queried.
Datatype: `string`
Default: `metricbeat-*`
This setting was deprecated in 8.15.0.
Self-managed Elastic deployments: Generally available
Specifies the number of term buckets to return out of the overall terms list when performing terms aggregations to retrieve index and node metrics. For more information about the `size` parameter, see [Terms Aggregation](https://www.elastic.co/docs/reference/aggregations/search-aggregations-bucket-terms-aggregation#search-aggregations-bucket-terms-aggregation-size). Defaults to `10000`.
Datatype: `int`
Default: `10000`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the minimum number of seconds that a time bucket in a chart can represent. Defaults to 10. If you modify the `monitoring.ui.collection.interval` in `elasticsearch.yml`, use the same value in this setting.
Datatype: `int`
Default: `10`
Self-managed Elastic deployments: Generally available
Specifies how many seconds can pass before the Kibana status reports are considered stale. Defaults to `120`.
Datatype: `int`
Default: `120`
### Monitoring UI container settings
**Stack Monitoring** exposes the Cgroup statistics that we collect for you to make better decisions about your container performance, rather than guessing based on the overall machine performance. If you are not running your applications in a container, then Cgroup statistics are not useful.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
For Elasticsearch clusters that are running in containers, this setting changes the **Node Listing** to display the CPU utilization based on the reported Cgroup statistics. It also adds the calculated Cgroup CPU utilization to the **Node Overview** page instead of the overall operating system's CPU utilization. Defaults to `false`.
Datatype: `bool`
Default: `false`
Self-managed Elastic deployments: Generally available
For Logstash nodes that are running in containers, this setting changes the Logstash **Node Listing** to display the CPU utilization based on the reported Cgroup statistics. It also adds the calculated Cgroup CPU utilization to the Logstash node detail pages instead of the overall operating system's CPU utilization. Defaults to `false`.
Datatype: `bool`
Default: `false`
## kibana-security-settings.yml
You do not need to configure any additional settings to use the Elastic Stack security features in Kibana. They are enabled by default.
### Authentication security settings
You configure authentication settings in the `xpack.security.authc` namespace.
For example:
```yaml
xpack.security.authc:
providers:
basic.basic1:
order: 0
...
saml.saml1:
order: 1
...
saml.saml2:
order: 2
...
pki.realm3:
order: 3
...
...
```
1. Specifies the type of authentication provider (for example, `basic`, `token`, `saml`, `oidc`, `kerberos`, `pki`) and the provider name. This setting is mandatory.
2. Specifies the order of the provider in the authentication chain and on the Login Selector UI. This setting is mandatory.
3. Specifies the settings for the SAML authentication provider with a `saml1` name.
4. Specifies the settings for the SAML authentication provider with a `saml2` name.
### Valid settings for all authentication providers
The valid settings in the `xpack.security.authc.providers` namespace vary depending on the authentication provider type. For more information, refer to [Authentication](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/user-authentication).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Determines if the authentication provider should be enabled. By default, Kibana enables the provider as soon as you configure any of its properties.
Datatype: `bool`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Order of the provider in the authentication chain and on the Login Selector UI.
Datatype: `int`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Custom description of the provider entry displayed on the Login Selector UI.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Custom hint for the provider entry displayed on the Login Selector UI.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Custom icon for the provider entry displayed on the Login Selector UI.
Datatype: `string`
Elastic Stack: Generally available since 9.3
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the origin(s) where the provider will appear to users in the Login Selector UI. Each origin must be a valid URI only containing an origin. By default, providers are not restricted to specific origins.
Datatype: `string`
For example:
```yaml
xpack.security.authc:
providers:
basic.basic1:
origin: [http://localhost:5601, http://127.0.0.1:5601]
...
saml.saml1:
origin: https://elastic.co
...
```
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to `false` doesn't remove the provider from the authentication chain.
Datatype: `bool`
You are unable to set this setting to `false` for `basic` and `token` authentication providers.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Access agreement text in Markdown format. For more information, refer to [Access agreement](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/access-agreement).
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Ensures that user sessions will expire after a period of inactivity. Setting this to `0` will prevent sessions from expiring because of inactivity. By default, this setting is equal to [`xpack.security.session.idleTimeout`](#xpack-session-idleTimeout).
Datatype: `string`
Use a string of `[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. *20m*, *24h*, *7d*, *1w*).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Ensures that user sessions will expire after the defined time period. This behavior is also known as an "absolute timeout". If this is set to `0`, user sessions could stay active indefinitely. By default, this setting is equal to [`xpack.security.session.lifespan`](#xpack-session-lifespan).
Datatype: `string`
Use a string of `[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. *20m*, *24h*, *7d*, *1w*).
### SAML authentication provider settings
In addition to [the settings that are valid for all providers](#authentication-provider-settings), you can specify the following settings:
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
SAML realm in Elasticsearch that provider should use.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Determines if the provider should treat the `RelayState` parameter as a deep link in Kibana during Identity Provider initiated log in. By default, this setting is set to `false`. The link specified in `RelayState` should be a relative, URL-encoded Kibana URL. For example, the `/app/dashboards#/list` link in `RelayState` parameter would look like this: `RelayState=%2Fapp%2Fdashboards%23%2Flist`.
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.
Datatype: `string`
### Discontinued SAML settings
The following settings are available in Elastic Cloud for all supported versions before 8.0:
Elastic Stack: Unavailable
Elastic Cloud Hosted: Removed
Set to `saml` to instruct Kibana to use SAML SSO as the authentication method.
Datatype: `string`
Elastic Stack: Unavailable
Elastic Cloud Hosted: Removed
Set to HTTP or HTTPS. To access Kibana, HTTPS protocol is recommended.
Datatype: `enum`
Options:
- `http`
- `https`
Elastic Stack: Unavailable
Elastic Cloud Hosted: Removed
Set to a fully qualified hostname to connect your users to the proxy server.
Datatype: `string`
Elastic Stack: Unavailable
Elastic Cloud Hosted: Removed
The port number that connects your users to the proxy server (for example, 80 for HTTP or 443 for HTTPS).
Datatype: `int`
Elastic Stack: Unavailable
Elastic Cloud Hosted: Removed
Specifies if Kibana should treat the `RelayState` parameter as a deep link when Identity Provider Initiated login flow is used.
Datatype: `bool`
Elastic Stack: Unavailable
Elastic Cloud Hosted: Removed
Explicitly allows the SAML authentication URL within Kibana, so that the Kibana server doesn't reject external authentication messages that originate from your Identity Provider. This setting is renamed to `server.xsrf.allowlist` in version 8.0.0.
Datatype: `string`
### OpenID Connect authentication provider settings
In addition to [the settings that are valid for all providers](#authentication-provider-settings), you can specify the following settings:
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
OpenID Connect realm in Elasticsearch that the provider should use.
Datatype: `string`
### Anonymous authentication provider settings
In addition to [the settings that are valid for all providers](#authentication-provider-settings), you can specify the following settings:
For more information, refer to [Anonymous authentication](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication#anonymous-authentication).
You can configure only one anonymous provider per Kibana instance.
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Credentials that Kibana should use internally to authenticate anonymous requests to Elasticsearch.
Datatype: `string`
For example:
```yaml
xpack.security.authc.providers.anonymous.anonymous1:
credentials:
username: "anonymous_service_account"
password: "anonymous_service_account_password"
```
### HTTP authentication settings
There is a very limited set of cases when you'd want to change these settings. For more information, refer to [HTTP authentication](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication#http-authentication).
Self-managed Elastic deployments: Generally available
Determines if HTTP authentication should be enabled. By default, this setting is set to `true`.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
Determines if HTTP authentication schemes used by the enabled authentication providers should be automatically supported during HTTP authentication. By default, this setting is set to `true`.
Datatype: `bool`
Default: `true`
Self-managed Elastic deployments: Generally available
List of HTTP authentication schemes that Kibana HTTP authentication should support. By default, this setting is set to `['apikey', 'bearer']` to support HTTP authentication with the [`ApiKey`](https://www.elastic.co/docs/deploy-manage/api-keys/elasticsearch-api-keys) and [`Bearer`](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication#http-authentication) schemes.
Datatype: `string`
Default: `['apikey', 'bearer']`
### Login user interface settings
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Adds a message to the login UI. Useful for displaying information about maintenance windows, links to corporate sign up pages, and so on.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Adds a message accessible at the login UI with additional help information for the login process.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Determines if the login selector UI should be enabled. By default, this setting is set to `true` if more than one authentication provider is configured.
Datatype: `bool`
### Configure a default access agreement
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
This setting specifies the access agreement text in Markdown format that will be used as the default access agreement for all providers that do not specify a value for `xpack.security.authc.providers...accessAgreement.message`. For more information, refer to [Access agreement](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/access-agreement).
Datatype: `string`
### Session and cookie security settings
Self-managed Elastic deployments: Generally available
Sets the name of the cookie used for the session. The default value is `"sid"`.
Datatype: `string`
Default: `sid`
Self-managed Elastic deployments: Generally available
An arbitrary string of 32 characters or more that is used to encrypt session information. Do **not** expose this key to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts. In addition, high-availability deployments of Kibana will behave unexpectedly if this setting isn't the same for all instances of Kibana.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Sets the `secure` flag of the session cookie. The default value is `false`. It is automatically set to `true` if [`server.ssl.enabled`](https://www.elastic.co/docs/reference/kibana/configuration-reference/general-settings#server-ssl-enabled) is set to `true`. Set this to `true` if SSL is configured outside of Kibana (for example, you are routing requests through a load balancer or proxy).
Datatype: `bool`
Default: `false`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the `SameSite` attribute of the session cookie. This allows you to declare whether your cookie should be restricted to a first-party or same-site context. Valid values are `Strict`, `Lax`, `None`. This is **not set** by default, which modern browsers will treat as `Lax`. If you use Kibana embedded in an iframe in modern browsers, you might need to set it to `None`. Setting this value to `None` requires cookies to be sent over a secure connection by setting [`xpack.security.secureCookies`](#xpack-security-secureCookies): `true`.
Datatype: `enum`
Options:
- `Strict`
- `Lax`
- `None`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Ensures that user sessions will expire after a period of inactivity. This and [`xpack.security.session.lifespan`](#xpack-session-lifespan) are both highly recommended. You can also specify this setting for [every provider separately](#xpack-security-provider-session-idleTimeout). If this is set to `0`, then sessions will never expire due to inactivity. By default, this value is 3 days.
Datatype: `string`
Default: `3d`
Use a string of `[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. *20m*, *24h*, *7d*, *1w*).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Ensures that user sessions will expire after the defined time period. This behavior is also known as an "absolute timeout". If this is set to `0`, user sessions could stay active indefinitely. This and [`xpack.security.session.idleTimeout`](#xpack-session-idleTimeout) are both highly recommended. You can also specify this setting for [every provider separately](#xpack-security-provider-session-lifespan). By default, this value is 30 days for on-prem installations, and 24 hours for Elastic Cloud installations.
Datatype: `string`
Default: `30d (on-prem), 24h (Elastic Cloud)`
Use a string of `[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. *20m*, *24h*, *7d*, *1w*).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Sets the interval at which Kibana tries to remove expired and invalid sessions from the session index. By default, this value is 1 hour. The minimum value is 10 seconds.
Datatype: `string`
Default: `1h`
Use a string of `[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. *20m*, *24h*, *7d*, *1w*).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set the maximum number of sessions each user is allowed to have active at any given time. By default, no limit is applied. If set, the value of this option should be an integer between `1` and `1000`. When the limit is exceeded, the oldest session is automatically invalidated.
It is available in Elastic Cloud 8.7.0 and later versions.
Datatype: `int`
### Encrypted saved objects settings
These settings control the encryption of saved objects with sensitive data. For more details, refer to [Secure saved objects](https://www.elastic.co/docs/deploy-manage/security/secure-saved-objects).
Self-managed Elastic deployments: Generally available
An arbitrary string of at least 32 characters that is used to encrypt sensitive properties of saved objects before they're stored in Elasticsearch. If not set, Kibana will generate a random key on startup, but certain features won't be available until you set the encryption key explicitly.
Datatype: `string`
Self-managed Elastic deployments: Generally available
An optional list of previously used encryption keys. Like [`xpack.encryptedSavedObjects.encryptionKey`](#xpack-encryptedSavedObjects-encryptionKey), these must be at least 32 characters in length. Kibana doesn't use these keys for encryption, but may still require them to decrypt some existing saved objects. Use this setting if you wish to change your encryption key, but don't want to lose access to saved objects that were previously encrypted with a different key.
Datatype: `string`
### Audit logging settings
You can enable audit logging to support compliance, accountability, and security. When enabled, Kibana will capture:
- Who performed an action
- What action was performed
- When the action occurred
For more details and a reference of audit events, refer to [Audit logs](https://www.elastic.co/docs/reference/kibana/kibana-audit-events).
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Set to `true` to enable audit logging. **Default:** `false`
Datatype: `bool`
Default: `false`
For example:
```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
type: rolling-file
fileName: ./logs/audit.log
policy:
type: time-interval
interval: 24h
strategy:
type: numeric
max: 10
layout:
type: json
```
1. This appender is the default and will be used if no `appender.*` config options are specified.
2. Rotates log files every 24 hours.
3. Keeps maximum of 10 log files before deleting older ones.
Self-managed Elastic deployments: Generally available
Optional. Specifies where audit logs should be written to and how they should be formatted. If no appender is specified, a default appender will be used (see above).
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
Required. Specifies where audit logs should be written to. Allowed values are `console`, `file`, or `rolling-file`.
Refer to [file appender](#audit-logging-file-appender) and [rolling file appender](#audit-logging-rolling-file-appender) for appender specific settings.
Datatype: `enum`
Options:
- `console`
- `file`
- `rolling-file`
Self-managed Elastic deployments: Generally available
Required. Specifies how audit logs should be formatted. Allowed values are `json` or `pattern`.
Refer to [pattern layout](#audit-logging-pattern-layout) for layout specific settings.
Datatype: `enum`
Options:
- `json`
- `pattern`
We recommend using `json` format to allow ingesting Kibana audit logs into Elasticsearch using Filebeat.
### File appender
The `file` appender writes to a file and can be configured using the following settings:
Self-managed Elastic deployments: Generally available
Required. Full file path the log file should be written to.
Datatype: `string`
### Rolling file appender
The `rolling-file` appender writes to a file and rotates it using a rolling strategy, when a particular policy is triggered:
Self-managed Elastic deployments: Generally available
Required. Full file path the log file should be written to.
Datatype: `string`
Self-managed Elastic deployments: Generally available
Specifies when a rollover should occur. Allowed values are `size-limit` and `time-interval`. **Default:** `time-interval`.
Refer to [size limit policy](#audit-logging-size-limit-policy) and [time interval policy](#audit-logging-time-interval-policy) for policy specific settings.
Datatype: `enum`
Default: `time-interval`
Options:
- `size-limit`
- `time-interval`
Self-managed Elastic deployments: Generally available
Specifies how the rollover should occur. Only allowed value is currently `numeric`. **Default:** `numeric`
Refer to [numeric strategy](#audit-logging-numeric-strategy) for strategy specific settings.
Datatype: `enum`
Default: `numeric`
Options:
- `numeric`
### Size limit triggering policy
The `size-limit` triggering policy will rotate the file when it reaches a certain size:
Self-managed Elastic deployments: Generally available
Maximum size the log file should reach before a rollover should be performed. **Default:** `100mb`
Datatype: `string`
Default: `100mb`
### Time interval triggering policy
The `time-interval` triggering policy will rotate the file every given interval of time:
Self-managed Elastic deployments: Generally available
How often a rollover should occur. **Default:** `24h`
Datatype: `string`
Default: `24h`
Self-managed Elastic deployments: Generally available
Whether the interval should be adjusted to cause the next rollover to occur on the interval boundary. **Default:** `true`
Datatype: `bool`
Default: `true`
### Numeric rolling strategy
The `numeric` rolling strategy will suffix the log file with a given pattern when rolling over, and will retain a fixed number of rolled files:
Self-managed Elastic deployments: Generally available
Suffix to append to the file name when rolling over. Must include `%i`. **Default:** `-%i`
Datatype: `string`
Default: `-%i`
Self-managed Elastic deployments: Generally available
Maximum number of files to keep. Once this number is reached, oldest files will be deleted. **Default:** `7`
Datatype: `int`
Default: `7`
### Pattern layout
The `pattern` layout outputs a string, formatted using a pattern with special placeholders, which will be replaced with data from the actual log message:
Self-managed Elastic deployments: Generally available
Optional. Specifies how the log line should be formatted. **Default:** `[%date][%level][%logger]%meta %message`
Datatype: `string`
Default: `[%date][%level][%logger]%meta %message`
Self-managed Elastic deployments: Generally available
Optional. Set to `true` to enable highlighting log messages with colors.
Datatype: `bool`
### Ignore filters
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of filters that determine which events should be excluded from the audit log. An event will get filtered out if at least one of the provided filters matches.
Datatype: `string`
For example:
```yaml
xpack.security.audit.ignore_filters:
- actions: [http_request]
- categories: [database]
types: [creation, change, deletion]
- spaces: [default]
- users: [elastic, kibana_system]
```
1. Filters out HTTP request events
2. Filters out any data write events
3. Filters out events from the `default` space
4. Filters out events from the `elastic` and `kibana_system` users
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `event.action` field of an audit event. Refer to [Audit logs](https://www.elastic.co/docs/reference/kibana/kibana-audit-events) for a list of available events.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `event.category` field of an audit event. Refer to [ECS categorization field](https://www.elastic.co/docs/reference/ecs-allowed-values-event-category) for allowed values.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `event.outcome` field of an audit event. Refer to [ECS outcome field](https://www.elastic.co/docs/reference/ecs-allowed-values-event-outcome) for allowed values.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `kibana.space_id` field of an audit event. This represents the space id in which the event took place.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `event.type` field of an audit event. Refer to [ECS type field](https://www.elastic.co/docs/reference/ecs-allowed-values-event-type) for allowed values.
Datatype: `string`
Elastic Cloud Hosted: Generally available, Self-managed Elastic deployments: Generally available
List of values matched against the `user.name` field of an audit event. This represents the `username` associated with the audit event.
Datatype: `string`