Loading

Security settings in Kibana

You do not need to configure any additional settings to use the security features in Kibana. They are enabled by default.

Authentication security settings

You configure authentication settings in the xpack.security.authc namespace.

For example:

xpack.security.authc:
    providers:
      basic.basic1:
          order: 0
          ...

      saml.saml1:
          order: 1
          ...

      saml.saml2:
          order: 2
          ...

      pki.realm3:
          order: 3
          ...
    ...
  1. Specifies the type of authentication provider (for example, basic, token, saml, oidc, kerberos, pki) and the provider name. This setting is mandatory.
  2. Specifies the order of the provider in the authentication chain and on the Login Selector UI. This setting is mandatory.
  3. Specifies the settings for the SAML authentication provider with a saml1 name.
  4. Specifies the settings for the SAML authentication provider with a saml2 name.

Valid settings for all authentication providers

The valid settings in the xpack.security.authc.providers namespace vary depending on the authentication provider type. For more information, refer to Authentication.

xpack.security.authc.providers.<provider-type>.<provider-name>.enabled

Supported on:

Determines if the authentication provider should be enabled. By default, Kibana enables the provider as soon as you configure any of its properties.

Datatype: bool

xpack.security.authc.providers.<provider-type>.<provider-name>.order

Supported on:

Order of the provider in the authentication chain and on the Login Selector UI.

Datatype: int

xpack.security.authc.providers.<provider-type>.<provider-name>.description

Supported on:

Custom description of the provider entry displayed on the Login Selector UI.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.hint

Supported on:

Custom hint for the provider entry displayed on the Login Selector UI.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.icon

Supported on:

Custom icon for the provider entry displayed on the Login Selector UI.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.origin

Supported on:

Specifies the origin(s) where the provider will appear to users in the Login Selector UI. Each origin must be a valid URI only containing an origin. By default, providers are not restricted to specific origins.

Datatype: string

For example:

xpack.security.authc:
  providers:
    basic.basic1:
      origin: [http://localhost:5601, http://127.0.0.1:5601]
      ...

    saml.saml1:
      origin: https://elastic.co
      ...
xpack.security.authc.providers.<provider-type>.<provider-name>.showInSelector

Supported on:

Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to false doesn't remove the provider from the authentication chain.

Datatype: bool

Note

You are unable to set this setting to false for basic and token authentication providers.

xpack.security.authc.providers.<provider-type>.<provider-name>.accessAgreement.message

Supported on:

Access agreement text in Markdown format. For more information, refer to Access agreement.

Datatype: string

xpack.security.authc.providers.<provider-type>.<provider-name>.session.idleTimeout

Supported on:

Ensures that user sessions will expire after a period of inactivity. Setting this to 0 will prevent sessions from expiring because of inactivity. By default, this setting is equal to xpack.security.session.idleTimeout.

Datatype: string

Note

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.authc.providers.<provider-type>.<provider-name>.session.lifespan

Supported on:

Ensures that user sessions will expire after the defined time period. This behavior is also known as an "absolute timeout". If this is set to 0, user sessions could stay active indefinitely. By default, this setting is equal to xpack.security.session.lifespan.

Datatype: string

Note

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

SAML authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

xpack.security.authc.providers.saml.<provider-name>.realm

Supported on:

SAML realm in Elasticsearch that provider should use.

Datatype: string

xpack.security.authc.providers.saml.<provider-name>.maxRedirectURLSize

Supported on:

Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.

Datatype: string

Supported on:

Determines if the provider should treat the RelayState parameter as a deep link in Kibana during Identity Provider initiated log in. By default, this setting is set to false. The link specified in RelayState should be a relative, URL-encoded Kibana URL. For example, the /app/dashboards#/list link in RelayState parameter would look like this: RelayState=%2Fapp%2Fdashboards%23%2Flist.

Datatype: bool

Default: false

xpack.security.authc.saml.maxRedirectURLSize

Supported on:

Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.

Datatype: string

Discontinued SAML settings

The following settings are available in Elastic Cloud for all supported versions before 8.0:

xpack.security.authProviders

Supported on:

Set to saml to instruct Kibana to use SAML SSO as the authentication method.

Datatype: string

xpack.security.public.protocol

Supported on:

Set to HTTP or HTTPS. To access Kibana, HTTPS protocol is recommended.

Datatype: enum

Options:

  • http
  • https
xpack.security.public.hostname

Supported on:

Set to a fully qualified hostname to connect your users to the proxy server.

Datatype: string

xpack.security.public.port

Supported on:

The port number that connects your users to the proxy server (for example, 80 for HTTP or 443 for HTTPS).

Datatype: int

Supported on:

Specifies if Kibana should treat the RelayState parameter as a deep link when Identity Provider Initiated login flow is used.

Datatype: bool

server.xsrf.whitelist

Supported on:

Explicitly allows the SAML authentication URL within Kibana, so that the Kibana server doesn't reject external authentication messages that originate from your Identity Provider. This setting is renamed to server.xsrf.allowlist in version 8.0.0.

Datatype: string

OpenID Connect authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

xpack.security.authc.providers.oidc.<provider-name>.realm

Supported on:

OpenID Connect realm in Elasticsearch that the provider should use.

Datatype: string

Anonymous authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

For more information, refer to Anonymous authentication.

Note

You can configure only one anonymous provider per Kibana instance.

xpack.security.authc.providers.anonymous.<provider-name>.credentials

Supported on:

Credentials that Kibana should use internally to authenticate anonymous requests to Elasticsearch.

Datatype: string

For example:

xpack.security.authc.providers.anonymous.anonymous1:
  credentials:
    username: "anonymous_service_account"
    password: "anonymous_service_account_password"

HTTP authentication settings

There is a very limited set of cases when you'd want to change these settings. For more information, refer to HTTP authentication.

xpack.security.authc.http.enabled

Supported on:

Determines if HTTP authentication should be enabled. By default, this setting is set to true.

Datatype: bool

Default: true

xpack.security.authc.http.autoSchemesEnabled

Supported on:

Determines if HTTP authentication schemes used by the enabled authentication providers should be automatically supported during HTTP authentication. By default, this setting is set to true.

Datatype: bool

Default: true

xpack.security.authc.http.schemes[]

Supported on:

List of HTTP authentication schemes that Kibana HTTP authentication should support. By default, this setting is set to ['apikey', 'bearer'] to support HTTP authentication with the ApiKey and Bearer schemes.

Datatype: string

Default: ['apikey', 'bearer']

Login user interface settings

xpack.security.loginAssistanceMessage

Supported on:

Adds a message to the login UI. Useful for displaying information about maintenance windows, links to corporate sign up pages, and so on.

Datatype: string

xpack.security.loginHelp

Supported on:

Adds a message accessible at the login UI with additional help information for the login process.

Datatype: string

xpack.security.authc.selector.enabled

Supported on:

Determines if the login selector UI should be enabled. By default, this setting is set to true if more than one authentication provider is configured.

Datatype: bool

Configure a default access agreement

xpack.security.accessAgreement.message

Supported on:

This setting specifies the access agreement text in Markdown format that will be used as the default access agreement for all providers that do not specify a value for xpack.security.authc.providers.<provider-type>.<provider-name>.accessAgreement.message. For more information, refer to Access agreement.

Datatype: string

xpack.security.cookieName

Supported on:

Sets the name of the cookie used for the session. The default value is "sid".

Datatype: string

Default: sid

xpack.security.encryptionKey

Supported on:

An arbitrary string of 32 characters or more that is used to encrypt session information. Do not expose this key to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts. In addition, high-availability deployments of Kibana will behave unexpectedly if this setting isn't the same for all instances of Kibana.

Datatype: string

xpack.security.secureCookies

Supported on:

Sets the secure flag of the session cookie. The default value is false. It is automatically set to true if server.ssl.enabled is set to true. Set this to true if SSL is configured outside of Kibana (for example, you are routing requests through a load balancer or proxy).

Datatype: bool

Default: false

xpack.security.sameSiteCookies

Supported on:

Sets the SameSite attribute of the session cookie. This allows you to declare whether your cookie should be restricted to a first-party or same-site context. Valid values are Strict, Lax, None. This is not set by default, which modern browsers will treat as Lax. If you use Kibana embedded in an iframe in modern browsers, you might need to set it to None. Setting this value to None requires cookies to be sent over a secure connection by setting xpack.security.secureCookies: true.

Datatype: enum

Options:

  • Strict
  • Lax
  • None
xpack.security.session.idleTimeout

Supported on:

Ensures that user sessions will expire after a period of inactivity. This and xpack.security.session.lifespan are both highly recommended. You can also specify this setting for every provider separately. If this is set to 0, then sessions will never expire due to inactivity. By default, this value is 3 days.

Datatype: string

Default: 3d

Note

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.lifespan

Supported on:

Ensures that user sessions will expire after the defined time period. This behavior is also known as an "absolute timeout". If this is set to 0, user sessions could stay active indefinitely. This and xpack.security.session.idleTimeout are both highly recommended. You can also specify this setting for every provider separately. By default, this value is 30 days for on-prem installations, and 24 hours for Elastic Cloud installations.

Datatype: string

Default: 30d (on-prem), 24h (Elastic Cloud)

Tip

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.cleanupInterval

Supported on:

Sets the interval at which Kibana tries to remove expired and invalid sessions from the session index. By default, this value is 1 hour. The minimum value is 10 seconds.

Datatype: string

Default: 1h

Tip

Use a string of <count>[ms\|s\|m\|h\|d\|w\|M\|Y] (e.g. 20m, 24h, 7d, 1w).

xpack.security.session.concurrentSessions.maxSessions

Supported on:

Set the maximum number of sessions each user is allowed to have active at any given time. By default, no limit is applied. If set, the value of this option should be an integer between 1 and 1000. When the limit is exceeded, the oldest session is automatically invalidated. It is available in Elastic Cloud 8.7.0 and later versions.

Datatype: int

Encrypted saved objects settings

These settings control the encryption of saved objects with sensitive data. For more details, refer to Secure saved objects.

xpack.encryptedSavedObjects.encryptionKey

Supported on:

An arbitrary string of at least 32 characters that is used to encrypt sensitive properties of saved objects before they're stored in Elasticsearch. If not set, Kibana will generate a random key on startup, but certain features won't be available until you set the encryption key explicitly.

Datatype: string

xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys

Supported on:

An optional list of previously used encryption keys. Like xpack.encryptedSavedObjects.encryptionKey, these must be at least 32 characters in length. Kibana doesn't use these keys for encryption, but may still require them to decrypt some existing saved objects. Use this setting if you wish to change your encryption key, but don't want to lose access to saved objects that were previously encrypted with a different key.

Datatype: string

Audit logging settings

You can enable audit logging to support compliance, accountability, and security. When enabled, Kibana will capture:

  • Who performed an action
  • What action was performed
  • When the action occurred

For more details and a reference of audit events, refer to Audit logs.

xpack.security.audit.enabled

Supported on:

Set to true to enable audit logging. Default: false

Datatype: bool

Default: false

For example:

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: ./logs/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10
  layout:
    type: json
  1. This appender is the default and will be used if no appender.* config options are specified.
  2. Rotates log files every 24 hours.
  3. Keeps maximum of 10 log files before deleting older ones.
xpack.security.audit.appender

Supported on:

Optional. Specifies where audit logs should be written to and how they should be formatted. If no appender is specified, a default appender will be used (see above).

Datatype: string

xpack.security.audit.appender.type

Supported on:

Required. Specifies where audit logs should be written to. Allowed values are console, file, or rolling-file.

Refer to file appender and rolling file appender for appender specific settings.

Datatype: enum

Options:

  • console
  • file
  • rolling-file
xpack.security.audit.appender.layout.type

Supported on:

Required. Specifies how audit logs should be formatted. Allowed values are json or pattern.

Refer to pattern layout for layout specific settings.

Datatype: enum

Options:

  • json
  • pattern
Tip

We recommend using json format to allow ingesting Kibana audit logs into Elasticsearch using Filebeat.

File appender

The file appender writes to a file and can be configured using the following settings:

xpack.security.audit.appender.fileName

Supported on:

Required. Full file path the log file should be written to.

Datatype: string

Rolling file appender

The rolling-file appender writes to a file and rotates it using a rolling strategy, when a particular policy is triggered:

xpack.security.audit.appender.fileName

Supported on:

Required. Full file path the log file should be written to.

Datatype: string

xpack.security.audit.appender.policy.type

Supported on:

Specifies when a rollover should occur. Allowed values are size-limit and time-interval. Default: time-interval.

Refer to size limit policy and time interval policy for policy specific settings.

Datatype: enum

Default: time-interval

Options:

  • size-limit
  • time-interval
xpack.security.audit.appender.strategy.type

Supported on:

Specifies how the rollover should occur. Only allowed value is currently numeric. Default: numeric

Refer to numeric strategy for strategy specific settings.

Datatype: enum

Default: numeric

Options:

  • numeric

Size limit triggering policy

The size-limit triggering policy will rotate the file when it reaches a certain size:

xpack.security.audit.appender.policy.size

Supported on:

Maximum size the log file should reach before a rollover should be performed. Default: 100mb

Datatype: string

Default: 100mb

Time interval triggering policy

The time-interval triggering policy will rotate the file every given interval of time:

xpack.security.audit.appender.policy.interval

Supported on:

How often a rollover should occur. Default: 24h

Datatype: string

Default: 24h

xpack.security.audit.appender.policy.modulate

Supported on:

Whether the interval should be adjusted to cause the next rollover to occur on the interval boundary. Default: true

Datatype: bool

Default: true

Numeric rolling strategy

The numeric rolling strategy will suffix the log file with a given pattern when rolling over, and will retain a fixed number of rolled files:

xpack.security.audit.appender.strategy.pattern

Supported on:

Suffix to append to the file name when rolling over. Must include %i. Default: -%i

Datatype: string

Default: -%i

xpack.security.audit.appender.strategy.max

Supported on:

Maximum number of files to keep. Once this number is reached, oldest files will be deleted. Default: 7

Datatype: int

Default: 7

Pattern layout

The pattern layout outputs a string, formatted using a pattern with special placeholders, which will be replaced with data from the actual log message:

xpack.security.audit.appender.layout.pattern

Supported on:

Optional. Specifies how the log line should be formatted. Default: [%date][%level][%logger]%meta %message

Datatype: string

Default: [%date][%level][%logger]%meta %message

xpack.security.audit.appender.layout.highlight

Supported on:

Optional. Set to true to enable highlighting log messages with colors.

Datatype: bool

Ignore filters

xpack.security.audit.ignore_filters[]

Supported on:

List of filters that determine which events should be excluded from the audit log. An event will get filtered out if at least one of the provided filters matches.

Datatype: string

For example:

xpack.security.audit.ignore_filters:
- actions: [http_request]
- categories: [database]
  types: [creation, change, deletion]
- spaces: [default]
- users: [elastic, kibana_system]
  1. Filters out HTTP request events
  2. Filters out any data write events
  3. Filters out events from the default space
  4. Filters out events from the elastic and kibana_system users
xpack.security.audit.ignore_filters[].actions[]

Supported on:

List of values matched against the event.action field of an audit event. Refer to Audit logs for a list of available events.

Datatype: string

xpack.security.audit.ignore_filters[].categories[]

Supported on:

List of values matched against the event.category field of an audit event. Refer to ECS categorization field for allowed values.

Datatype: string

xpack.security.audit.ignore_filters[].outcomes[]

Supported on:

List of values matched against the event.outcome field of an audit event. Refer to ECS outcome field for allowed values.

Datatype: string

xpack.security.audit.ignore_filters[].spaces[]

Supported on:

List of values matched against the kibana.space_id field of an audit event. This represents the space id in which the event took place.

Datatype: string

xpack.security.audit.ignore_filters[].types[]

Supported on:

List of values matched against the event.type field of an audit event. Refer to ECS type field for allowed values.

Datatype: string

xpack.security.audit.ignore_filters[].users[]

Supported on:

List of values matched against the user.name field of an audit event. This represents the username associated with the audit event.

Datatype: string