88e6d24d77
* [DOCS] Removed ss above spatial references * Removed above from n numeral formatting page
[[settings]]
== Configuring {kib}

The {kib} server reads properties from the `kibana.yml` file on startup. The
location of this file differs depending on how you installed {kib}. For example,
if you installed {kib} from an archive distribution (`.tar.gz` or `.zip`), by
default it is in `$KIBANA_HOME/config`. By default, with package distributions
(Debian or RPM), it is in `/etc/kibana`.

The default host and port settings configure {kib} to run on `localhost:5601`. To change this behavior and allow remote users to connect, you'll need to update your `kibana.yml` file. You can also enable SSL and set a
variety of other options. Finally, environment variables can be injected into
configuration using `${MY_ENV_VAR}` syntax.

.Kibana configuration settings

`console.enabled:`:: *Default: true* Set to false to disable Console. Toggling
this will cause the server to regenerate assets on the next startup, which may
cause a delay before pages start being served.

`cpu.cgroup.path.override:`:: Override for cgroup cpu path when mounted in a
manner that is inconsistent with `/proc/self/cgroup`.

`cpuacct.cgroup.path.override:`:: Override for cgroup cpuacct path when mounted
in a manner that is inconsistent with `/proc/self/cgroup`.

`csp.rules:`:: A template
https://w3c.github.io/webappsec-csp/[content-security-policy] that disables
certain unnecessary and potentially insecure capabilities in the browser. We
strongly recommend that you keep the default CSP rules that ship with {kib}.

`csp.strict:`:: *Default: `false`* Blocks access to {kib} to any browser that
does not enforce even rudimentary CSP rules. In practice, this will disable
support for older, less safe browsers like Internet Explorer.
See <<csp-strict-mode, Content Security Policy>> for more information.

`csp.warnLegacyBrowsers:`:: *Default: `true`* Shows a warning message after
loading {kib} to any browser that does not enforce even rudimentary CSP rules,
though {kib} is still accessible. This configuration is effectively ignored
when `csp.strict` is enabled.

`elasticsearch.customHeaders:`:: *Default: `{}`* Header names and values to send
to Elasticsearch. Any custom headers cannot be overwritten by client-side
headers, regardless of the `elasticsearch.requestHeadersWhitelist` configuration.

`elasticsearch.hosts:`:: *Default: `[ "http://localhost:9200" ]`* The URLs of the {es} instances to use for all your queries. All nodes
listed here must be on the same cluster.
+
To enable SSL/TLS for outbound connections to {es}, use the `https` protocol in this setting.

`elasticsearch.logQueries:`:: *Default: `false`* Logs queries sent to
Elasticsearch. Requires `logging.verbose` set to `true`. This is useful for
seeing the query DSL generated by applications that currently do not have an
inspector, for example Timelion and Monitoring.

`elasticsearch.pingTimeout:`::
*Default: the value of the `elasticsearch.requestTimeout` setting* Time in
milliseconds to wait for {es} to respond to pings.

`elasticsearch.preserveHost:`:: *Default: true* When this setting’s value is
true, {kib} uses the hostname specified in the `server.host` setting. When the
value of this setting is `false`, {kib} uses the hostname of the host that
connects to this {kib} instance.

`elasticsearch.requestHeadersWhitelist:`:: *Default: `[ 'authorization' ]`* List
of {kib} client-side headers to send to {es}. To send *no* client-side
headers, set this value to `[]` (an empty list).
Removing the `authorization` header from being whitelisted means that you cannot
use <<basic-authentication, basic authentication>> in {kib}.

`elasticsearch.requestTimeout:`:: *Default: 30000* Time in milliseconds to wait
for responses from the back end or {es}. This value must be a positive
integer.

`elasticsearch.shardTimeout:`:: *Default: 30000* Time in milliseconds for
{es} to wait for responses from shards. Set to 0 to disable.

`elasticsearch.sniffInterval:`:: *Default: false* Time in milliseconds between
requests to check {es} for an updated list of nodes.

`elasticsearch.sniffOnConnectionFault:`:: *Default: false* Update the list of
{es} nodes immediately following a connection fault.

`elasticsearch.sniffOnStart:`:: *Default: false* Attempt to find other
{es} nodes on startup.

`elasticsearch.ssl.alwaysPresentCertificate:`:: *Default: false* Controls {kib}'s behavior in regard to presenting a client certificate when
requested by {es}. This setting applies to all outbound SSL/TLS connections to {es}, including requests that are proxied for end users.
+
WARNING: If {es} uses certificates to authenticate end users with a PKI realm and `elasticsearch.ssl.alwaysPresentCertificate` is `true`,
proxied requests may be executed as the identity that is tied to the {kib} server.

`elasticsearch.ssl.certificate:` and `elasticsearch.ssl.key:`:: Paths to a PEM-encoded X.509 client certificate and its corresponding
private key. These are used by {kib} to authenticate itself when making outbound SSL/TLS connections to {es}. For this setting to take
effect, the `xpack.security.http.ssl.client_authentication` setting in {es} must also be set to `"required"` or `"optional"` to request a
client certificate from {kib}.
+
NOTE: These settings cannot be used in conjunction with `elasticsearch.ssl.keystore.path`.

`elasticsearch.ssl.certificateAuthorities:`:: Paths to one or more PEM-encoded X.509 certificate authority (CA) certificates which make up a
trusted certificate chain for {es}. This chain is used by {kib} to establish trust when making outbound SSL/TLS connections to {es}.
+
In addition to this setting, trusted certificates may be specified via `elasticsearch.ssl.keystore.path` and/or
`elasticsearch.ssl.truststore.path`.

`elasticsearch.ssl.keyPassphrase:`:: The password that will be used to decrypt the private key that is specified via
`elasticsearch.ssl.key`. This value is optional, as the key may not be encrypted.

`elasticsearch.ssl.keystore.path:`:: Path to a PKCS#12 keystore that contains an X.509 client certificate and its corresponding private key.
These are used by {kib} to authenticate itself when making outbound SSL/TLS connections to {es}. For this setting to take effect, the
`xpack.security.http.ssl.client_authentication` setting in {es} must also be set to `"required"` or `"optional"` to request a client
certificate from {kib}.
+
--
If the keystore contains any additional certificates, those will be used as a trusted certificate chain for {es}. This chain is used by
{kib} to establish trust when making outbound SSL/TLS connections to {es}. In addition to this setting, trusted certificates may be
specified via `elasticsearch.ssl.certificateAuthorities` and/or `elasticsearch.ssl.truststore.path`.

NOTE: This setting cannot be used in conjunction with `elasticsearch.ssl.certificate` or `elasticsearch.ssl.key`.
--

`elasticsearch.ssl.keystore.password:`:: The password that will be used to decrypt the keystore that is specified via
`elasticsearch.ssl.keystore.path`. If the keystore has no password, leave this unset. If the keystore has an empty password, set this to
`""`.

`elasticsearch.ssl.truststore.path:`:: Path to a PKCS#12 trust store that contains one or more X.509 certificate authority (CA) certificates
which make up a trusted certificate chain for {es}. This chain is used by {kib} to establish trust when making outbound SSL/TLS connections
to {es}.
+
In addition to this setting, trusted certificates may be specified via `elasticsearch.ssl.certificateAuthorities` and/or
`elasticsearch.ssl.keystore.path`.

`elasticsearch.ssl.truststore.password:`:: The password that will be used to decrypt the trust store specified via
`elasticsearch.ssl.truststore.path`. If the trust store has no password, leave this unset. If the trust store has an empty password, set
this to `""`.

`elasticsearch.ssl.verificationMode:`:: *Default: `"full"`* Controls the verification of the server certificate that {kib} receives when
making an outbound SSL/TLS connection to {es}. Valid values are `"full"`, `"certificate"`, and `"none"`. Using `"full"` will perform
hostname verification, using `"certificate"` will skip hostname verification, and using `"none"` will skip verification entirely.

`elasticsearch.startupTimeout:`:: *Default: 5000* Time in milliseconds to wait
for {es} at {kib} startup before retrying.

`elasticsearch.username:` and `elasticsearch.password:`:: When {es}
is protected with basic authentication, these settings provide the username and
password that the {kib} server uses to perform maintenance on the {kib} index
at startup. Your {kib} users still need to authenticate with {es},
which is proxied through the {kib} server.

`interpreter.enableInVisualize`:: *Default: true* Enables use of interpreter in
Visualize.

`kibana.defaultAppId:`:: *Default: "home"* The default application to load.

`kibana.index:`:: *Default: ".kibana"* {kib} uses an index in {es} to
store saved searches, visualizations, and dashboards. {kib} creates a new index
if the index doesn’t already exist. If you configure a custom index, the name must
be lowercase, and conform to {es} {ref}/indices-create-index.html[index name limitations].
+
When running multiple tenants of {kib} by changing the `kibana.index` in your `kibana.yml`,
you cannot use the `kibana_user` or `kibana_dashboard_only_user` roles
to grant access to {kib}.
You must create custom roles that authorize the user for that specific tenant.
Although multi-tenant installations are supported, the recommended approach
to securing access to {kib} segments is to grant users access to specific spaces.

`kibana.autocompleteTimeout:`:: *Default: "1000"* Time in milliseconds to wait
for autocomplete suggestions from {es}. This value must be a whole number
greater than zero.

`kibana.autocompleteTerminateAfter:`:: *Default: "100000"* Maximum number of
documents loaded by each shard to generate autocomplete suggestions. This value
must be a whole number greater than zero.

`logging.dest:`:: *Default: `stdout`* Enables you to specify a file where {kib}
stores log output.

`logging.json:`:: *Default: false* Logs output as JSON. When set to `true`, the
logs will be formatted as JSON strings that include timestamp, log level, context, message
text and any other metadata that may be associated with the log message itself.
If `logging.dest.stdout` is set and there is no interactive terminal ("TTY"), this setting
will default to `true`.

`logging.quiet:`:: *Default: false* Set the value of this setting to `true` to
suppress all logging output other than error messages.

`logging.rotate:`:: [experimental] Specifies the options for the logging rotate feature.
When not defined, the defaults for all sub-options are applied.
The following example shows a valid logging rotate configuration:
+
--
  logging.rotate:
    enabled: true
    everyBytes: 10485760
    keepFiles: 10
--

`logging.rotate.enabled:`:: [experimental] *Default: false* Set the value of this setting to `true` to
enable log rotation. This feature has no effect unless `logging.dest` is set to a value
other than `stdout`.

`logging.rotate.everyBytes:`:: [experimental] *Default: 10485760* The maximum size of a log file (this is not an exact limit). After the
limit is reached, a new log file is generated. The default size limit is 10485760 (10 MB) and
this option should be in the range of 102400 (100KB) to 1073741824 (1GB).

`logging.rotate.keepFiles:`:: [experimental] *Default: 7* The number of most recent rotated log files to keep
on disk. Older files are deleted during log rotation. The default value is 7. The `logging.rotate.keepFiles`
option has to be in the range of 2 to 1024 files.

`logging.rotate.pollingInterval:`:: [experimental] *Default: 10000* The number of milliseconds for the polling strategy when
`logging.rotate.usePolling` is enabled. This option has to be in the range of 5000 to 3600000 milliseconds.

`logging.rotate.usePolling:`:: [experimental] *Default: false* By default we try to determine the best way to monitor
the log file. However, on some systems this is not always accurate. In those cases, if needed,
the `polling` method can be used by enabling this option.

`logging.silent:`:: *Default: false* Set the value of this setting to `true` to
suppress all logging output.

`logging.timezone`:: *Default: UTC* Set to the canonical timezone id
(for example, `America/Los_Angeles`) to log events using that timezone. A list of timezones can
be referenced at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.

[[logging-verbose]]`logging.verbose:`:: *Default: false* Set the value of this
setting to `true` to log all events, including system usage information and all
requests. Supported on {ece}.

`map.includeElasticMapsService:`:: *Default: true*
To disable connections to Elastic Maps Service, set to `false`.
When `includeElasticMapsService` is turned off, only the vector layers configured by `map.regionmap`,
and the tile layer configured by `map.tilemap.url`, are available in the <<maps,Maps application>>,
<<coordinate-map,Coordinate map visualizations>>, and <<region-map,Region map visualizations>>.

`map.proxyElasticMapsServiceInMaps:`:: *Default: false*
Set to true to proxy all <<maps,Maps application>> Elastic Maps Service requests through the {kib} server.
This setting does not impact <<coordinate-map,Coordinate map visualizations>> and <<region-map,Region map visualizations>>.

[[regionmap-settings]] `map.regionmap:`:: Specifies additional vector layers for
use in <<region-map,Region Map>> visualizations. Supported on {ece}. Each layer
object points to an external vector file that contains a geojson
FeatureCollection. The file must use the
https://en.wikipedia.org/wiki/World_Geodetic_System[WGS84 coordinate reference system (EPSG:4326)]
and only include polygons. If the file is hosted on a separate domain from
Kibana, the server needs to be CORS-enabled so Kibana can download the file.
[[region-map-configuration-example]]
The following example shows a valid region map configuration.
+
--
    map:
      includeElasticMapsService: false
      regionmap:
        layers:
          - name: "Departments of France"
            url: "http://my.cors.enabled.server.org/france_departements.geojson"
            attribution: "INRAP"
            fields:
              - name: "department"
                description: "Full department name"
              - name: "INSEE"
                description: "INSEE numeric identifier"
--

[[regionmap-ES-map]]`map.includeElasticMapsService:`:: Specifies
the option to include layers from the Elastic Maps Service in the vector
layer option list. Supported on {ece}. When off, only the configured layers are included.
The default is `true`. This option also specifies if the tile-service from the Elastic Maps Service is available.

[[regionmap-attribution]]`map.regionmap.layers[].attribution:`:: Optional.
References the originating source of the geojson file. Supported on {ece}.

[[regionmap-fields]]`map.regionmap.layers[].fields[]:`:: Mandatory. Each layer
can contain multiple fields to indicate what properties from the geojson
features you wish to expose. This <<region-map-configuration-example,region map example>> shows how to define multiple
properties. Supported on {ece}.

[[regionmap-field-description]]`map.regionmap.layers[].fields[].description:`::
Mandatory. The human readable text that is shown under the Options tab when
building the Region Map visualization. Supported on {ece}.

[[regionmap-field-name]]`map.regionmap.layers[].fields[].name:`:: Mandatory.
This value is used to do an inner-join between the document stored in
{es} and the geojson file. For example, if the field in the geojson is
called `Location` and has city names, there must be a field in {es}
that holds the same values that {kib} can then use to look up the geoshape
data. Supported on {ece}.

[[regionmap-name]]`map.regionmap.layers[].name:`:: Mandatory. A description of
the map being provided. Supported on {ece}.

[[regionmap-url]]`map.regionmap.layers[].url:`:: Mandatory. The location of the
geojson file as provided by a webserver. Supported on {ece}.

[[tilemap-settings]] `map.tilemap.options.attribution:`::
*Default: `"© [Elastic Maps Service](https://www.elastic.co/elastic-maps-service)"`*
The map attribution string. Supported on {ece}.

[[tilemap-max-zoom]]`map.tilemap.options.maxZoom:`:: *Default: 10* The maximum
zoom level. Supported on {ece}.

[[tilemap-min-zoom]]`map.tilemap.options.minZoom:`:: *Default: 1* The minimum
zoom level. Supported on {ece}.

[[tilemap-subdomains]]`map.tilemap.options.subdomains:`:: An array of subdomains
used by the tile service. Specify the position of the subdomain in the URL with the
token `{s}`. Supported on {ece}.

[[tilemap-url]]`map.tilemap.url:`:: The URL to the tileservice that {kib} uses
to display map tiles in tilemap visualizations. Supported on {ece}. By default,
{kib} reads this URL from an external metadata service, but users can still
override this parameter to use their own Tile Map Service. For example:
`"https://tiles.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana"`

`ops.interval:`:: *Default: 5000* Set the interval in milliseconds to sample
system and process performance metrics. The minimum value is 100.

`newsfeed.enabled:`:: *Default: `true`* Controls whether to enable the newsfeed
system for the {kib} UI notification center. Set to `false` to disable the
newsfeed system.

`path.data:`:: *Default: `data`* The path where {kib} stores persistent data
not saved in {es}.

`pid.file:`:: Specifies the path where {kib} creates the process ID file.

`server.basePath:`:: Enables you to specify a path to mount {kib} at if you are
running behind a proxy. Use the `server.rewriteBasePath` setting to tell {kib}
if it should remove the basePath from requests it receives, and to prevent a
deprecation warning at startup. This setting cannot end in a slash (`/`).

[[server-compression]]`server.compression.enabled:`:: *Default: `true`* Set to `false` to disable HTTP compression for all responses.

`server.compression.referrerWhitelist:`:: *Default: none* Specifies an array of trusted hostnames, such as the {kib} host, or a reverse
proxy sitting in front of it. This determines whether HTTP compression may be used for responses, based on the request's `Referer` header.
This setting may not be used when `server.compression.enabled` is set to `false`.

`server.customResponseHeaders:`:: *Default: `{}`* Header names and values to
send on all responses to the client from the {kib} server.

`server.host:`:: *Default: "localhost"* This setting specifies the host of the
back end server. To allow remote users to connect, set the value to the IP address or DNS name of the {kib} server.

`server.keepaliveTimeout:`:: *Default: "120000"* The number of milliseconds to wait for additional data before restarting
the `server.socketTimeout` counter.

`server.maxPayloadBytes:`:: *Default: 1048576* The maximum payload size in bytes
for incoming server requests.

`server.name:`:: *Default: "your-hostname"* A human-readable display name that
identifies this {kib} instance.

`server.port:`:: *Default: 5601* {kib} is served by a back end server. This
setting specifies the port to use.

`server.rewriteBasePath:`:: *Default: false* Deprecated setting that specifies if {kib} should
rewrite requests that are prefixed with `server.basePath`, or require that they
are rewritten by your reverse proxy.

`server.socketTimeout:`:: *Default: "120000"* The number of milliseconds to wait before closing an
inactive socket.

`server.ssl.certificate:` and `server.ssl.key:`:: Paths to a PEM-encoded X.509 server certificate and its corresponding private key. These
are used by {kib} to establish trust when receiving inbound SSL/TLS connections from end users.
+
NOTE: These settings cannot be used in conjunction with `server.ssl.keystore.path`.

`server.ssl.certificateAuthorities:`:: Paths to one or more PEM-encoded X.509 certificate authority (CA) certificates which make up a
trusted certificate chain for {kib}. This chain is used by {kib} to establish trust when receiving inbound SSL/TLS connections from end
users. If PKI authentication is enabled, this chain is also used by {kib} to verify client certificates from end users.
+
In addition to this setting, trusted certificates may be specified via `server.ssl.keystore.path` and/or `server.ssl.truststore.path`.

`server.ssl.cipherSuites:`::
*Default: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA*.
Details on the format, and the valid options, are available via the
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT[OpenSSL cipher list format documentation].

`server.ssl.clientAuthentication:`:: *Default: `"none"`* Controls {kib}’s behavior in regard to requesting a certificate from client
connections. Valid values are `"required"`, `"optional"`, and `"none"`. Using `"required"` will refuse to establish the connection unless a
client presents a certificate, using `"optional"` will allow a client to present a certificate if it has one, and using `"none"` will
prevent a client from presenting a certificate.

`server.ssl.enabled:`:: *Default: `false`* Enables SSL/TLS for inbound connections to {kib}. When set to `true`, a certificate and its
corresponding private key must be provided. These can be specified via `server.ssl.keystore.path` or the combination of
`server.ssl.certificate` and `server.ssl.key`.

`server.ssl.keyPassphrase:`:: The password that will be used to decrypt the private key that is specified via `server.ssl.key`. This value
is optional, as the key may not be encrypted.

`server.ssl.keystore.path:`:: Path to a PKCS#12 keystore that contains an X.509 server certificate and its corresponding private key. If the
keystore contains any additional certificates, those will be used as a trusted certificate chain for {kib}. All of these are used by {kib}
to establish trust when receiving inbound SSL/TLS connections from end users. The certificate chain is also used by {kib} to verify client
certificates from end users when PKI authentication is enabled.
+
--
In addition to this setting, trusted certificates may be specified via `server.ssl.certificateAuthorities` and/or
`server.ssl.truststore.path`.

NOTE: This setting cannot be used in conjunction with `server.ssl.certificate` or `server.ssl.key`.
--

`server.ssl.keystore.password:`:: The password that will be used to decrypt the keystore specified via `server.ssl.keystore.path`. If the
keystore has no password, leave this unset. If the keystore has an empty password, set this to `""`.

`server.ssl.truststore.path:`:: Path to a PKCS#12 trust store that contains one or more X.509 certificate authority (CA) certificates which
make up a trusted certificate chain for {kib}. This chain is used by {kib} to establish trust when receiving inbound SSL/TLS connections
from end users. If PKI authentication is enabled, this chain is also used by {kib} to verify client certificates from end users.
+
In addition to this setting, trusted certificates may be specified via `server.ssl.certificateAuthorities` and/or
`server.ssl.keystore.path`.

`server.ssl.truststore.password:`:: The password that will be used to decrypt the trust store specified via `server.ssl.truststore.path`. If
the trust store has no password, leave this unset. If the trust store has an empty password, set this to `""`.

`server.ssl.redirectHttpFromPort:`:: {kib} binds to this port and redirects
all http requests to https over the port configured as `server.port`.

`server.ssl.supportedProtocols:`:: *Default: TLSv1.1, TLSv1.2* An array of
supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`.

`server.xsrf.whitelist:`:: It is not recommended to disable protections for
arbitrary API endpoints. Instead, supply the `kbn-xsrf` header. There are some
scenarios where whitelisting is required, however, such as
<<kibana-authentication, SAML and OpenID Connect Single Sign-On setups>>.
The `server.xsrf.whitelist` setting requires the following format:

[source,text]

----
*Default: [ ]* An array of API endpoints which should be exempt from Cross-Site Request Forgery ("XSRF") protections.
----

`status.allowAnonymous:`:: *Default: false* If authentication is enabled,
setting this to `true` enables unauthenticated users to access the {kib} server
status API and status page.

`telemetry.allowChangingOptInStatus`:: *Default: true*. If `true`,
users are able to change the telemetry setting at a later time in
<<advanced-options, Advanced Settings>>. If `false`,
{kib} looks at the value of `telemetry.optIn` to determine whether to send
telemetry data or not. `telemetry.allowChangingOptInStatus` and `telemetry.optIn`
cannot be `false` at the same time.

`telemetry.optIn`:: *Default: true* If `true`, telemetry data is sent to Elastic.
If `false`, collection of telemetry data is disabled.
To enable telemetry and prevent users from disabling it,
set `telemetry.allowChangingOptInStatus` to `false` and `telemetry.optIn` to `true`.

`telemetry.enabled`:: *Default: true* Reporting your cluster statistics helps
us improve your user experience. Your data is never shared with anyone. Set to
`false` to disable telemetry capabilities entirely. You can alternatively opt
out through the *Advanced Settings* in {kib}.

`vis_type_vega.enableExternalUrls:`:: *Default: false* Set this value to true to allow Vega to use any URL to access external data sources and images. If false, Vega can only get data from {es}.

`xpack.license_management.enabled`:: *Default: true* Set this value to false to
disable the License Management user interface.

`xpack.rollup.enabled:`:: *Default: true* Set this value to false to disable the
Rollup user interface.

`i18n.locale`:: *Default: en* Set this value to change the {kib} interface language. Valid locales are: `en`, `zh-CN`, `ja-JP`.

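
Several of the settings above constrain one another: a PEM certificate and key versus a PKCS#12 keystore, the `verificationMode` and `supportedProtocols` values, and the two telemetry flags. The following Python script is an added example, not part of the {kib} documentation or code, that checks a configuration against those rules; it assumes a flat, dotted-key `kibana.yml`, and the names `parse_flat`, `as_list`, `lint`, `WEAK` and `FIXED` as well as the sample hosts and paths are made up for illustration.

```python
# Added example (not Kibana code): lint kibana.yml against rules stated on this page.
# Assumption: each setting is one flat `dotted.key: value` line, with no nesting.
VALID_MODES = {"full", "certificate", "none"}
VALID_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_flat(text):
    """Return {key: value}; a value becomes a bool, a list of str, or a str."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        key, value = key.strip(), value.strip()
        if value.startswith("[") and value.endswith("]"):
            items = (v.strip().strip("\"'") for v in value[1:-1].split(","))
            settings[key] = [v for v in items if v]
        elif value in ("true", "false"):
            settings[key] = value == "true"
        else:
            settings[key] = value.strip("\"'")
    return settings


def as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint(settings):
    """Return (severity, message) findings for one parsed configuration."""
    out, has, get = [], settings.__contains__, settings.get
    # A PEM certificate/key and a PKCS#12 keystore are mutually exclusive.
    for p in ("elasticsearch.ssl", "server.ssl"):
        pem = [k for k in (p + ".certificate", p + ".key") if has(k)]
        if pem and has(p + ".keystore.path"):
            out.append(("error", f"{p}.keystore.path cannot be used with {pem[0]}"))
    # Inbound TLS needs key material from one of those two sources.
    if get("server.ssl.enabled") is True:
        pem_pair = has("server.ssl.certificate") and has("server.ssl.key")
        if not (pem_pair or has("server.ssl.keystore.path")):
            out.append(("error", "server.ssl.enabled needs a certificate and key"))
    mode = get("elasticsearch.ssl.verificationMode", "full")
    if mode not in VALID_MODES:
        out.append(("error", f"invalid verificationMode {mode!r}"))
    elif mode != "full":
        skipped = "hostname verification" if mode == "certificate" else "all verification"
        out.append(("warn", f"verificationMode {mode!r} skips {skipped}"))
    for host in as_list(get("elasticsearch.hosts", ["http://localhost:9200"])):
        if not host.startswith("https://"):  # TLS is selected by the URL scheme
            out.append(("warn", f"{host}: outbound connection is not SSL/TLS"))
    if get("elasticsearch.ssl.alwaysPresentCertificate") is True:
        out.append(("warn", "with a PKI realm, proxied requests may run as the Kibana server identity"))
    for proto in as_list(get("server.ssl.supportedProtocols", ["TLSv1.1", "TLSv1.2"])):
        if proto not in VALID_PROTOCOLS:
            out.append(("error", f"unknown protocol {proto!r}"))
        elif proto == "TLSv1":
            out.append(("warn", "TLSv1 is enabled; the default list omits it"))
    if get("telemetry.optIn") is False and get("telemetry.allowChangingOptInStatus") is False:
        out.append(("error", "telemetry.optIn and allowChangingOptInStatus are both false"))
    return out


# Constructed sample configurations (hostnames and paths are placeholders).
WEAK = """
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.keystore.path: /etc/kibana/certs/kibana.p12
server.ssl.supportedProtocols: [ "TLSv1", "TLSv1.2" ]
elasticsearch.hosts: [ "http://es01.example.internal:9200" ]
elasticsearch.ssl.verificationMode: none
telemetry.optIn: false
telemetry.allowChangingOptInStatus: false
"""
FIXED = """
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
server.ssl.supportedProtocols: [ "TLSv1.2" ]
elasticsearch.hosts: [ "https://es01.example.internal:9200" ]
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/ca.crt" ]
elasticsearch.ssl.verificationMode: full
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("FIXED", FIXED)):
        for severity, message in lint(parse_flat(text)):
            print(f"{name}: {severity}: {message}")
```
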
include::{docdir}/settings/alert-action-settings.asciidoc[]
include::{docdir}/settings/apm-settings.asciidoc[]
include::{docdir}/settings/dev-settings.asciidoc[]
include::{docdir}/settings/graph-settings.asciidoc[]
include::{docdir}/settings/infrastructure-ui-settings.asciidoc[]
include::{docdir}/settings/i18n-settings.asciidoc[]
include::{docdir}/settings/logs-ui-settings.asciidoc[]
include::{docdir}/settings/ml-settings.asciidoc[]
include::{docdir}/settings/monitoring-settings.asciidoc[]
include::{docdir}/settings/reporting-settings.asciidoc[]
include::secure-settings.asciidoc[]
include::{docdir}/settings/security-settings.asciidoc[]
include::{docdir}/settings/spaces-settings.asciidoc[]