Search Guard 7.x-40.0.0

Release Date: 22.01.2020

Signals Alerting GA

Search Guard v40 now comes with the GA version of Signals, the free Enterprise Alerting solution for Elasticsearch.

Signals Highlights:

Signals can be configured by

  • using the REST API
  • using the Kibana Signals UI

Breaking changes

Signals is enabled by default

When you start your Elasticsearch cluster with Search Guard v40 or above, Signals is enabled by default.

As long as you do not use Signals (e.g. by creating a watch), there is no performance overhead on your cluster. Signals will, however, create the indices it needs to run as soon as the cluster starts.

If you do not want to use Signals, you can disable it completely by adding the following setting to your elasticsearch.yml:

signals.enabled: false

Signals configuration indices

Like Search Guard, Signals stores all of its configuration in protected Elasticsearch indices. Upon startup, Signals creates five indices, all starting with the prefix .signals_.

Since those indices store confidential information, regular users can access them only through the REST API. To access the indices directly, use an admin TLS certificate with tools like curl or sgadmin.

The Signals configuration indices are implemented in, and behave in, the same way as the Search Guard configuration index.

Using wildcard index queries

If you use wildcard index expressions (e.g. * or _all), the expression may also match the protected configuration indices. You have two choices:

Exclude the protected Signals indices manually

Prefix each protected index pattern with a minus sign in the multi-index expression. For example:

*,-.signals*,-searchguard/_settings?pretty

Exclude the indices automatically

Search Guard can exclude both the Search Guard and the Signals configuration indices automatically from wildcard or _all requests. For backwards compatibility this feature is not enabled by default, but it will become the default in a future release.

To enable add the following line to elasticsearch.yml:

searchguard.filter_sgindex_from_all_requests: true

To disable Signals completely, including the creation of its indices, add the following line to elasticsearch.yml before starting Elasticsearch with Search Guard 40 installed:

signals.enabled: false

Configuring index names

Even though it should rarely be needed, it is possible to configure the names of the indices created by Signals. The index names Signals uses can be controlled by the following settings in elasticsearch.yml:
"<indexname>"
signals.index_names.watches_state: "<indexname>"
signals.index_names.watches_trigger_state: "<indexname>"
signals.index_names.accounts: "<indexname>"

Please note that changing index names after having started to use Signals is not supported and may lead to failing watches.
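The two passages above (excluding the protected indices from wildcard requests, and configuring custom Signals index names) can be turned into a verification step after an upgrade. The following Python script is an added example, not Search Guard's own code or API: it reads the relevant settings from elasticsearch.yml, derives the set of index patterns that must stay hidden (the searchguard index, the default .signals_ prefix and any custom names from signals.index_names.*), builds the manual exclusion expression for the first approach, and checks a _cat/indices listing taken with a regular user's credentials for protected indices that are still visible. The flat-line YAML parsing, the sample elasticsearch.yml and the sample index listing are assumptions constructed for this example.

```python
"""Audit helper for Search Guard and Signals protected indices.

Added example, not Search Guard's own code or API. Assumptions:
  * the default Signals index prefix ".signals_" and the Search Guard
    configuration index "searchguard", as named on this page;
  * custom index names appear as flat "signals.index_names.<key>: <name>"
    lines in elasticsearch.yml (a minimal line parser is used so PyYAML is
    not required; nested YAML is not handled);
  * the index listing is the JSON of GET /_cat/indices?format=json
    (a list of objects with an "index" field), fetched with a regular
    user's credentials rather than the admin certificate.
"""
import fnmatch
import json

DEFAULT_SIGNALS_PATTERN = ".signals_*"
SEARCHGUARD_INDEX = "searchguard"
FILTER_SETTING = "searchguard.filter_sgindex_from_all_requests"


def parse_flat_yaml(text):
    """Parse 'key: value' lines from elasticsearch.yml (flat keys only)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def protected_index_patterns(settings):
    """Index patterns that must never be visible to regular users: the
    Search Guard index, the default Signals indices and any custom names
    configured via signals.index_names.*."""
    patterns = {SEARCHGUARD_INDEX, DEFAULT_SIGNALS_PATTERN}
    for key, value in settings.items():
        if key.startswith("signals.index_names.") and value:
            patterns.add(value)
    return sorted(patterns)


def exclusion_expression(patterns, base="*"):
    """Multi-index expression for the manual approach: a wildcard followed
    by '-<pattern>' entries, e.g. '*,-.signals_*,-searchguard'."""
    return ",".join([base] + ["-" + p for p in patterns])


def filter_enabled(settings):
    """True if Search Guard is configured to strip the protected indices
    from wildcard and _all requests automatically."""
    return settings.get(FILTER_SETTING, "false").lower() == "true"


def exposed_protected_indices(cat_indices_json, patterns):
    """Names from a _cat/indices listing that match a protected pattern.
    A non-empty result from a regular user's session means the indices
    are at least enumerable by that user."""
    names = [entry["index"] for entry in json.loads(cat_indices_json)]
    return sorted(n for n in names
                  if any(fnmatch.fnmatchcase(n, p) for p in patterns))


def audit(elasticsearch_yml, cat_indices_json):
    """Combine the checks into one report."""
    settings = parse_flat_yaml(elasticsearch_yml)
    patterns = protected_index_patterns(settings)
    return {
        "filter_enabled": filter_enabled(settings),
        "exclusion_expression": exclusion_expression(patterns),
        "exposed": exposed_protected_indices(cat_indices_json, patterns),
    }


# Constructed sample configuration, not taken from a real cluster.
SAMPLE_ELASTICSEARCH_YML = """\
# automatic filtering left at the backwards-compatible default
searchguard.filter_sgindex_from_all_requests: false
signals.enabled: true
signals.index_names.accounts: "sg_signals_accounts"
"""

# Constructed _cat/indices?format=json response as seen by a regular user.
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "logs-2020.01"},
    {"index": ".kibana_1"},
    {"index": ".signals_watches_state"},
    {"index": "sg_signals_accounts"},
])

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ELASTICSEARCH_YML, SAMPLE_CAT_INDICES), indent=2))
```

Take the _cat/indices listing with an ordinary user's credentials, not the admin TLS certificate: the admin certificate is meant to see the protected indices, so a listing taken with it proves nothing. The exclusion expression the script prints is what you prepend to wildcard requests if you keep searchguard.filter_sgindex_from_all_requests at its default; once you set it to true, re-run the audit and expect an empty exposed list.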