Search Guard 7.x-40.0.0
Release Date: 22.01.2020
Signals Alerting GA
Search Guard v40 now comes with the GA version of Signals, the free Enterprise Alerting solution for Elasticsearch.
- Create an unlimited amount of watches
- Create datafeeds from the local or remote Elasticsearch clusters
- Create datafeeds from HTTP endpoints
- Combine and transform data by using Painless scripting
- Create conditions and severity levels to control execution of actions
- Throttle or acknowledge watches
- Create notifications via
- Write data back to the local or remote Elasticsearch clusters
- Get notified once a condition has been resolved
Signals can be configured by
- using the REST API
- using the Kibana Signals UI
Signals is enabled by default
When you start your Elasticsearch cluster with Search Guard v40 and above, Signals will be enabled by default.
As long as you do not use Signals, e.g. by creating a watch, there is no performance overhead on your cluster whatsoever. However, Signals will create corresponding indices that it needs to run.
If you do no want to use Signals, you can disable it completely by adding the following setting to your
Signals configuration indices
As Search Guard, Signals stores all configuration settings in protected Elasticsearch indices. Upon startup, Signals will create five indexes, all starting with the prefix
Since those indices store confidential information, for regular users they are only accessible by using the REST API. In order to fully access the indices, please use an Admin TLS certificate with tools like curl or sgamin.
The Signals configuration indices are implemented and behave in the same way as the Search Guard configuration index
Using wildcard index queries
If you are using wildcard queries, you have two choices:
Exclude the protected Signals indices manually
Exclude the indices automatically
Search Guard can exclude both the Search Guard and Signals configuration indices automatically from wildcard or
_all requests. For backwards compatibility this features is not enabled by default, but will become default in future.
To enable add the following line to elasticsearch.yml:
To disable Signals completely, including index creation, add the following line to
elasticsearch.yml before starting ES with Search Guard 40 installed:
Configuring index names
Even though, it should be rarely needed, it is possible to configure the names of the indexes created by Signals. The index names Signals uses can be controlled by the following settings in elasticsearch.yml:
signals.index_names.watches: "<indexname>" signals.index_names.watches_state: "<indexname>" signals.index_names.watches_trigger_state: "<indexname>" signals.index_names.accounts: "<indexname>"
Please note that changing index names after having started to use Signals is not supported and may lead to failing watches.