Version: Search Guard 5 (this is an older version of Search Guard)
Using Search Guard with X-Pack Alerting
Search Guard can be run alongside the X-Pack Alerting (Watcher) component. X-Pack Security is switched off on both Elasticsearch and Kibana, and Search Guard handles authentication and authorization for the requests Watcher makes, so who may create and run watches is controlled by a Search Guard role.
This documentation assumes that you already installed and configured Kibana and the Search Guard Kibana plugin.
Elasticsearch: Install X-Pack and enable Alerting
Install X-Pack on every node in your Elasticsearch Cluster. Please refer to the official X-Pack documentation regarding installation instructions.
In elasticsearch.yml, disable X-Pack Security and enable X-Pack Alerting:
xpack.security.enabled: false
xpack.watcher.enabled: true
...
Elasticsearch: Add the alerting user
If you're using Elasticsearch 5.5.0 with Search Guard v14 and above, you can simply map a new or existing user to the sg_alerting role. For Search Guard v12 and below, add the following role definition to sg_roles.yml, and map a user to it.
In addition to the sg_alerting role, the user should also be assigned to the sg_kibana role.
sg_alerting:
  cluster:
    - indices:data/read/scroll
    # already covered by the cluster:admin/xpack/watcher* wildcard below
    - cluster:admin/xpack/watcher/watch/put
    # all Watcher management actions (put, get, delete, activate, stats, ...)
    - cluster:admin/xpack/watcher*
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    # '?' matches exactly one character and here stands in for the leading
    # dot of the hidden indices .kibana, .watches, .watcher-history-* and
    # .triggered_watches
    '?kibana*':
      '*':
        - READ
    # Watcher's own indices: the alerting user needs full access to them
    '?watches*':
      '*':
        - INDICES_ALL
    '?watcher-history-*':
      '*':
        - INDICES_ALL
    '?triggered_watches':
      '*':
        - INDICES_ALL
    # read access to every other index in the cluster; narrow this pattern
    # to the indices your watches actually query
    '*':
      '*':
        - READ
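The page says to map a user to the sg_alerting role and also give it sg_kibana, but does not show the mapping. The following sg_roles_mapping.yml fragment is an added example, not part of the original Search Guard documentation; the user name alerting_user is assumed and is whatever account you use to manage watches from Kibana.

```yaml
# sg_roles_mapping.yml (added example; "alerting_user" is an assumed user name)
# Both mappings are needed for the same user: sg_alerting carries the Watcher
# permissions defined in sg_roles.yml above, sg_kibana carries the Kibana
# access that user needs to create and edit watches from the Kibana UI.
sg_alerting:
  users:
    - alerting_user

sg_kibana:
  users:
    - alerting_user
```

Load the changed configuration with sgadmin as for any other Search Guard configuration change. To check the result, call the Watcher stats endpoint (GET _xpack/watcher/stats) with the alerting user's credentials; it should return the Watcher state, while the same call with a user that is not mapped to sg_alerting is rejected by Search Guard with a 403 for the missing cluster:admin/xpack/watcher permission.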
Kibana: Install X-Pack
As with Elasticsearch, install X-Pack on Kibana. Please refer to the official X-Pack documentation regarding installation instructions.
Kibana: Enable X-Pack Alerting
In kibana.yml, disable X-Pack Security and enable X-Pack Alerting:
xpack.security.enabled: false
xpack.watcher.enabled: true
...