In a production environment, you should restrict access to the X-Pack reporting endpoints to authorized users. This requires that you:
- Enable X-Pack security on your Elasticsearch cluster.
- Configure an SSL certificate for Kibana.
Configure Watcher to trust the Kibana server’s certificate by adding it to the Watcher truststore on each node:
Import the Kibana server certificate into the Watcher truststore using Java Keytool:
keytool -importcert -keystore watcher-truststore.jks -file server.crt
If the truststore doesn’t already exist, it is created.
-
Make sure the
watcher.http.ssl.truststore.pathsetting inelasticsearch.ymlspecifies the location of the Watcher truststore.
- Add one or more users who have the permissions necessary to use Kibana and X-Pack reporting.
Once you’ve enabled SSL for Kibana, all requests to the X-Pack reporting endpoints
must include valid credentials. For example, the following watch submits
requests as the built-in elastic user:
PUT _xpack/watcher/watch/error_report
{
"trigger" : {
"schedule": {
"interval": "1h"
}
},
"actions" : {
"email_admin" : {
"email": {
"to": "'Recipient Name <recipient@example.com>'",
"subject": "Error Monitoring Report",
"attachments" : {
"error_report.pdf" : {
"http" : {
"content_type" : "application/pdf",
"request" : {
"method": "POST",
"scheme": "https", 
"headers": {
"kbn-xsrf": "reporting"
},
"auth": { 
"basic": {
"username": "elastic",
"password": "changeme"
}
},
"read_timeout": "300s",
"url": "https://0.0.0.0:5601/api/reporting/generate/dashboard/Error-Monitoring?_g=(time:(from:now-1d%2Fd,mode:quick,to:now))&sync"
}
}
}
}
}
}
}
}
| You must connect to the X-Pack reporting endpoints via HTTPS when SSL is enabled. |
| Provide user credentials for a user with permission to access Kibana and X-Pack reporting. For more information, see Setting up a Reporting Role. |