In a production environment, you should restrict access to the X-Pack reporting endpoints to authorized users. This requires that you:
- Enable X-Pack security on your Elasticsearch cluster.
- Configure an SSL certificate for Kibana.
Configure Watcher to trust the Kibana server’s certificate by adding it to the Watcher truststore on each node:
Import the Kibana server certificate into the Watcher truststore using Java Keytool:
keytool -importcert -keystore watcher-truststore.jks -file server.crt
If the truststore doesn’t already exist, it is created.
-
Make sure the
watcher.http.ssl.truststore.pathsetting inelasticsearch.ymlspecifies the location of the Watcher truststore.
- Add one or more users who have the permissions necessary to use Kibana and X-Pack reporting.
Once you’ve enabled SSL for Kibana, all requests to the X-Pack reporting endpoints
must include valid credentials. For example, the following watch submits
requests as the built-in elastic user:
For example, the following watch generates a report that contains the Error Monitoring dashboard and emails the report every hour:
PUT _xpack/watcher/watch/error_report
{
"trigger" : {
"schedule": {
"interval": "1h"
}
},
"actions" : {
"email_admin" : { 
"email": {
"to": "'Recipient Name <recipient@example.com>'",
"subject": "Error Monitoring Report",
"attachments" : {
"error_report.pdf" : {
"reporting" : {
"url": "http://0.0.0.0:5601/api/reporting/generate/dashboard/Error-Monitoring?_g=(time:(from:now-1d%2Fd,mode:quick,to:now))", 
"retries":6, 
"interval":"1s", 
"auth":{ 
"basic":{
"username":"elastic",
"password":"changeme"
}
}
}
}
}
}
}
}
}
| You must configure at least one email account to enable Watcher to send email. |
| This is an example Generation URL. You can copy and paste the URL for any report from the Kibana UI. |
| Optional, default is 40 |
| Optional, default is 15s |
| Provide user credentials for a user with permission to access Kibana and X-Pack reporting. |
For more information about configuring watches, see How Watcher Work.