Alerts in a cluster

Is it possible to create a cluster where each node configures rules, and when an alert is heard on a node, that alert is replicated to a master node? But I don't want alerts from other nodes, or the master's alerts, to be replicated to other nodes. I want the nodes to only communicate alerts to the master node. I'm trying to do this with Elasticsearch on premises.

Welcome to our community! :smiley:

That's not possible, as alerts are managed at a cluster level, even if only a single node actions it. Can you elaborate on why you want this?

I have a company and I wanted to install Elasticsearch on all clients, but I wanted all the Elasticsearch instances to be connected to another Elastic so that I could manage them better. But the alerts from each Elasticsearch could not mix.

Unfortunately Elasticsearch is not architected like that.

Is there any way to install a cluster where each node is a client and each node has its own alerts?

Nope.

You could use "Search across clusters | Elasticsearch Guide [8.7] | Elastic" from a single "main" cluster.

Isn't there a way that I have only one cluster?

Not really, no.

How does search across clusters solve my problem?

It won't solve it, but cross-cluster search enables you to search multiple different Elasticsearch clusters from one central Elasticsearch cluster.

There is nothing that would enable you to manage different clusters from a central cluster; it was not designed to work like this, so what you want to do is not possible.

However, if you are talking about Kibana Alerts, then you may use Spaces so each client will only see its own alerts. If you have multiple tenants (clients) you should already be using Spaces.

Kibana Alerts are per space, so if a client in space A creates an alert, it will only show up in space A.

Not sure what you are trying to implement, but I recommend that you check the Elastic license with your legal team to see if what you are trying to implement is allowed.

From what I understood, you are offering Elasticsearch as a managed service, and according to the license this is not allowed:

  • You may not provide the products to others as a managed service

If I have several Elasticsearch instances and want to connect them to a Kibana and assign a space to each Elasticsearch, will the Kibana alerts be different?

No, this is not possible. Elasticsearch was not designed to work like this; Kibana will only connect to one cluster, you can't connect Kibana to multiple clusters.

If you have multiple Elasticsearch clusters, each one of them will need a Kibana, and you will need to access each Kibana if you want to manage the cluster.

It is not possible to manage multiple clusters from a central location. You can only search on them, or replicate the data if you have a paid license, but all the management actions are done per cluster.

I'm talking about a cluster. Is it possible to connect a cluster with several nodes, assign a space per node, and have each space in Kibana show the alerts of that node?

Spaces are a Kibana feature; they were designed to help you organize your data views, dashboards, alerts etc.

The data from spaces is stored in system indices that you should not worry about; they are created and managed by Kibana, and where they are stored should not be an issue.

Also, Kibana can connect to only one node at a time, so if you have multiple clients, every one will use the same Kibana that is connected to the same Elasticsearch node. You should, however, configure the permissions of each client to access only its indices and see only its own space. You can read more about spaces in the documentation.

It is not clear what kind of alerts you are talking about. Kibana alerts are alerts created based on the data you have in your cluster; it doesn't matter in which node the data is stored.

I have a cluster with several clients and I want each client to have its own space and to only see the alerts from its node. I'm talking about the alerts that are in the Security tab.

You can. You will need to create a space for each client, and using this space your client will be able to create alerts on the data they have access to; this alert will only be present in the space where it was created.

But as I said, the node does not matter; what matters is the data the client has access to.

For example, if I have Packetbeat installed for each client and assign a space to each client, will the data I receive from Packetbeat go to that space? And how do you assign a customer to a space?

As I said, spaces are a Kibana feature; they only exist in Kibana. Your data won't go to any space; it will go into indices.

In each space you will configure the data views for the indices you want to show in that space, and in the user roles you assign the indices that the user can see and the spaces it can access.

I suggest that you read the role management documentation and the spaces documentation.

Another thing: if you are installing one Packetbeat per client, you will need to edit the name of the index that Packetbeat (or any other Beat) will use. If you use the default index name, all your clients will see all the data.

If everything goes to an index, how do I filter the client's information later?

When you create a role you specify which indices that role can access; this is explained in the role management documentation linked above.

Whether this will work for you depends on how you are organizing your data in the indices. If you have multiple clients you have basically two options:

  • Use indices per client, something like clientName-indiceName-*, then in the role for this client you give access to all indices starting with clientName-*.
  • Use document level security, but this is more complex and it is a paid feature, so it doesn't work with the basic free license.

Please read the linked documentation from the previous posts.

Also, you didn't provide any information about what kind of service you are providing to your clients and how you are providing it. I would suggest that you open a new topic if you have more questions about it. Also, check the Elastic license to see if what you are doing is allowed.
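As an added example (not code from this thread or from Elastic), the per-client index naming and role scoping described above can be checked before anything is applied: the block builds the Kibana role API body for one client and verifies, against a few constructed index names, that each client's role sees only its own indices and that the default Packetbeat index name is not covered by any client role. The client names, the `<client>-*` prefix convention and the space ids are assumptions for the example.

```python
import fnmatch

def tenant_role(client: str) -> dict:
    """Body for PUT /api/security/role/<client>_analyst on the Kibana API.

    Grants read on indices named <client>-* only, and Kibana access only
    inside the space whose id equals the client name (assumed convention).
    """
    return {
        "elasticsearch": {
            "cluster": [],
            "indices": [
                {"names": [f"{client}-*"],
                 "privileges": ["read", "view_index_metadata"]}
            ],
        },
        # One entry per space; "base": ["all"] gives full rights in that space only.
        "kibana": [{"base": ["all"], "feature": {}, "spaces": [client]}],
    }

def visible_indices(role: dict, index_names) -> list:
    """Indices whose names match any pattern granted by the role."""
    patterns = [p for grant in role["elasticsearch"]["indices"]
                for p in grant["names"]]
    return sorted(i for i in index_names
                  if any(fnmatch.fnmatchcase(i, p) for p in patterns))

def isolation_conflicts(clients, index_names) -> dict:
    """Map each index visible to more than one client to those clients."""
    seen = {}
    for client in clients:
        for idx in visible_indices(tenant_role(client), index_names):
            seen.setdefault(idx, []).append(client)
    return {idx: who for idx, who in seen.items() if len(who) > 1}

# Constructed sample: clienta and clientb run Packetbeat with a custom index
# (output.elasticsearch.index: "clienta-packetbeat-%{[agent.version]}", which
# also needs setup.template.name/pattern); clientc kept the default name.
SAMPLE_INDICES = [
    "clienta-packetbeat-8.7.0",
    "clientb-packetbeat-8.7.0",
    "packetbeat-8.7.0",  # default name: owned by no client role, so no role should grant it
]

if __name__ == "__main__":
    for c in ("clienta", "clientb"):
        print(c, visible_indices(tenant_role(c), SAMPLE_INDICES))
    print("conflicts:", isolation_conflicts(["clienta", "clientb"], SAMPLE_INDICES))
```

Note that a role granting the default `packetbeat-*` pattern would match `packetbeat-8.7.0` for every client, which is exactly the leak the earlier post warns about.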