Not able to configure Alerts in Kibana

Hi, I'm using a docker compose file for ELK setup and using the latest version (above 7) for Kibana. Now I set the xpack.encryptedSavedObjects.encryptionKey parameter in the kibana.yml so that I can use the alerts and actions feature. But even after that I'm not able to create an alert. Can anyone help me please?

PS. I generated the 32 character encryption key using the python uuid module.

Hi @Akanksha_Pandey Welcome to the community

Exactly which version of Kibana are you using? I ask because the image above is not a very recent version. The version can be found on the Stack Management home screen.

Also I assume you restarted Kibana after you made the change, and you shift reloaded the Kibana App in the browser.

Just FYI, in newer / latest versions enabling security / TLS is required to use Kibana Alerts.

It is still OK to use some of these older versions... but if you are interested in Kibana alerts a lot of new capabilities have been added since they were Beta.

The current version of the Elastic Stack is 7.13.0

Hi @stephenb Thanks for responding.

My Kibana version is 7.9.2

Yes, I restarted Kibana after making the changes and reloaded the Kibana App in the browser as well.

Please tell me what I should do / what I'm doing wrong. It's very urgent.

Can you share your kibana.yml

Just as a reminder this is a volunteer forum, so there is no guarantee of any / or a timely answer.

Sure. Here; I have removed the elasticsearch username, password and encryption key for security purposes.

In the future please don't paste screenshots as they are hard to read and cannot be searched on, and do not show up on all devices.

Plus I cannot tell if that's the whole file.

It looks correct assuming you put the encryption key back in.

Did you restart elasticsearch as well?

Sorry for the inconvenience.

Yes, I restarted Elasticsearch as well, and the encryption key was also present.

And this is the whole kibana.yml file

Hmmmm then there is something else going on as I just took a fresh 7.9.2 stack and only added this line and it came up fine. And Alerts are allowed.

xpack.encryptedSavedObjects.encryptionKey: "asdflkjs-asds-sadf-sadf-sadfasdfsadf"

Seems like perhaps your docker compose is not picking up the latest kibana.yml.

Here is my compose how I do it.

---
version: '3'
services:
  elasticsearch:
    container_name: es01
    image: docker.elastic.co/elasticsearch/elasticsearch:${TAG}
    environment: ['ES_JAVA_OPTS=-Xms2g -Xmx2g','bootstrap.memory_lock=true','discovery.type=single-node']
    ports:
      - 9200:9200
    networks:
      - elastic
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536

  kibana:
    image: docker.elastic.co/kibana/kibana:${TAG}
    container_name: kib01
    environment:
      XPACK_APM_SERVICEMAPENABLED: "true"
      XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY: aslkdjfhs-sdfsd-safd-sffd-sdfsadffsafdsdf
    ports:
      - 5601:5601
    networks:
      - elastic

networks:
  elastic:

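The poster generated the key with the uuid module and the reply above shows the two places it can live (kibana.yml or the `XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY` variable). The script below is an added example, not code from the thread or from Elastic: it generates a key from the OS CSPRNG, checks the length requirement (Kibana documents a 32 character minimum for xpack.encryptedSavedObjects.encryptionKey), and renders both the kibana.yml and compose forms. The environment-variable name is derived by upper-casing the setting and replacing dots with underscores, which is the Kibana Docker image's convention for the settings it maps; the whitespace and low-entropy checks are this example's own heuristics.

```python
"""Generate and sanity-check a Kibana encryptedSavedObjects key.

Added example for this thread (not Kibana's own code). It assumes two
documented behaviours: Kibana rejects an
xpack.encryptedSavedObjects.encryptionKey shorter than 32 characters,
and the Kibana Docker image reads a setting from an environment
variable named by upper-casing it and replacing dots with underscores.
"""
import secrets
import uuid
from typing import List

MIN_KEY_LENGTH = 32
SETTING = "xpack.encryptedSavedObjects.encryptionKey"


def setting_to_env_name(setting: str) -> str:
    """Map a kibana.yml key to the Docker image's environment-variable name."""
    return setting.replace(".", "_").upper()


def generate_encryption_key(nbytes: int = 32) -> str:
    """Random key from the OS CSPRNG: 32 bytes -> 64 hex characters."""
    return secrets.token_hex(nbytes)


def uuid_style_key() -> str:
    """What the poster did: uuid4().hex is exactly 32 hex characters
    (122 random bits). str(uuid.uuid4()) would be 36 characters including
    hyphens; both satisfy the minimum length."""
    return uuid.uuid4().hex


def validate_encryption_key(key: str) -> List[str]:
    """Return the list of problems with a key; an empty list means it is usable."""
    problems = []
    stripped = key.strip()
    if stripped != key:
        # A key like " " (the redacted placeholder in the thread) fails here
        problems.append("key has surrounding whitespace (check YAML quoting)")
    if len(stripped) < MIN_KEY_LENGTH:
        problems.append(f"key is {len(stripped)} characters, Kibana needs at least {MIN_KEY_LENGTH}")
    if stripped and len(set(stripped)) <= 3:
        # heuristic of this example: 'aaaa...' style placeholders
        problems.append("key is a low-entropy placeholder")
    return problems


def kibana_yml_line(key: str) -> str:
    """The line for kibana.yml."""
    return f'{SETTING}: "{key}"'


def compose_environment_line(key: str) -> str:
    """The line for the kibana service's `environment:` block in docker-compose."""
    return f'{setting_to_env_name(SETTING)}: "{key}"'


if __name__ == "__main__":
    key = generate_encryption_key()
    assert not validate_encryption_key(key)
    print(kibana_yml_line(key))
    print(compose_environment_line(key))
    print(validate_encryption_key(" "))  # the redacted placeholder from the thread
```

Two caveats for whichever form you use: keep the key out of version control (compose can read it from a `.env` file via `${VAR}` interpolation), and never rotate it casually, because Kibana cannot decrypt alerts and action connectors that were saved under a previous key.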
I added the encryption key in docker-compose.yaml file but it still didn't work

services:
  elasticsearch:
    build:
      context: elasticsearch/
    container_name: elasticsearch
    volumes:
      # The official image reads its configuration from
      # /usr/share/elasticsearch/config (not conf/); a file mounted
      # at any other path is silently ignored.
      - type: bind
        source: ./elasticsearch/conf/elasticsearch.yml
        target: /usr/share/elasticsearch/config/elasticsearch.yml
        read_only: true
      - type: volume
        source: elasticsearch   # named volume; must also be declared under top-level `volumes:` (not shown in the post)
        target: /usr/share/elasticsearch/data
    ports:
      - "9200:9200"
    environment:
      ES_JAVA_OPTS: "-Xmx2g -Xms2g"
      ELASTIC_PASSWORD:   # value removed in the post
      ELASTIC_USERNAME:   # value removed in the post; the image does not read this variable, the built-in superuser is `elastic`
      # Use single node discovery in order to disable production mode and avoid bootstrap checks.
      # see: https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
      discovery.type: single-node
    networks:
      - elastic
    restart: always

  logstash:
    container_name: logstash
    build:
      context: logstash/
    # command: logstash -f /conf/logstash.conf
    volumes:
      # Logstash likewise expects /usr/share/logstash/config
      - type: bind
        source: ./logstash/conf/logstash.yml
        target: /usr/share/logstash/config/logstash.yml
        read_only: true
      - type: bind
        source: ./logstash/pipeline
        target: /usr/share/logstash/pipeline
        read_only: true
    ports:
      - "5043:5043"
      - "5044:5044"
    environment:
      LS_JAVA_OPTS: "-Xmx1g -Xms1g"
    networks:
      - elastic
    depends_on:
      - elasticsearch
    restart: always

  kibana:
    build:
      context: kibana/
    container_name:   # value removed in the post
    environment:
      XPACK_APM_SERVICEMAPENABLED: "true"
      # Value removed in the post. Kibana requires at least 32 characters;
      # a placeholder such as " " will not be accepted.
      XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY: " "
    volumes:
      # Kibana reads /usr/share/kibana/config/kibana.yml
      - type: bind
        source: ./kibana/conf/kibana.yml
        target: /usr/share/kibana/config/kibana.yml
        read_only: true
    ports:
      - "5601:5601"
    networks:
      - elastic
    depends_on:
      - elasticsearch
    restart: always

Is there any other way to add the encryption key, maybe using the devtools in the Kibana app?

With your docker compose are you using start / stop or up / down?

Try bringing it down then up (you will lose your DATA).

You are doing this right... you have something else going on.

I'm using this command: docker-compose up --build

This is a production server. If I bring it down, data will be lost.

Should I try this: docker-compose stop and then start the container?

I used Ctrl-C to stop the container and started by using this command: docker-compose up --build

docker-compose down
This will destroy the containers
then wait
docker-compose up
This will re-create them.

up = Create
down = Destroy
start = Start
stop = Stop

The typical sequence is to do up

Then you can stop with a control c

Then you can use stop and start as many times as you want

Then you use down to destroy the container when you're done
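
The post above explains why `stop`/`start` differ from `up`/`down`: a stopped container keeps the environment it was created with, so a key added to the compose file after the first `up` never reaches Kibana until the container is recreated. The script below is an added example, not code from the thread or from Docker: it compares the environment Docker reports for the running container (`docker inspect kib01 --format '{{json .Config.Env}}'`) against what the compose file now declares, and reports which variables are missing or stale without printing their values. Both inputs are constructed samples; the container name `kib01`, the compose file name and the remediation command are this example's assumptions. One point worth knowing for the production-data worry raised later in the thread: `docker-compose down` without `-v`/`--volumes` does not delete named volumes, and `up --force-recreate --no-deps kibana` replaces only the Kibana container.

```python
"""Spot a Kibana container that is still running with stale settings.

Added example for this thread, not code from it. docker-compose
`stop`/`start` restart the same container with the environment it was
created with; only `up` (or `up --force-recreate`) builds a fresh
container from the current compose file. This compares what the running
container reports via
    docker inspect kib01 --format '{{json .Config.Env}}'
with what the compose file now declares. Both inputs below are
constructed samples, not real output.
"""
import json
from typing import Dict

# Constructed: what `docker inspect` might print for a container created
# before the encryption key was added to the compose file.
SAMPLE_INSPECT_ENV = json.dumps([
    "PATH=/usr/share/kibana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "ELASTIC_CONTAINER=true",
    "XPACK_APM_SERVICEMAPENABLED=true",
])

# Constructed: the kibana service's `environment:` block as it is now.
SAMPLE_COMPOSE_ENV = {
    "XPACK_APM_SERVICEMAPENABLED": "true",
    "XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY": "0123456789abcdef0123456789abcdef",
}


def parse_inspect_env(inspect_json: str) -> Dict[str, str]:
    """Turn the JSON list of NAME=value strings into a dict."""
    env = {}
    for item in json.loads(inspect_json):
        name, _, value = item.partition("=")
        env[name] = value
    return env


def compare_env(compose_env: Dict[str, str], container_env: Dict[str, str]) -> Dict[str, str]:
    """For each compose variable report ok / missing / differs.

    Values are deliberately not returned: the encryption key is a secret
    and this report may end up in a ticket or a log."""
    report = {}
    for name, wanted in compose_env.items():
        if name not in container_env:
            report[name] = "missing"
        elif container_env[name] != wanted:
            report[name] = "differs"
        else:
            report[name] = "ok"
    return report


def needs_recreate(report: Dict[str, str]) -> bool:
    """True if any declared variable is absent from or stale in the container."""
    return any(status != "ok" for status in report.values())


def recreate_command(service: str = "kibana", compose_file: str = "docker-compose.yml") -> str:
    """Replace only this service's container. --no-deps leaves Elasticsearch
    running; named volumes are untouched by `up` either way."""
    return f"docker-compose -f {compose_file} up -d --force-recreate --no-deps {service}"


if __name__ == "__main__":
    report = compare_env(SAMPLE_COMPOSE_ENV, parse_inspect_env(SAMPLE_INSPECT_ENV))
    for name, status in report.items():
        print(f"{status:8} {name}")
    if needs_recreate(report):
        print("stale container; run:", recreate_command())
```

Note that `docker inspect` itself prints the key in clear text to anyone who can reach the Docker socket (which is root-equivalent access on the host), so run the comparison on the host rather than pasting inspect output into a forum or ticket.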

How do I bring down the 3 containers (kibana, logstash, elasticsearch) using docker-compose down? And there are other containers as well running on the server. Will they also be stopped?

I don't know your entire docker architecture / infrastructure

Perhaps you need to read more about docker, I'm not a docker expert.

I use

docker-compose -f my-compose.yml [up, down,start, stop]

I can't really comment on the other containers etc if you use the -f option it should apply just that docker compose

If you want new containers you need to use down

My suspicion is that when you're just using stop and start it's not picking up the new settings because the container is already built.

Or yes, you can rebuild it I think, but the settings are not part of that, so I think just down then up should work.

@Akanksha_Pandey
BTW I was just working on another issue and for me it confirmed the settings did not get picked up unless I destroyed the container and recreated it, i.e.
docker-compose down
then
docker-compose up

@stephenb Sorry for the late response as my limit to send messages here was exceeded. I was prompted to send the message after 22 hours

Yes, you are right. That was the actual issue. I'm able to create the alert when I put the encryption key in docker-compose.yaml file instead of kibana.yml. And recreated the container using docker-compose up -d then docker-compose up --build

Thanks a lot! You saved me 🙂
