|
| 1 | +[[tls-certificate-alert]] |
| 2 | += Create a TLS certificate rule |
| 3 | + |
| 4 | +++++ |
| 5 | +<titleabbrev>TLS certificate</titleabbrev> |
| 6 | +++++ |
| 7 | + |
| 8 | +In {kib}, you can create a rule that notifies you when one or more of your monitors |
| 9 | +has a TLS certificate expiring within a specified threshold, or when it exceeds an age limit. |
| 10 | + |
| 11 | +There are two types of TLS certificate rule: |
| 12 | + |
| 13 | +* <<tls-rule-synthetics>> for use with <<monitor-uptime-synthetics,Elastic Synthetics>>. |
| 14 | +* deprecated:[8.15.0] <<tls-rule-uptime>> for use with the {uptime-app}. |
| 15 | + |
| 16 | +[discrete] |
| 17 | +[[tls-rule-synthetics]] |
| 18 | +== Synthetics TLS certificate rule |
| 19 | + |
| 20 | +Within the Synthetics UI, create a **TLS certificate** rule to receive notifications |
| 21 | +based on errors and outages. |
| 22 | + |
| 23 | +[discrete] |
| 24 | +[[tls-rule-synthetics-conditions]] |
| 25 | +=== Conditions |
| 26 | + |
| 27 | +You can specify the following thresholds for your rule: |
| 28 | + |
| 29 | +[cols="1,1"] |
| 30 | +|=== |
| 31 | +| *Expiration threshold* |
| 32 | +| The `HAS A CERTIFICATE EXPIRING WITHIN DAYS` condition specifies when you are notified |
| 33 | +about certificates that are approaching expiration dates. |
| 34 | + |
| 35 | +| *Age limit* |
| 36 | +| The `OR OLDER THAN DAYS` condition specifies when you are notified about certificates |
| 37 | +that have been valid for too long. |
| 38 | +|=== |
| 39 | + |
| 40 | +The *Rule schedule* defines how often to evaluate the condition. |
| 41 | + |
| 42 | +You can also set *Advanced options* such as the number of consecutive runs that must meet the rule conditions before |
| 43 | +an alert occurs. |
| 44 | + |
| 45 | +In this example, the conditions are met when any of the TLS certificates on sites we’re monitoring |
| 46 | +is expiring within 30 days or is older than 730 days. These conditions are evaluated every 6 hours, |
| 47 | +and you will only receive an alert when the conditions are met three times consecutively. |
| 48 | + |
| 49 | +[role="screenshot"] |
| 50 | +image::images/tls-rule-synthetics-conditions.png[Conditions and advanced options defining a Synthetics TLS certificate rule,width=600] |
| 51 | + |
| 52 | +[discrete] |
| 53 | +[[tls-rule-synthetics-action-types]] |
| 54 | +=== Action types |
| 55 | + |
| 56 | +Extend your rules by connecting them to actions that use the following supported built-in integrations. |
| 57 | + |
| 58 | +include::../shared/alerting-and-rules/alerting-connectors.asciidoc[] |
| 59 | + |
| 60 | +After you select a connector, you must set the action frequency. |
| 61 | +You can choose to create a summary of alerts on each check interval or on a custom interval. |
| 62 | +For example, send email notifications that summarize the new, ongoing, and recovered alerts each hour: |
| 63 | + |
| 64 | +[role="screenshot"] |
| 65 | +image::images/tls-rule-synthetics-action-types-summary.png[width=600] |
| 66 | + |
| 67 | +Alternatively, you can set the action frequency such that you choose how often the action runs |
| 68 | +(for example, at each check interval, only when the alert status changes, or at a custom action interval). |
| 69 | +In this case, you must also select the specific threshold condition that affects when actions run: |
| 70 | +the _Synthetics TLS certificate_ changes or when it is _Recovered_ (went from down to up). |
| 71 | + |
| 72 | +[role="screenshot"] |
| 73 | +image::images/tls-rule-synthetics-action-types-each-alert.png[width=600] |
| 74 | + |
| 75 | +You can also further refine the conditions under which actions run by specifying that actions only run |
| 76 | +when they match a KQL query or when an alert occurs within a specific time frame: |
| 77 | + |
| 78 | +* *If alert matches query*: Enter a KQL query that defines field-value pairs or query conditions that must |
| 79 | + be met for notifications to send. The query only searches alert documents in the indices specified for the rule. |
| 80 | +* *If alert is generated during timeframe*: Set timeframe details. Notifications are only sent if alerts are |
| 81 | + generated within the timeframe you define. |
| 82 | + |
| 83 | +[role="screenshot"] |
| 84 | +image::images/tls-rule-synthetics-action-types-more-options.png[width=600] |
| 85 | + |
| 86 | +[discrete] |
| 87 | +[[tls-rule-synthetics-action-variables]] |
| 88 | +==== Action variables |
| 89 | + |
| 90 | +Use the default notification message or customize it. |
| 91 | +You can add more context to the message by clicking the icon above the message text box |
| 92 | +and selecting from a list of available variables. |
| 93 | + |
| 94 | +[role="screenshot"] |
| 95 | +image::images/tls-rule-synthetics-action-variables.png[width=600] |
| 96 | + |
| 97 | +The following variables are specific to this rule type. |
| 98 | +You an also specify {kibana-ref}/rule-action-variables.html[variables common to all rules]. |
| 99 | + |
| 100 | +`context.checkedAt`:: Timestamp of the monitor run. |
| 101 | +`context.hostName`:: Hostname of the location from which the check is performed. |
| 102 | +`context.labels`:: Labels associated with the monitor. |
| 103 | +`context.lastErrorMessage`:: Monitor last error message. |
| 104 | +`context.lastErrorStack`:: Monitor last error stack trace. |
| 105 | +`context.locationId`:: Location ID from which the check is performed. |
| 106 | +`context.locationName`:: Location name from which the check is performed. |
| 107 | +`context.locationNames`:: Location names from which the checks are performed. |
| 108 | +`context.monitorType`:: Type (for example, HTTP/TCP) of the monitor. |
| 109 | +`context.monitorUrl`:: URL of the monitor. |
| 110 | +`context.reason`:: A concise description of the reason for the alert. |
| 111 | +`context.recoveryReason`:: A concise description of the reason for the recovery. |
| 112 | +`context.serviceName`:: Service name associated with the monitor. |
| 113 | +`context.status`:: Monitor status (for example, "down"). |
| 114 | +`context.viewInAppUrl`:: Open alert details and context in Synthetics app. |
| 115 | + |
| 116 | +[discrete] |
| 117 | +[[tls-rule-uptime]] |
| 118 | +== Uptime TLS rule |
| 119 | + |
| 120 | +deprecated[8.15.0] |
| 121 | + |
| 122 | +Within the {uptime-app}, create a **TLS certificate** rule to receive notifications |
| 123 | +based on errors and outages. |
| 124 | + |
| 125 | +[discrete] |
| 126 | +[[tls-rule-uptime-filters]] |
| 127 | +=== Filters |
| 128 | + |
| 129 | +The *Filter by* section controls the scope of the rule. |
| 130 | +The rule will only check monitors that match the filters defined in this section. |
| 131 | + |
| 132 | +[discrete] |
| 133 | +[[tls-alert-conditions]] |
| 134 | +=== Conditions |
| 135 | + |
| 136 | +You can specify the following thresholds for your rule: |
| 137 | + |
| 138 | +[cols="1,1"] |
| 139 | +|=== |
| 140 | +| *Expiration threshold* |
| 141 | +| The `HAS A CERTIFICATE EXPIRING WITHIN DAYS` threshold specifies when you are notified |
| 142 | +about certificates that are approaching expiration dates. |
| 143 | + |
| 144 | +| *Age limit* |
| 145 | +| The `OR OLDER THAN DAYS` threshold specifies when you are notified about certificates |
| 146 | +that have been valid for too long. |
| 147 | +|=== |
| 148 | + |
| 149 | +In this example, the conditions are met when any of the TLS certificates on sites we’re monitoring |
| 150 | +is expiring within 30 days or is older than 730 days. These conditions are evaluated every 6 hours, |
| 151 | +and you will only receive an alert when the conditions are met three times consecutively. |
| 152 | + |
| 153 | +[role="screenshot"] |
| 154 | +image::images/tls-rule-uptime-conditions.png[Monitor status rule] |
| 155 | + |
| 156 | +[discrete] |
| 157 | +[[action-types-certs]] |
| 158 | +=== Action types |
| 159 | + |
| 160 | +Extend your rules by connecting them to actions that use the following |
| 161 | +supported built-in integrations. Actions are {kib} services or integrations with |
| 162 | +third-party systems that run as background tasks on the {kib} server when rule conditions are met. |
| 163 | + |
| 164 | +You can configure action types on the <<configure-uptime-alert-connectors,Settings>> page. |
| 165 | + |
| 166 | +include::../shared/alerting-and-rules/alerting-connectors.asciidoc[] |
| 167 | + |
| 168 | +After you select a connector, you must set the action frequency. |
| 169 | +You can choose to create a summary of alerts on each check interval or on a custom interval. |
| 170 | +For example, send email notifications that summarize the new, ongoing, and recovered alerts each hour: |
| 171 | + |
| 172 | +[role="screenshot"] |
| 173 | +image::images/tls-rule-uptime-action-types-summary.png[width=600] |
| 174 | + |
| 175 | +Alternatively, you can set the action frequency such that you choose how often the action runs |
| 176 | +(for example, at each check interval, only when the alert status changes, or at a custom action interval). |
| 177 | +In this case, you must also select the specific threshold condition that affects when actions run: |
| 178 | +_Uptime TLS Alert_ or _Recovered_ (went from down to up). |
| 179 | + |
| 180 | +[role="screenshot"] |
| 181 | +image::images/tls-rule-uptime-action-types-each-alert.png[width=600] |
| 182 | + |
| 183 | +You can also further refine the conditions under which actions run by specifying that actions only run |
| 184 | +when they match a KQL query or when an alert occurs within a specific time frame: |
| 185 | + |
| 186 | +* *If alert matches query*: Enter a KQL query that defines field-value pairs or query conditions that must |
| 187 | + be met for notifications to send. The query only searches alert documents in the indices specified for the rule. |
| 188 | +* *If alert is generated during timeframe*: Set timeframe details. Notifications are only sent if alerts are |
| 189 | + generated within the timeframe you define. |
| 190 | + |
| 191 | +[role="screenshot"] |
| 192 | +image::images/tls-rule-uptime-action-types-more-options.png[width=600] |
| 193 | + |
| 194 | +[discrete] |
| 195 | +[[action-variables-certs]] |
| 196 | +==== Action variables |
| 197 | + |
| 198 | +Use the default notification message or customize it. |
| 199 | +You can add more context to the message by clicking the icon above the message text box |
| 200 | +and selecting from a list of available variables. |
| 201 | + |
| 202 | +[role="screenshot"] |
| 203 | +image::images/tls-rule-uptime-default-message.png[Default notification message for TLS rules with open "Add variable" popup listing available action variables,width=600] |
| 204 | + |
| 205 | +The following variables are specific to this rule type. |
| 206 | +You an also specify {kibana-ref}/rule-action-variables.html[variables common to all rules]. |
| 207 | + |
| 208 | +`context.agingCommonNameAndDate`:: The common names and expiration date/time of the detected certs. |
| 209 | +`context.agingCount`:: The number of detected certs that are becoming too old. |
| 210 | +`context.alertDetailsUrl`:: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured. |
| 211 | +`context.count`:: The number of certs detected by the alert executor. |
| 212 | +`context.currentTriggerStarted`:: Timestamp indicating when the current trigger state began, if alert is triggered. |
| 213 | +`context.expiringCommonNameAndDate`:: The common names and expiration date/time of the detected certs. |
| 214 | +`context.expiringCount`:: The number of expiring certs detected by the alert. |
| 215 | +`context.firstCheckedAt`:: Timestamp indicating when this alert first checked. |
| 216 | +`context.firstTriggeredAt`:: Timestamp indicating when the alert first triggered. |
| 217 | +`context.isTriggered`:: Flag indicating if the alert is currently triggering. |
| 218 | +`context.lastCheckedAt`:: Timestamp indicating the alert's most recent check time. |
| 219 | +`context.lastResolvedAt`:: Timestamp indicating the most recent resolution time for this alert. |
| 220 | +`context.lastTriggeredAt`:: Timestamp indicating the alert's most recent trigger time. |
0 commit comments