Elasticsearch Integration
Connect Elasticsearch to enable the AI agent to search logs and analyze data during investigations.
Capabilities
| Capability | Description |
|---|---|
| Search Logs | Query log data with filters |
| Aggregate Data | Run aggregations and analytics |
| Browse Indices | Access available indices |
Prerequisites
- Access to your Elasticsearch deployment's Kibana UI
- Permission to create API keys in Kibana
- The Elasticsearch endpoint URL (not the Kibana URL)
Setup
Go to your Elastic Cloud console and open Kibana for the deployment you want to connect.
Do not use the API keys from the Elastic Cloud console (Organization → API Keys). Those keys are for managing cloud deployments, not for accessing cluster data. You must create the API key inside Kibana.
- In Kibana, navigate to Security → API Keys
- Click Create API key
- Give it a name (e.g., autoheal-readonly)
- Under Role descriptors, paste the following JSON to grant read-only access:

```json
{
  "autoheal-read-role": {
    "cluster": ["monitor"],
    "indices": [
      {
        "names": ["*"],
        "privileges": ["read", "monitor", "view_index_metadata"],
        "allow_restricted_indices": false
      }
    ]
  }
}
```
- Click Create API key
- Copy the API key — you will only see it once
No base64 encoding is needed. Paste the API key exactly as Kibana gives it to you.
In the Elastic Cloud console, find your deployment and copy the Elasticsearch endpoint URL.
It looks like: https://my-cluster.es.us-east-1.aws.found.io:9243
Use the Elasticsearch endpoint, not the Kibana endpoint. The Kibana URL will not work.
- Go to Integrations → Elasticsearch
- Enter a name for this instance (e.g., "Production ES")
- Paste the Elasticsearch endpoint URL
- Select API Key as the authentication method
- Paste the API key from Kibana
Click Test Connection to verify, then Save.
Authentication Options
API Key (Recommended)
Create an API key inside Kibana (Security → API Keys) with the role policy shown above. Paste it directly into Autoheal — no encoding needed.
Basic Auth
Use a username and password with read access to the required indices. This is useful if your organization manages Elasticsearch credentials centrally.
Required Permissions
The API key role grants these permissions:
| Permission | Scope | Why It's Needed |
|---|---|---|
| monitor | Cluster | Test connection and check cluster health |
| read | All indices | Search and read log data |
| monitor | All indices | View index stats |
| view_index_metadata | All indices | List and browse index mappings |
To restrict access to specific indices, replace "*" in the role policy with a list of index patterns (e.g., ["logs-*", "metrics-*"]).
Example Queries
Search for errors in the application logs from the last hour
Find all 500 errors in the nginx logs
Show me logs containing "OutOfMemoryError"
Troubleshooting
Test Connection fails with 'security_exception'
This usually means the API key was created in the wrong place.
- Do not use API keys from Elastic Cloud console (Organization → API Keys) — those are for cloud management only.
- Create the API key inside Kibana → Security → API Keys for your specific deployment.
'Unable to authenticate with provided credentials'
- Verify you copied the full API key from Kibana (it's only shown once at creation time).
- Make sure you're not base64 encoding the key — paste it exactly as Kibana provided it.
- If the key was lost, create a new one in Kibana.
Using the wrong endpoint
- Use the Elasticsearch endpoint URL, not the Kibana URL.
- The Elasticsearch endpoint typically looks like https://my-cluster.es.us-east-1.aws.found.io:9243.
- The Kibana URL (containing kb.) will not work for data access.
Agent can't read indices or data
- Ensure the API key was created with the role policy that includes the read and view_index_metadata privileges.
- Check that the names field in the role covers the indices you need (use ["*"] for all indices).
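The following is an added example, not Autoheal's own code, that performs the same pre-flight checks the Test Connection step and the troubleshooting list describe: it rejects a Kibana URL, sends the key unmodified in an ApiKey header, and maps a 401 or 403 from Elasticsearch back to the hints above. The host label check (.kb. versus .es.) and the placeholder endpoint and key in the main block are assumptions based on the Elastic Cloud URL shape shown on this page.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

def validate_endpoint(url: str):
    """Return None if `url` looks like an Elasticsearch endpoint, else the problem.
    Assumption: Elastic Cloud Kibana hosts carry a '.kb.' label; data access needs the '.es.' host."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return "endpoint must be an https:// URL"
    if ".kb." in parsed.hostname:
        return "this is the Kibana URL; use the Elasticsearch endpoint instead"
    return None

def auth_header(api_key: str) -> dict:
    """Build the header as Elasticsearch expects it: 'ApiKey <key>'.
    Kibana already returns the key in this form, so it is sent without re-encoding."""
    return {"Authorization": "ApiKey " + api_key.strip()}

def classify_error(status: int, body: str) -> str:
    """Map an Elasticsearch error response to the troubleshooting hints on this page."""
    try:
        reason = json.loads(body)["error"]["reason"]
    except (ValueError, KeyError, TypeError):
        reason = body[:120]
    if status == 401:
        return "authentication failed (key incomplete, re-encoded, or created outside Kibana): " + reason
    if status == 403:
        return "authorization failed (role lacks a required privilege such as cluster 'monitor'): " + reason
    return f"HTTP {status}: {reason}"

def probe_cluster(url: str, api_key: str, timeout: float = 10.0) -> dict:
    """GET /_cluster/health, which needs the cluster 'monitor' privilege from the role above."""
    problem = validate_endpoint(url)
    if problem:
        return {"ok": False, "reason": problem}
    req = urllib.request.Request(url.rstrip("/") + "/_cluster/health", headers=auth_header(api_key))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"ok": True, "health": json.load(resp)}
    except urllib.error.HTTPError as exc:
        return {"ok": False, "reason": classify_error(exc.code, exc.read().decode("utf-8", "replace"))}

if __name__ == "__main__":
    # Constructed placeholder values; replace with your deployment's endpoint and key.
    print(probe_cluster("https://my-cluster.es.us-east-1.aws.found.io:9243", "PASTE_API_KEY_HERE"))
```

Run it with a real endpoint and key to see either the cluster health document or the classified reason for the failure.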