Credits, kudos and thanx to the guys making https://kifarunix.com/install-elk-stack-8-x-on-ubuntu/
Elasticsearch is the database and Kibana the web UI that sits in front of it. Elasticsearch exposes a REST API, reachable with curl and/or through the so-called Dev Tools console that is part of Kibana.
Yallah:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-8.x.list
apt-get update
apt-get -y install apt-transport-https openjdk-17-jre-headless elasticsearch
(Elasticsearch 8.x brings its own bundled JDK in /usr/share/elasticsearch/jdk, so the separate openjdk package is optional; it does no harm for other tooling.)
After this you should add the following to your .profile file:
PATH="/usr/share/elasticsearch/bin:/usr/share/kibana/bin:$PATH"
The installation of the elasticsearch package includes a post-install configuration that generates the whole TLS setup (CA, certificates and keys) for you and finishes with a printout of the password of the brand-new superuser elastic. Save this password! You can reset it (as also printed out) at any time with the command
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
Another piece of information you get from the printout is how to obtain a so-called Kibana enrollment token:
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
This token never goes into any yml config file; you need it to start the process that connects your (later installed) Kibana with your existing and running Elasticsearch instance. You will paste it into Kibana's web UI later. The token is short-lived (it expires after 30 minutes by default), so generate it when you actually need it.
The next is to enable and start elasticsearch:
systemctl enable elasticsearch
systemctl start elasticsearch
Wait some seconds and run
systemctl status elasticsearch
It should run now.
Use curl to test the access to Elasticsearch:
curl https://localhost:9200 --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic
You will be asked for the elastic password. Or, from another machine,
curl https://<yourip>:9200 --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic:<yourelasticspassword>
but be aware that a password given on the command line ends up in your shell history and is visible to other users in the process list; prefer the interactive prompt or a curl config/netrc file. You should see some JSON output with infos about your installation, version numbers etc. Do not replace --cacert with -k: the whole point of the generated http_ca.crt is that you verify you are really talking to your node.
Now you can install Kibana. Run
apt install kibana
After that, you have to tune /etc/kibana/kibana.yml. There is some stuff you will have to drop into this file, all of it about keys Kibana uses to encrypt data it stores (saved objects, reports, sessions). Generate them with
/usr/share/kibana/bin/kibana-encryption-keys generate
You will get something like this:
xpack.encryptedSavedObjects.encryptionKey: <key>
xpack.reporting.encryptionKey: <anotherkey>
xpack.security.encryptionKey: <andanotherone>
Put these three lines into kibana.yml. Pick them once and keep them: if xpack.encryptedSavedObjects.encryptionKey changes later, everything already encrypted with the old one (stored credentials of alerting connectors, for example) becomes unreadable. Keep the file readable only by root and the kibana group, because these keys are secrets.
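As an added example (not code from the original page and not an Elastic tool), a small POSIX shell helper that merges the generator's output into kibana.yml without ever duplicating or overwriting a key, so re-running it is harmless. The yml path as first argument and the hypothetical KIBANA_YML variable selecting the real run are assumptions:

```shell
#!/bin/sh
# Added example (not from the original page): merge the three lines printed by
# `kibana-encryption-keys generate` into kibana.yml without duplicating or
# replacing a key that is already set. Assumptions: the yml path is $1, the
# generator output arrives on stdin, and KIBANA_YML (hypothetical variable)
# selects the file for the real run at the bottom.

# has_key FILE KEY: 0 if FILE already contains a line starting with "KEY:"
has_key() {
    awk -v k="$2:" 'index($0, k) == 1 { f = 1 } END { exit (f ? 0 : 1) }' "$1"
}

# count_key FILE KEY: number of lines in FILE that set KEY (dots are literal)
count_key() {
    awk -v k="$2:" 'index($0, k) == 1 { n++ } END { print n + 0 }' "$1"
}

# merge_kibana_keys FILE < generator-output
merge_kibana_keys() {
    yml="$1"
    [ -f "$yml" ] || : > "$yml"
    # keep only the three key lines; the generator also prints instructions
    grep -E '^xpack\.(encryptedSavedObjects|reporting|security)\.encryptionKey:' |
    while IFS= read -r line; do
        key="${line%%:*}"
        if has_key "$yml" "$key"; then
            # never overwrite: changing encryptedSavedObjects.encryptionKey
            # makes everything already encrypted with the old key unreadable
            continue
        fi
        printf '%s\n' "$line" >> "$yml"
    done
    # the keys are secrets: readable by root and the kibana group only
    chmod 0640 "$yml"
}

# Real run on the Kibana host (skipped when KIBANA_YML is unset so the
# functions can simply be sourced):
if [ -n "${KIBANA_YML:-}" ]; then
    /usr/share/kibana/bin/kibana-encryption-keys generate | merge_kibana_keys "$KIBANA_YML"
fi
```

Run it as KIBANA_YML=/etc/kibana/kibana.yml sh merge-keys.sh; a second run changes nothing, and a line that tries to replace an existing key is ignored rather than applied.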
Attention!
There is no need to change any other stuff in kibana.yml at this point, whatever the official docu recommends. Especially do not change the
elasticsearch.hosts
value from http to https: the enrollment step below rewrites that setting (and the CA fingerprint settings that go with it) itself, and hand-edits made before enrollment get overwritten anyway. You may change the
server.host
from localhost to your server's external IP, but keep in mind that the not-yet-enrolled setup page is then reachable from the whole network; the six-digit code guards it, but a firewall rule until the setup is done does not hurt.
Now enable and start Kibana:
systemctl enable kibana
systemctl start kibana
Wait a minute and check kibanas status:
systemctl status kibana
Attention! This is a crucial point. This command shows you a six-digit code you need to start the process that connects Kibana to your Elasticsearch instance. systemctl status kibana needs some time before it prints this code, so be patient: it shows the basic infos immediately, the additional lines appear later:
Mar 09 11:39:33 elastica.yourdomain.tld kibana[4214]: Kibana has not been configured.
Mar 09 11:39:33 elastica.yourdomain.tld kibana[4214]: Go to http://<yourip>:5601/?code=<sixdigits> to get started.
Use the browser of your choice to access the provided address.
ATTENTION: http NOT https
Once there, you will be prompted for your Kibana enrollment token. Now run
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
You will get a fresh token (the one from the install printout has most likely expired by now). Paste it into the modal dialog in the web UI. The Kibana setup now does some magic and rewrites your original kibana.yml: elasticsearch.hosts (https now), the CA fingerprint and a service-account token Kibana created for itself. Check afterwards that your three encryption keys are still in the file.
At this point you can tune your kibana.yml
server.publicBaseUrl: "http://elastica.yourdomain.tld"
and your elasticsearch.yml
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
(the latter is an allowlist: only indices matching these patterns may be created implicitly by an indexing request, everything else has to be created explicitly; restart elasticsearch after changing it). Access to your Kibana should work now, but only via http, because some additional stuff is needed to enable https. Log in with the elastic account.
At this point you can reach Kibana on port 5601 via http but https doesn't work. To fix this, create a CSR for Kibana, a small local CA, and sign the CSR with it:
elasticsearch-certutil csr -name kibana-server -dns elastica.yourdomain.tld -days 3650
unzip /usr/share/elasticsearch/csr-bundle.zip -d /etc/kibana/
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem
openssl x509 -req -days 3650 -set_serial 01 \
-in /etc/kibana/kibana-server/kibana-server.csr \
-out /etc/kibana/kibana-server/kibana-server.crt \
-CA ca-cert.pem \
-CAkey ca-key.pem
Two things to know: openssl x509 -req does not carry the DNS name from the CSR over into the certificate unless you tell it to (OpenSSL 3: add -copy_extensions copy, or pass an -extfile containing subjectAltName=DNS:elastica.yourdomain.tld), and browsers refuse a server certificate without a subjectAltName. And ca-key.pem is the trust anchor for everything you sign with it: it is only needed for signing, so keep it out of /etc/kibana with mode 0600.
and in kibana.yml switch Kibana's https on:
server.ssl.certificate: /etc/kibana/kibana-server/kibana-server.crt
server.ssl.key: /etc/kibana/kibana-server/kibana-server.key
server.ssl.enabled: true
Make the key readable for the kibana user but nobody else (chown root:kibana, chmod 0640), change server.publicBaseUrl to https://elastica.yourdomain.tld, restart Kibana (systemctl restart kibana) and import ca-cert.pem into your browser's trust store. From now on port 5601 only speaks https; the plain http address does not answer any more.
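Added example (not the page's own commands and not an Elastic tool): a POSIX shell script that performs the same CA-and-signing procedure, but puts the DNS name into the certificate's subjectAltName via an extfile (so it works on OpenSSL 1.1.1 as well as 3.x), keeps the CA key private, and verifies chain and name afterwards. Assumed: OpenSSL 1.1.1 or newer, the CSR from elasticsearch-certutil at the path used above, and a hypothetical KIBANA_HOST variable selecting the real run.

```shell
#!/bin/sh
# Added example (not from the original page): create a local CA once, sign the
# kibana-server CSR so the certificate carries the DNS subjectAltName browsers
# insist on, and verify the result. Assumptions: OpenSSL 1.1.1 or newer; the
# CSR comes from `elasticsearch-certutil csr` (any other CSR works too); CA
# dir, CSR path, hostname and output path are passed as arguments.

# make_ca DIR: create DIR/ca-key.pem and DIR/ca-cert.pem unless they exist
make_ca() {
    cadir="$1"
    [ -f "$cadir/ca-key.pem" ] && [ -f "$cadir/ca-cert.pem" ] && return 0
    mkdir -p "$cadir"
    # umask 077: the CA key must never become group- or world-readable
    (umask 077 && openssl genrsa -out "$cadir/ca-key.pem" 2048 2>/dev/null)
    openssl req -new -x509 -nodes -days 3650 -key "$cadir/ca-key.pem" \
        -subj "/CN=Local Kibana CA" -out "$cadir/ca-cert.pem"
}

# sign_kibana_csr CADIR CSR HOST OUT
sign_kibana_csr() {
    cadir="$1"; csr="$2"; host="$3"; out="$4"
    make_ca "$cadir" || return 1
    ext="$(mktemp)"
    # `openssl x509 -req` drops extensions present in the CSR unless told
    # otherwise, so the SAN (plus a server-only profile) is supplied explicitly.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" > "$ext"
    openssl x509 -req -days 3650 -CAcreateserial \
        -in "$csr" -CA "$cadir/ca-cert.pem" -CAkey "$cadir/ca-key.pem" \
        -extfile "$ext" -out "$out" 2>/dev/null
    rc=$?
    rm -f "$ext"
    return $rc
}

# verify_kibana_cert CADIR CERT HOST: 0 if CERT chains to the CA and names HOST
verify_kibana_cert() {
    cadir="$1"; cert="$2"; host="$3"
    openssl verify -CAfile "$cadir/ca-cert.pem" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -qF "DNS:$host"
}

# Real run on the Kibana host (skipped when the hypothetical KIBANA_HOST is unset):
if [ -n "${KIBANA_HOST:-}" ]; then
    sign_kibana_csr /etc/kibana/ca /etc/kibana/kibana-server/kibana-server.csr \
        "$KIBANA_HOST" /etc/kibana/kibana-server/kibana-server.crt
    verify_kibana_cert /etc/kibana/ca /etc/kibana/kibana-server/kibana-server.crt "$KIBANA_HOST"
    # the private key generated by certutil is unencrypted: kibana reads it, nobody else
    chown root:kibana /etc/kibana/kibana-server/kibana-server.key
    chmod 0640 /etc/kibana/kibana-server/kibana-server.key
fi
```

Run it as KIBANA_HOST=elastica.yourdomain.tld sh sign-kibana.sh after the unzip step; verify_kibana_cert fails (exit 1) when the name you pass is not in the certificate, which is exactly what a browser would complain about.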