Elasticsearch + Kibana 8.1.0 on Debian 11

Credits, kudos and thanks to the people behind https://kifarunix.com/install-elk-stack-8-x-on-ubuntu/

Elasticsearch is the database and Kibana is the web UI used to access it. Elasticsearch provides a REST API, accessible via curl and/or via the so-called console that is part of Kibana.

Yallah:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-8.x.list
apt-get update
apt-get -y install apt-transport-https openjdk-17-jre-headless elasticsearch

After this you should add the following to your .profile file:

PATH="/usr/share/elasticsearch/bin:/usr/share/kibana/bin:$PATH"

The installation of the elasticsearch package includes a post-install configuration that creates the CA, certificates and keys for you and finishes by printing the password of the brand new superuser elastic. Save this password! You can change it (as also printed out) at any time with the command

/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

Another piece of information you get from the printout is how to create a so-called Kibana enrollment token:

/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

This token is never placed in any yml config file; you need it to start the process that connects your (later installed) Kibana with your existing and running Elasticsearch instance. You will paste it into Kibana's web UI later.

The next is to enable and start elasticsearch:

systemctl enable elasticsearch
systemctl start elasticsearch

Wait some seconds and run

systemctl status elasticsearch

It should run now.

Use curl to test the access to elasticsearch:

curl https://localhost:9200 --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic

You will be asked for elastic's password. Or simply do

curl https://192.168.59.23:9200 --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic:<yourelasticspassword>

You should see some output containing information about your installation, version numbers etc.
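Putting the password on the curl command line, as in the second form above, leaves it in the shell history and visible to every local user via ps. The following is an added example (not part of the original post) of the same connectivity check done with a netrc file instead, extended to query the cluster health endpoint and turn the result into an exit code. The paths for the CA certificate match the post; the netrc file location /root/.es-netrc and the sample JSON response are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check Elasticsearch over TLS without exposing the
# elastic password on the command line. Assumed netrc file content:
#   machine localhost login elastic password <yourelasticspassword>
# (create it with mode 0600).

ES_URL="${ES_URL:-https://localhost:9200}"
ES_CA="${ES_CA:-/etc/elasticsearch/certs/http_ca.crt}"   # from the post
ES_NETRC="${ES_NETRC:-/root/.es-netrc}"                   # assumption

# Extract the "status" field from a cluster-health JSON document on stdin.
# Plain sed, so the script has no jq dependency.
es_health_status() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# Map a health colour to an exit code: green/yellow are usable, anything
# else (red, empty because the request failed) is not.
es_status_ok() {
    case "$1" in
        green|yellow) return 0 ;;
        *)            return 1 ;;
    esac
}

# Query the cluster. --netrc-file keeps the password out of ps and history;
# --cacert pins the CA that the package installer generated.
es_check() {
    status=$(curl -sS --cacert "$ES_CA" --netrc-file "$ES_NETRC" \
        "$ES_URL/_cluster/health" | es_health_status)
    es_status_ok "$status"
}

# Constructed sample response, so the parsing can be exercised offline.
SAMPLE='{"cluster_name":"elasticsearch","status":"yellow","number_of_nodes":1}'
printf '%s\n' "$SAMPLE" | es_health_status   # yellow

# Only talk to a real cluster when explicitly asked to.
if [ "${1:-}" = "--live" ]; then
    if es_check; then
        echo "cluster reachable and healthy"
    else
        echo "cluster check failed" >&2
        exit 1
    fi
fi
```

Run it as `sh es-check.sh --live` on the Elasticsearch host; a single-node cluster typically reports yellow because replica shards cannot be allocated, which is why yellow counts as usable here.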

Now you can install Kibana. Run

apt install kibana

After that, you have to tune /etc/kibana/kibana.yml. There is some stuff you will have to drop into this file; it is all about encrypted communication. Generate the keys with

/usr/share/kibana/bin/kibana-encryption-keys generate

You will get something like this:

xpack.encryptedSavedObjects.encryptionKey: <key>
xpack.reporting.encryptionKey: <anotherkey>
xpack.security.encryptionKey: <andanotherone>

Put this stuff into kibana.yml.

Attention!

There is no need to change any other settings in kibana.yml as recommended in the official documentation. Especially do not change the

elasticsearch.hosts

value from http to https. But you can change the

server.host

from localhost to your server's external IP.

Now enable and start Kibana:

systemctl enable kibana
systemctl start kibana

Wait a minute and check Kibana's status:

systemctl status kibana

Attention! This is a crucial point. This command will show you a six-digit code you need to start the process that connects Kibana to your Elasticsearch instance. systemctl status kibana needs some time before it prints this code, so be patient: it shows the basic information immediately, the additional lines appear later:

Mar 09 11:39:33 elastica.yourdomain.tld kibana[4214]: Kibana has not been configured.
Mar 09 11:39:33 elastica.yourdomain.tld kibana[4214]: Go to http://<yourip>:5601/?code=<sixdigits> to get started.

Use the browser of your choice to access the provided address.

ATTENTION: http NOT https

If done, you will be prompted for your kibana enrollment token. Now run

/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

You will get the token. Paste it into the modal dialog in the web UI. Now the Kibana setup does some magic and completely rewrites your original kibana.yml.

At this point you can tune your kibana.yml

server.publicBaseUrl: "http://elastica.yourdomain.tld"

and your elasticsearch.yml

action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*

Access to your Kibana should work now, but only via http, since some additional steps are needed to enable https. Log in with the elastic account.

At this point you can reach Kibana on port 5601 via http but https doesn't work. To fix this, create a CA plus a key and certificate for Kibana (the CA files are written to the current directory):

# elasticsearch-certutil csr -name kibana-server -dns elastica.inbbradio.de -days 3650

# unzip /usr/share/elasticsearch/csr-bundle.zip -d /etc/kibana/

# openssl genrsa 2048 > ca-key.pem

# openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem

# openssl x509 -req -days 3650 -set_serial 01 \
   -in /etc/kibana/kibana-server/kibana-server.csr \
   -out /etc/kibana/kibana-server/kibana-server.crt \
   -CA ca-cert.pem \
   -CAkey ca-key.pem

and in kibana.yml switch Kibana's https on:

server.ssl.certificate: /etc/kibana/kibana-server/kibana-server.crt
server.ssl.key: /etc/kibana/kibana-server/kibana-server.key
server.ssl.enabled: true
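One caveat a practitioner will run into with the openssl x509 -req step above: on the OpenSSL 1.1.x shipped with Debian 11, signing a CSR that way does not carry the subjectAltName from the CSR into the certificate, and current browsers reject a server certificate that has no SAN. The following is an added example (not code from the post) that performs the same procedure end to end in a scratch directory, using openssl req in place of elasticsearch-certutil for the server key and CSR, passing the SAN explicitly at signing time, and verifying the result against the CA. The hostname elastica.example.test, the CA subject and the directory layout are assumptions made for this example; on a real host the resulting kibana-server.key and kibana-server.crt go under /etc/kibana/kibana-server/ as in the post.

```shell
#!/bin/sh
# Added example: private CA -> Kibana server key/CSR -> signed cert with SAN
# -> chain verification. Hostname and paths are assumptions, not from the post.
set -eu

# Build everything under $1 for Kibana host $2.
make_kibana_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Self-signed private CA. -nodes leaves the key unencrypted, as in the
    # post's own commands, so restrict the file mode instead.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Lab Kibana CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
    chmod 600 "$dir/ca-key.pem"
    # Server key and CSR (the equivalent of "elasticsearch-certutil csr").
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/kibana-server.key" -out "$dir/kibana-server.csr" 2>/dev/null
    chmod 600 "$dir/kibana-server.key"
    # Extension file handed to the signing step: this is what puts the SAN
    # into the certificate on OpenSSL 1.1.x, which ignores CSR extensions.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/san.cnf"
    openssl x509 -req -days 3650 -CAcreateserial \
        -in "$dir/kibana-server.csr" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -extfile "$dir/san.cnf" \
        -out "$dir/kibana-server.crt" 2>/dev/null
}

# Return 0 only if the certificate chains to the CA and names the host in
# its SAN; either failure is exactly what a browser would reject.
verify_kibana_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/kibana-server.crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/kibana-server.crt" -noout -text \
        | grep -q "DNS:$host" || return 1
    return 0
}

# Stand-alone demo in a temporary directory.
demo_dir=$(mktemp -d)
make_kibana_certs "$demo_dir" "elastica.example.test"
if verify_kibana_cert "$demo_dir" "elastica.example.test"; then
    echo "chain OK and SAN present: $demo_dir/kibana-server.crt"
else
    echo "verification FAILED" >&2
fi
```

After copying the key and certificate into /etc/kibana/kibana-server/ and setting the three server.ssl.* keys shown above, import ca-cert.pem into the browsers or trust stores of the people who use Kibana; ca-key.pem stays on the signing machine only.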
