Install Elasticsearch and Kibana 9.x

Published on 2025-07-22

« See All Lectures Contact Us
Install Elasticsearch and Kibana 9.x

Introduction

We will install Elasticsearch and Kibana. We will use the CA made by Elasticsearch to create privately signed TLS certs for both Elasticsearch and Kibana as per original documentation. We will use IP addresses to access both Elasticsearch and Kibana.

Source Code: Found on Github

Requirements

In the video, we used one instance of Ubuntu 24.04 running on a VM with 8GB memory. VM will run in a local private network. We install both elastic and kibana to this same server.

Steps

Step 1 - Update Ubuntu

The Ubuntu installations is brand new. We update the distribution as well as install some tools we typically use on both machinese.

apt-get update && apt dist-upgrade -y && apt-get install -y vim curl zip gnupg gpg

Step 2 - Install Elasticsearch

The Ubuntu installations needs these dependencies, so run these commands on both:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/9.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-9.x.list apt-get update; apt-get install -y apt-transport-https; apt-get install -y elasticsearch;

When installation is complete, make sure you write down the password.

Copy password for Elasticsearch

Step 3 - Configure Elasticsearch

Edit elasticsearch.yml

Go to the /etc/elasticsearch/elasticsearch.yml file. Edit the following fields:

...etc... cluster.name: {anything you want} ...etc... network.host: 0.0.0.0 ...etc...

Note: you can also replace network.host: 0.0.0.0 with the ip address of the machine you want other systems to reference.

Change ownership

chown -R elasticsearch:elasticsearch /etc/elasticsearch

Step 4 - Start Elasticsearch

Start elasticsearch with these commands:

systemctl enable elasticsearch; systemctl daemon-reload; systemctl start elasticsearch;

Confirm elasticsearch is working with this command:

curl -X GET -u elastic:<password from step 2> https://{ip address of server}:9200 --cacert /etc/elasticsearch/certs/http_ca.crt

And you should see something like this:

Confirm Elasticsearch Success

Step 5 - OPTIONAL - Change Elastic Password

You can change the password of your Elasticsearch instance with this command /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i. You can omit the -i flag if you want to autogenerate the password.

Step 6 - Install Kibana

Since Kibana uses all the same dependencies as elasticsearch, you can gert straight to installing kibana like this: apt-get install -y kibana;

Step 7 - Make Certificates for Kibana

Let's make certificates for Kibana. You will need the /usr/share/elasticsearch/bin/elasticsearch-certutil command, and the CA files for elasticsearch. Since Kibana is on the same server as the elasticsearch server, we have access to all these resources.

We must first extract the CA private key file from the /etc/elasticsearch/http.p12. To do this, you must know the password to the http.p12 file, which is stored in the Elasticsearch keystore. See a list of all keystore pairs with this command:

/usr/share/elasticsearch/bin/elasticsearch-keystore list

Elasticsearch Keystore

The xpack.security.http.ssl.keystore.secure_password is what you want. So you can see the password like this:

/usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password

Now you can extract the private key from from the http.p12 using this openssl command and make a http_ca.key (enter the password when prompted):

openssl pkcs12 -in /etc/elasticsearch/certs/http.p12 -nodes -nocerts -out /etc/elasticsearch/certs/http_ca.key

You now have the CA private key as http_ca.key. Keep http_ca.key secret and never let it leave the elasticsearch server. Or delete the http_ca.key as soon as your done with it. You can always re-create it by repeating the steps above.

Run this command to make the Kibana TLS files:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert \ --out /etc/kibana/kibana.zip \ --name kibana \ --ca-cert /etc/elasticsearch/certs/http_ca.crt \ --ca-key /etc/elasticsearch/certs/http_ca.key \ --ip {ip address of server} \ --pem; cd /etc/kibana/; unzip kibana.zip mv kibana certs cp /etc/elasticsearch/certs/http_ca.crt /etc/kibana/certs/ chown -R kibana:kibana /etc/kibana

Step 8 - Configure Kibana

Go to the /etc/kibana/kibana.yml file. Edit the following fields:

Edit Kibana.yml

server.host: 0.0.0.0 server.publicBaseUrl: "https://{ip address of server}:5601" server.ssl.enabled: true server.ssl.key: /etc/kibana/certs/kibana.key server.ssl.certificate: /etc/kibana/certs/kibana.crt server.ssl.certificateAuthorities: /etc/kibana/certs/http_ca.crt

Start Kibana

systemctl enable kibana systemctl daemon-reload systemctl start kibana systemctl status kibana

The systemctl status kibana should show something like this after a minute or so:

Kibana Waiting For Enrollment Token

I highlighted in red the URL you should visit, except replace 0.0.0.0 with the actual ip address of your machine. Remember to copy the query string part too ?code=____.

On the web page, you will be asked for an enrollment token.

Create Enrollment Token

Run this command on the Elasticsearch server: /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

Paste this token into your Kibana website and press Configure.

If you are asked for a verification code, you can run this command to get it:

/usr/share/kibana/bin/kibana-verification-code

You can now login to Kibana with the elastic user and password you established earlier.

Step 9 - Hide Service Token

Go to your /etc/kibana/kibana.yml and locate this line:

Kibana Service Token

This value should be a secret. Let's use the kibana keystore to hide it.

/usr/share/kibana/bin/kibana-keystore add elasticsearch.serviceAccountToken When prompted, paste in the service token.

Now delete the line elasticsearch.serviceAccountToken: ... from ther kibana.yml file.

Restart Kibana

systemctl restart kibana

Go back to your web browser and enjoy!