Configure Elasticsearch, Logstash and Kibana to use X-Pack and SSL

X-Pack is included in the free Basic version of Elasticsearch and you should use it. Here are my notes on how I configured Elasticsearch, Logstash and Kibana to use X-Pack and SSL on Ubuntu.

Create Certificates for SSL

I used my own private CA to create certs.

Elasticsearch certs must be placed in the Elasticsearch configuration folder (/etc/elasticsearch/). The Elasticsearch certificate common name must match ELASTICSEARCHHOST.DOMAIN.

Kibana and Logstash certs can be anywhere, but I still placed them in their config folders (/etc/logstash/, /etc/kibana/).


mkdir /etc/elasticsearch/certs
mv elasticsearch.key /etc/elasticsearch/certs/
mv elasticsearch.crt /etc/elasticsearch/certs/
cp /etc/elasticsearch/certs/
chmod 640 /etc/elasticsearch/certs/*
chown root:elasticsearch -R /etc/elasticsearch/certs


mkdir /etc/kibana/certs
mv kibana.key /etc/kibana/certs/
mv kibana.crt /etc/kibana/certs/
cp /etc/kibana/certs/
chmod 640 /etc/kibana/certs/*
chown root:kibana -R /etc/kibana/certs


mkdir /etc/logstash/certs
cp /etc/logstash/certs/
chmod 640 /etc/logstash/certs/*
chown root:logstash -R /etc/logstash/certs
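
To confirm that the files placed above fit together before starting the services, the following check verifies that the key belongs to the certificate, that the certificate chains to the CA, that it is valid for the host name, and that the key is not world-readable. It is an added example, not part of the original notes; the function name and messages are assumptions of this example, and the CA argument is whichever CA file you copied into certs/.

```sh
#!/bin/sh
# Added example, not from the original post.
# Usage: check_tls_material CERT KEY CA_CERT HOSTNAME
check_tls_material() {
    cert=$1 key=$2 ca=$3 host=$4 rc=0

    # 1. The private key must belong to the certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi

    # 2. The certificate must chain to the CA file the clients are given.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 3. The name clients connect to must match the certificate, otherwise
    #    verificationMode "full" rejects the connection. -checkhost only
    #    prints its verdict, so test the output rather than the exit code.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $cert is not valid for $host"; rc=1
    fi

    # 4. The private key must not be readable by "other" (the post uses 640).
    if [ -n "$(find "$key" -prune -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $key is readable by other users"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert matches $key, $ca and $host"
    return "$rc"
}

# Run as a script when called with the four arguments.
if [ "$#" -eq 4 ]; then check_tls_material "$@"; fi
```
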

Configure Elasticsearch to use X-Pack

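vi /etc/elasticsearch/elasticsearch.yml

"ELASTICSEARCHHOST.DOMAIN"
discovery.seed_hosts: ["ELASTICSEARCHHOST.DOMAIN"]
cluster.initial_master_nodes: ["ELASTICSEARCHHOST.DOMAIN"]
xpack.monitoring.collection.enabled: true
# The xpack.security.* setting names below are assumed from the standard X-Pack TLS settings; the CA file name under certs/ is left as given.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.key: certs/elasticsearch.key
xpack.security.transport.ssl.certificate: certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: certs/
xpack.security.http.ssl.key: certs/elasticsearch.key
xpack.security.http.ssl.certificate: certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: certs/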

systemctl start elasticsearch

Set up passwords

Set up passwords for the default users. You will need the kibana and logstash_system passwords later. You will log in to Kibana with the elastic user.

run /usr/share/elasticsearch/bin/elasticsearch-setup-passwords

Configure Kibana to use X-Pack

vi /etc/kibana/kibana.yml

"KIBANA.DOMAIN"
elasticsearch.hosts: ["https://ELASTICSEARCHHOST.DOMAIN:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: PASSWORD
server.ssl.enabled: true
server.ssl.certificate: "/etc/kibana/certs/kibana.crt"
server.ssl.key: "/etc/kibana/certs/kibana.key"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/" ]
elasticsearch.ssl.verificationMode: full

systemctl start kibana

Create users for Logstash output/indexes

Log in to Kibana and select Management in the left panel. There should now be a Security section.

Create logstash output role

  • Role name: logstash_output
  • Cluster privileges: manage_index_templates  monitor

Create role for index

  • Role name: INDEXPURPOSE_index
  • Indices: INDEXPURPOSE-*
    • Privileges: create_index write

Create user for Logstash INDEXPURPOSE index output

  • Roles: logstash_output INDEXPURPOSE_index

Configure Logstash to use X-Pack

vi /etc/logstash/logstash.yml

xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: LOGSTASH_SYSTEMPASSWORD
xpack.monitoring.elasticsearch.hosts: ["https://ELASTICSEARCHHOST.DOMAIN:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/etc/logstash/certs/"
xpack.monitoring.elasticsearch.sniffing: true
xpack.monitoring.collection.interval: 10s
xpack.monitoring.collection.pipeline.details.enabled: true

Add https and cacert to output

output {
  elasticsearch {
    hosts => ["https://ELASTICSEARCHHOST.DOMAIN:9200"]
    cacert => '/etc/logstash/certs/'
    index => "INDEXPURPOSE-%{+YYYY.MM}"
  }
}
