After enabling XPack, Kibana page not loading

Luke Lee

May 2, 2019, 3:05:51 AM
to Wazuh mailing list
Hi all, 

After I enabled Xpack on Kibana and restarted the service (systemctl), the whole Kibana dashboard cannot be loaded.

It shows the error: Kibana server is not ready yet.

Is there a way I can check the error log? 

jesus.g...@wazuh.com

May 2, 2019, 3:15:51 AM
to Wazuh mailing list

Hi Luke,

Kibana usually shows that message while it’s generating everything needed to start properly, such as the internal indices, front-end bundles, etc.

However, there is a situation where Kibana can’t start properly and it restarts endlessly.

Please, can you share your configuration files (remember to obfuscate private data)?

cat /etc/kibana/kibana.yml

Then, for the Elasticsearch node(s) your Kibana instance is pointing to:

cat /etc/elasticsearch/elasticsearch.yml

Also, show us the permissions of your Kibana directories:

ls -lh /usr/share/kibana
ls -lh /etc/kibana

That’s enough as a starting point.

Best regards,
Jesús

Luke Lee

May 2, 2019, 5:16:39 AM
to Wazuh mailing list
Hi, thanks. My Kibana can display properly. 

I realized it is one of the lines I entered in Elasticsearch.yml, "xpack.security.enabled: false", that causes the server to throw the error.

How do I install Xpack for Kibana? Is it enough to do it on Kibana, or do I need to install it for Elasticsearch and Logstash too?

Thanks 

jesus.g...@wazuh.com

May 2, 2019, 7:38:12 AM
to Wazuh mailing list

Hi Luke,

In versions 6.3 and later, X-Pack is included with the default distributions of Elastic Stack.

If you have configured Elasticsearch properly (a simple curl localhost:9200 asks for credentials), then
you must add these settings in /etc/kibana/kibana.yml:

elasticsearch.username: "elastic"
elasticsearch.password: "elasticpassword"

Then, restart Kibana.

Use the same user (elastic) when the UI asks for credentials and it should be enough.

Regards,
Jesús

Luke Lee

May 3, 2019, 12:01:45 AM
to Wazuh mailing list
Hi, I am currently using ES 6.7 and Kibana 6.7. When I tried what you mentioned, the system did not prompt me for credentials.

I remember I faced this Xpack authentication previously, but we disabled it and now I can't really recall where to enable those files. Could you help to guide me? Thanks

curl localhost:9200 >> It shows me the data but no authentication. 

jesus.g...@wazuh.com

May 3, 2019, 4:42:38 AM
to Wazuh mailing list

Hello again Luke,

From your message, I think you must configure all the security features.

1) Enable security in Elasticsearch:

# /etc/elasticsearch/elasticsearch.yml
...
xpack.security.enabled: true

2) Restart Elasticsearch and wait until it’s ready:

systemctl restart elasticsearch

3) Configure all the credentials in Elasticsearch:

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto

Alternatively, you may want to use a custom password; to do so, please use interactive instead of auto.

4) Note down at least the elastic user password from step 3.

5) Configure security in Kibana:

# /etc/kibana/kibana.yml
...
xpack.security.enabled: true
elasticsearch.username: "elastic"
elasticsearch.password: "my-password"

6) Configure security in Logstash:

# /etc/logstash/conf.d/01-wazuh.conf
...
output {
    elasticsearch {
        ...
        user => "elastic"
        password => "my-password"
    }
}

7) Restart Logstash, restart Kibana:

systemctl restart logstash
systemctl restart kibana

8) Log in to the Kibana UI using the same user (elastic).

I hope the explanation is clearer for you now; let me know if you have any doubts.

Regards,
Jesús

Luke Lee

May 6, 2019, 3:07:56 AM
to Wazuh mailing list
Hi, 

After I followed the steps, my Kibana cannot be loaded.

2. When I try to set the password in step 3, it shows me "Error : Failed to connect to elasticsearch at http://10.0.106.144:9200/_xpack/security/_authenticate?pretty".

Please advise. 

jesus.g...@wazuh.com

May 6, 2019, 3:12:32 AM
to Wazuh mailing list

Hi Luke,

The elasticsearch-setup-passwords command is mandatory so we must continue your configuration from there.

The issue you are facing is commonly caused by Elasticsearch using HTTPS while the command does not take that into account.

Please, can you add this line to /etc/elasticsearch/elasticsearch.yml?

xpack.security.http.ssl.enabled: true

Restart Elasticsearch, then try again from step 3.

Regards,
Jesús

Luke Lee

May 6, 2019, 3:25:55 AM
to Wazuh mailing list
Hi, 

Could it be that my password is wrong? Before enabling these, I was able to access Kibana.

How can I check the password or perform a reset?

jesus.g...@wazuh.com

May 6, 2019, 3:33:32 AM
to Wazuh mailing list

Hi Luke,

If you want to start it again, just add this line to /etc/elasticsearch/elasticsearch.yml:

xpack.security.enabled: false

Restart Elasticsearch, wait until it’s ready again and now delete all security information:

curl -XDELETE "localhost:9200/.security*"

Regards,
Jesús

jesus.g...@wazuh.com

May 6, 2019, 4:22:37 AM
to Wazuh mailing list

Hi Luke,

We prefer to talk using the mailing list instead of private messages; this way, the whole community can read your issues and their solutions.

From your last message I understand you finally got it solved following the provided steps. Now you are facing an issue with the Elasticsearch license; you can start a trial using the following command:

curl -X POST "localhost:9200/_license/start_trial?acknowledge=true"

You can read more about that command here: https://www.elastic.co/guide/en/elasticsearch/reference/current/start-trial.html

And here, you can read more about licenses: https://www.elastic.co/es/subscriptions

Best regards,
Jesús

Luke Lee

May 6, 2019, 9:53:57 PM
to Wazuh mailing list
Hi, 

I have followed the steps but nothing much changed. Under "Management" > "Beats" there is something new, but there is a message there: "Security is not enabled".

jesus.g...@wazuh.com

May 7, 2019, 4:06:06 AM
to Wazuh mailing list

Hello again Luke,

Please, paste your configuration files here (feel free to obfuscate credentials):

cat /etc/kibana/kibana.yml
cat /etc/elasticsearch/elasticsearch.yml

Also, it would be nice if we can check created indices for security:

curl -u elastic:elasticpassword localhost:9200/_cat/indices

Regards,
Jesús

Luke Lee

May 7, 2019, 5:19:58 AM
to Wazuh mailing list
cat /etc/kibana/kibana.yml:

server.port: 5910

server.host: "xxxxxxxxxxxx"

server.name: "xxxxxx0"

elasticsearch.hosts: ["http://xxxxxxxxxx:9200"]

elasticsearch.username: "xxxxx"
elasticsearch.password: "xxxxxxxxx"
xpack.security.enabled: true
xpack.security.encryptionKey: "ThisIsToTestTheWazuhXpackSecuirtyTesting000"

elasticsearch.requestTimeout: 30000

pid.file: /var/run/kibana/kibana.pid

logging.dest: /var/log/kibana/kibana.log

===============================================================================

cat /etc/elasticsearch/elasticsearch.yml:


cluster.name: wazuh_es

node.name: ${HOSTNAME}

path.data: /var/lib/elasticsearch

path.logs: /var/log/elasticsearch

network.host: xxxxxxxxx

http.port: 9200


Above are the configurations. 

jesus.g...@wazuh.com

May 7, 2019, 5:44:47 AM
to Wazuh mailing list

Hi Luke,

Add this line to /etc/elasticsearch/elasticsearch.yml:

xpack.security.enabled: true

Now, restart Elasticsearch and wait until it’s ready again.

Regards
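
Added example, not part of the original thread and not Wazuh or Elastic code: a small cross-check of the two files posted above, which flags the mismatch behind this exchange (Kibana configured for security while elasticsearch.yml has no xpack.security.enabled: true) plus the HTTP/HTTPS mismatch discussed earlier. The function names, finding labels and sample values are assumptions made for the illustration.

```python
# Added example: cross-check the security settings of the two files in this thread.
# Function names and finding labels are hypothetical; sample configs are constructed.
ES_YML = """cluster.name: wazuh_es
network.host: 192.0.2.10
http.port: 9200
"""
KIBANA_YML = """elasticsearch.hosts: ["http://192.0.2.10:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "<redacted>"
xpack.security.enabled: true
"""

def flat_settings(text):
    """Parse flat `key: value` lines, the only YAML form used in these files."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(es_text, kibana_text):
    """Return labels for mismatches between elasticsearch.yml and kibana.yml."""
    es, kb = flat_settings(es_text), flat_settings(kibana_text)
    findings = []
    es_secure = es.get("xpack.security.enabled", "").lower() == "true"
    es_tls = es.get("xpack.security.http.ssl.enabled", "").lower() == "true"
    kb_secure = kb.get("xpack.security.enabled", "").lower() == "true"
    has_creds = bool(kb.get("elasticsearch.username") and kb.get("elasticsearch.password"))
    hosts = kb.get("elasticsearch.hosts", "")
    if (kb_secure or has_creds) and not es_secure:
        # Kibana expects authentication, but Elasticsearch answers anyone on port 9200.
        findings.append("ES_SECURITY_OFF")
    if es_secure and not has_creds:
        findings.append("KIBANA_NO_CREDENTIALS")
    if es_tls != ("https://" in hosts):
        # One side speaks HTTPS and the other plain HTTP, so connections fail.
        findings.append("SCHEME_MISMATCH")
    if kb.get("elasticsearch.username") == "elastic":
        # Superuser in a config file; in 6.x setup-passwords also sets a "kibana" user.
        findings.append("KIBANA_USES_SUPERUSER")
    return findings

if __name__ == "__main__":
    print(audit(ES_YML, KIBANA_YML))
```

To use it on a real host, pass the contents of /etc/elasticsearch/elasticsearch.yml and /etc/kibana/kibana.yml to audit(); an empty list means the checked settings agree.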

Luke Lee

May 7, 2019, 11:54:13 PM
to Wazuh mailing list

Hi, I have enabled it but the page is showing that I'm unable to connect to ES. Sorry, there are too many places with login credentials; may I know which one I should check?


errorlogin.PNG

Jesús Ángel González

May 8, 2019, 3:06:06 AM
to Wazuh mailing list

Hi Luke,

Is Elasticsearch up?

curl -u elastic:xxxx elastic_ip:9200

Is Elasticsearch throwing any error?

cat /var/log/elasticsearch/<cluster_name>.log | grep -i -E "warn|error|critical"

Regards,
Jesús

Luke Lee

May 10, 2019, 4:01:10 AM
to Wazuh mailing list
Hi, there is only one error: 

[2019-05-10T15:52:21,953][WARN ][o.e.m.j.JvmGcMonitorService] [eta10] [gc][186666] overhead, spent [1.4s] collecting in the last [1.5s]

Jesús Ángel González

May 10, 2019, 5:55:22 AM
to Wazuh mailing list
Hi Luke,

That's a warning telling you the Java garbage collector Elasticsearch uses under the hood was briefly overloaded.

If you don't see more warnings like that, it's not a problem; otherwise, you may want to give more resources to your Elasticsearch deployment.

In any case, it's not clear if you finally got the security working or not. What about that? Are you still facing issues?

Best regards,
Jesús