lw24
April 12, 2020, 2:18pm
1
I have tried to follow the steps outlined under "Detections configuration and index privilege prerequisites".
I have modified elasticsearch.yml to be:
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: "/etc/elasticsearch/elastic-certificates.p12"
xpack.security.transport.ssl.truststore.path: "/etc/elasticsearch/elastic-certificates.p12"
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/etc/elasticsearch/http.p12"
And have edited kibana.yml to be:
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "password"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ]
xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlproglsaeface'
When I now try and connect to https://IP:5601 I get "This site can't be reached".
When I connect over https://IP:9200 I put my user and password in and get a JSON printout.
Seems as if Kibana to Elasticsearch is encrypted but Kibana to browser is not working over https properly?
rugenl
(Len Rugen)
April 12, 2020, 4:51pm
2
You would also need to configure and start Kibana, particularly this section and the server.ssl.enabled option set to True.
Check for Kibana errors and "netstat -an | grep 5601" to see if Kibana is listening on the port.
lw24
April 13, 2020, 4:07pm
3
I have added:
server.ssl.enabled: true
server.ssl.certificate: "kibana-server.p12"
server.ssl.key: "kibana-server.p12"
to kibana.yml. The cert was generated using the elasticsearch CA I previously generated.
I have tried to check if kibana is listening on 5601, but it seems kibana isn't starting.
I get the following error:
● kibana.service - Kibana
Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2020-04-13 08:55:39 PDT; 3min 43s ago
Process: 89150 ExecStart=/usr/share/kibana/bin/kibana -c /etc/kibana/kibana.yml (code=exited, status=1/FAILURE)
Main PID: 89150 (code=exited, status=1/FAILURE)
Apr 13 08:55:39 ubuntu systemd[1]: kibana.service: Service hold-off time over, scheduling r
Apr 13 08:55:39 ubuntu systemd[1]: kibana.service: Scheduled restart job, restart counter i
Apr 13 08:55:39 ubuntu systemd[1]: Stopped Kibana.
Apr 13 08:55:39 ubuntu systemd[1]: kibana.service: Start request repeated too quickly.
Apr 13 08:55:39 ubuntu systemd[1]: kibana.service: Failed with result 'exit-code'.
Apr 13 08:55:39 ubuntu systemd[1]: Failed to start Kibana.
I've tried looking in /var/log/kibana but that directory doesn't exist so don't know how best to troubleshoot from here.
Any help would be appreciated!
rugenl
(Len Rugen)
April 13, 2020, 4:09pm
4
Kibana sometimes logs to /var/log/messages or you can start it from the command line to test.
lw24
April 13, 2020, 4:27pm
5
I managed to find relevant logs with:
sudo tail -n 100 /var/log/syslog
There were a bunch of issues I remedied:
In kibana.yml I had a line "elasticsearch.url: [..." which was erroring, it needs to be elasticsearch.hosts.
I had to provide it the full path to the ssl certificate and key, and give it permissions to these, though after doing so it now starts, but errors with:
FATAL Error 0906D06C:PEM routines:PEM_read_bio:no start line
Apparently kibana can't read .p12 certs, so will need to generate ones in .pem format. Will report back on this.
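The failures worked through in this thread (the old elasticsearch.url key, certificate paths that are not full paths, files the service cannot read, and a PKCS#12 file where a PEM start line is expected) can be checked before starting the service. The following is an added example, not part of any post above and not Elastic's own tooling; the function names, the SAMPLE text and the simplified line parser are assumptions made for illustration.

```python
import os
import re
import sys

# Constructed sample: the server.ssl lines from the thread plus the old elasticsearch.url key.
SAMPLE = """\
elasticsearch.url: "https://localhost:9200"
server.ssl.enabled: true
server.ssl.certificate: "kibana-server.p12"
server.ssl.key: "kibana-server.p12"
"""
PEM_START = re.compile(rb"-----BEGIN [A-Z0-9 ]+-----")

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines as used in kibana.yml (not full YAML)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def preflight(settings):
    """Return a list of problems matching the failures seen in this thread."""
    problems = []
    if "elasticsearch.url" in settings:
        problems.append("elasticsearch.url is set; use elasticsearch.hosts")
    if settings.get("server.ssl.enabled", "").lower() != "true":
        return problems  # TLS on the Kibana listener is off, nothing more to check
    for key in ("server.ssl.certificate", "server.ssl.key"):
        path = settings.get(key)
        if not path:
            problems.append(f"{key} is not set")
        elif not os.path.isabs(path):
            problems.append(f"{key}: '{path}' is not a full path")
        elif not os.access(path, os.R_OK):  # checked for the user running this script
            problems.append(f"{key}: '{path}' is missing or not readable")
        else:
            with open(path, "rb") as fh:
                head = fh.read(4096)  # openssl output may put bag attributes first
            if not PEM_START.search(head):
                problems.append(f"{key}: '{path}' has no PEM start line (PKCS#12/DER?)")
    return problems

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for problem in preflight(parse_flat_yaml(text)):
        print("PROBLEM:", problem)
```

Run it as the account the Kibana service runs under so the readability check reflects that user's file permissions.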