Advice needed on migrating from X-pack


We've deployed an elastic cluster using the recommended template in azure ( Once created , we have 6 nodes (3 master + 3 data nodes) in a virtual network and one VM hosting kibana (this vm is public facing).

However , we want to move away from X-pack and roll out our own security measures (Using Nginx for auth for now and possibly bring in search-guard later).

To that effect , i did the below -

  • SSH'd into each VM and performed /usr/share/{elasticsearch|kibana}/bin/elasticsearch-plugin remove Xpack

After removing Xpack from both kibana/elasticsearch - i tried accessing the kibana url (xxxx:
) - but i still see a popup screen asking me for authentication (i can either login by elastic user or es_kibana user.

What is causing this popup to occur and how do i remove it?

Also , i just wanted to confirm if the process of authenticating using a reverse proxy in front of kibana would be sufficient enough for security (for a POC concept - not at scale) considerations. I will be adding search-guard on top of this later


Did you restart both elasticsearch and kibana? Adding or removing plugins requires restarting.

@Kannaj The ARM template uses monit to monitor the elasticsearch service, so you would need to stop it using monit, remove the plugin, and start again

sudo monit stop elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-plugin remove x-pack --purge
sudo monit start elasticsearch

If you're deploying Elasticsearch 6.x, you'll also need to remove bootstrap.password from the Elasticsearch keystore before restarting

/usr/share/elasticsearch/bin/elasticsearch-keystore remove bootstrap.password

To remove X-Pack from Kibana

/usr/share/kibana/bin/kibana-plugin remove x-pack
sudo service kibana restart

Instead of removing X-Pack completely, you may be interested in registering for a free basic license and applying this to the cluster. The free basic license provides a subset of the features of X-Pack

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.