Connect kibana to Elasticsearch after changes made

Hello!

My Kibana doesn't talk to Elasticsearch after changes are made in the Elasticsearch config.

Some history:
installed ELK on one host and filebeat on another one.

Started elasticsearch, started kibana, started logstash
Connected to Kibana with a browser and entered the enrollment token (automatically generated), connected with user: elastic and password, everything works.

Configured filebeat and logstash, they are able to communicate now. Filebeat sends events, logstash receives them.

To provide insecure communication between Logstash and Elasticsearch, I made changes in elasticsearch.yml. For the moment it looks like this:

elasticsearch.yml

cluster.name: my-application
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200

xpack.security.enabled: false
xpack.security.enrollment.enabled: false
xpack.security.http.ssl:
  enabled: false

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["dlx-prd-dal-search-11-p.int.sparkred.com"]

http.host: 0.0.0.0

The settings I've changed:

xpack.security.enabled: false
xpack.security.enrollment.enabled: false
xpack.security.http.ssl:
  enabled: false

They used to be true.

My kibana.yml

server.port: 5601
server.host: "0.0.0.0"

logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid

elasticsearch.hosts: ['https://10.142.77.174:9200']
elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2NjgwMzIzMzExMDU6ZVhiMVFPRFBUOUtBSGhtZkNhbjgyZw
elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1668032331523.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://10.142.77.174:9200'], ca_trusted_fingerprint: e7b4eb1476cdbd2606e2eade41373a0ce52305b3313efe082cef0676e2ada4a7}]

I believe I need to make some changes in the xpack.fleet.outputs line of kibana.yml.
Is this right? What changes should I make to give Kibana access to Elasticsearch again?

I don't care about security for now. This setup is in a testing environment, to get familiar with ELK.
Thank you for your help.

I forgot to mention: when I try to open http://IP:5601, I get the message "Kibana server is not ready yet."
In kibana.log I can see lines like this:

{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2023-02-14T15:32:11.180-06:00","message":"Unable to retrieve version information from Elasticsearch nodes. write EPROTO 47776760881024:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n","log":{"level":"ERROR","logger":"elasticsearch-service"},"process":{"pid":18927},"trace":{"id":"d23526847b6ba234f6fe7e55c64d0f73"},"transaction":{"id":"5f094a5e56756e96"}}

If you disabled all of these then you need to update Kibana to remove authentication and TLS.

Update, you mean reinstall?

No, you need to change the settings.

Yes, that was my question - which settings?

My kibana.yml is provided. Which settings should I change?

These ones, remove TLS and auth.

You mean to comment out the last 2 lines in the output? What about xpack.fleet.outputs? Do I need to change something in this line?

Yes, comment out the fleet line AND change to http, not https:

elasticsearch.hosts: ['http://10.142.77.174:9200']
..........................^
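
The mismatch resolved above, as an added example that is not part of the original thread: a small Python check that lists the kibana.yml keys left stale after the elasticsearch.yml change. The function names, the simplified YAML flattening, the defaults assumed for missing keys and the `<token>` placeholder are assumptions; the sample configs are abridged from the posts above.

```python
def flatten(text):
    """Flatten simple nested `key: value` YAML into dotted keys (not a full YAML parser)."""
    out, stack = {}, []                       # stack holds (indent, parent key)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip()[0] in "#-":
            continue                          # skip blanks, comments, list items
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                       # leave mappings we have dedented out of
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            out[path] = value.strip()
        else:
            stack.append((indent, key))       # a parent key with indented children
    return out

def check(es_yml, kibana_yml):
    """Return the kibana.yml keys that no longer match elasticsearch.yml."""
    es, kb = flatten(es_yml), flatten(kibana_yml)
    # Assumption: a missing key counts as "true" for security and "false" for HTTP TLS.
    security = es.get("xpack.security.enabled", "true").lower() == "true"
    http_tls = security and es.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    ca = "elasticsearch.ssl.certificateAuthorities"
    stale = []
    if ("https://" in kb.get("elasticsearch.hosts", "")) != http_tls:
        stale.append("elasticsearch.hosts")   # URL scheme must match the HTTP layer
    if not http_tls and ca in kb:
        stale.append(ca)                      # CA is unused once TLS is off
    if not security:                          # token auth and Fleet both need security
        stale += [k for k in ("elasticsearch.serviceAccountToken", "xpack.fleet.outputs") if k in kb]
    return stale

# Sample input abridged from the thread; <token> is a placeholder.
ES_YML = """\
xpack.security.enabled: false
xpack.security.enrollment.enabled: false
xpack.security.http.ssl:
  enabled: false
"""
KIBANA_YML = """\
elasticsearch.hosts: ['https://10.142.77.174:9200']
elasticsearch.serviceAccountToken: <token>
elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1668032331523.crt]
xpack.fleet.outputs: [{id: fleet-default-output, hosts: ['https://10.142.77.174:9200']}]
"""

if __name__ == "__main__":
    print(check(ES_YML, KIBANA_YML))
```

An `https://` URL pointed at a plaintext port is what produces the `wrong version number` line in kibana.log; the same check flags the reverse case when TLS is turned back on and the URL is still `http://`.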

OK, thnx. Will apply tomorrow and let you know.

Yes, I have access to the Kibana interface, thank you for your help.
The only question I have: what does "fleet" do?
I've commented it out - will I be able to see events (logs) in Kibana?

Hi @vassiliy.vins, apologies, I have lost track of what you are trying to accomplish.

Fleet manages Agents, and will not work without security enabled.

And yes, you can still send data to Elastic with Beats, Agents, and any other method you choose, since Elasticsearch has an HTTP(S) REST API endpoint.

I'm trying to reach a very basic setup: Filebeat on a remote host, ELK on a server, and logs from the remote host visible in Kibana. That's what I'm trying to reach.

Security is not in first place for now.

Looks like we can close this ticket, thank you for your help.

You could have just used the default setting with security enabled by default, then simply set the SSL verification to none for the beats.

You can also disable all security, which it appears you are doing; then beats will use HTTP and no authentication.

Unfortunately, it seems like you started one way and then changed.

Both are valid... by default Elastic enables security because it is a data store, so you are actually going against the grain a bit...

here is a post on how to disable security

If you want a docker compose that creates an elastic and kibana with no security I have one....

Thank you, Stephen.
My first intention was to have the default security enabled, but I ran into some problems: some parts of the environment were not able to communicate with each other.
So I started to disable security features to have at least something working and see logs in Kibana.

For me, right now it is more important to see logs in Kibana and do some filtering.

As I said, after that I will add SSL back and so on.
