How to connect elastic from public address

Hi,

I have an infrastructure of 20 servers: standalone, no LAN, only public IPs behind a firewall.
I would like to monitor them with ELK using Metricbeat & Winlogbeat.

My cluster is OK; I tested Metricbeat from a VM on the same LAN and all is OK.

Now I want to connect the non-LAN servers.

On the server I want to monitor, I put:
setup.kibana:
  host: "https://publicaddresskibana:443"

But for "output.elasticsearch:"
  hosts: ["publicadresskibanannode1:9200"]
  username: "elastic"
  password: "xxxxxxxxxxxxxxx"

With publicaddress:9200 I can't contact Elasticsearch from my server.


Network:
elasticnode1 has a private IP
elasticnode2 has a private IP
elasticnode3 has a private IP
kibananode1 has a public + a private IP, with Elasticsearch installed with all roles (data, master, ingest): false

Seems you have networking issues - if I read this right, you have TWO separate systems, the ELK stack and some other 20 servers. And the 20 servers can't reach your ELK stack to send data.

I would:

  1. You say Kibana has a public IP, but it seems that's via NAT and firewall, not on the VM/server; if it's on the server, make sure it's listening on the public IP.

  2. If it's via NAT, make sure your firewall is correctly configured, and that you can telnet to publicaddress:9200 - this is not really an elasticsearch thing but your network, firewall, NAT, etc. You must get to a point where the 20 servers can do this telnet (or cURL or whatever).

Thanks, it works
Kibana has a real public IP (no NAT).

In kibana.yml I put publicip:443
In elasticsearch.yml I put publicip:9200

Is this good practice with the Elastic Stack?
(I will allow 9200 only for monitored servers)

Not sure I understand your question but a LOT of people put their ES servers on the public Internet and get hacked instantly and all their data stolen & deleted; so don't do that :wink:

This all depends on how your 'other' servers being monitored will reach your ES system; a VPN or similar would be ideal, but if over the Internet, of course you need to limit the IP range in Security Groups and Firewalls, probably at a couple of levels to be safe, plus enable security on the ES system ASAP so the clients need a user/PW, key, etc.

You perfectly understood, and answered :slight_smile:

There is no VPN enabled, but I will restrict port 9200 to only the monitored servers.
I already enabled X-Pack security and configured passwords before anything else.

Are there other ports that Kibana and Elasticsearch listen on? (I see 9300 sometimes but I don't know what it is.)

9200 is for ES REST API for data in/out, and would need to be reachable by all clients. Protect it as much as you can.

9300 is called Transport and is for the cluster to talk internally - all nodes need to be able to reach all other nodes on this port, but it's very private and is NEVER put on the Internet or should even be reachable outside the cluster (not sure if it's used for cross-cluster replication).

Kibana is listening I believe, as a server, but you only need to expose the port 443 for your browser, and also protect it as best you can via security groups, etc. plus user/password.

There are generally no other ports, other than if you use Logstash or other tools, or maybe older JVM JMX, etc.
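One way to check the 9200/9300 split discussed in this thread, as an added example that is not code from the thread's participants or from Elastic: a small audit of a flat `elasticsearch.yml` for a node with a public and a private interface. The sample configs and the addresses 203.0.113.10 and 10.0.0.10 are constructed placeholders, and the parser assumes flat `dotted.key: value` lines.

```python
# Added example: audit which Elasticsearch listeners a config exposes publicly.
# Constructed samples; 203.0.113.10 (public) and 10.0.0.10 (private) are placeholders.
SAMPLE_EXPOSED = """\
network.host: 203.0.113.10
xpack.security.enabled: true
"""
SAMPLE_SPLIT = """\
http.host: 203.0.113.10
transport.host: 10.0.0.10
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Read 'dotted.key: value' lines (assumption: flat file, no nesting or lists)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text, public_ip):
    """Return findings for a node whose Internet-facing address is public_ip."""
    s = parse_flat_yaml(text)
    default = s.get("network.host", "_local_")    # loopback when unset
    http = s.get("http.host", default)            # REST API, port 9200
    transport = s.get("transport.host", default)  # cluster traffic, port 9300

    def exposed(bind):
        return bind in ("0.0.0.0", "::", "_global_", public_ip)

    def enabled(key):
        # Assumption: an absent key counts as off; real defaults vary by version.
        return s.get(key, "false").lower() == "true"

    findings = []
    if exposed(transport):
        findings.append("transport (9300) is bound to a public address")
    if exposed(http) and not enabled("xpack.security.enabled"):
        findings.append("REST API (9200) is public with security disabled")
    if exposed(http) and not enabled("xpack.security.http.ssl.enabled"):
        findings.append("REST API (9200) is public without TLS")
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("split", SAMPLE_SPLIT)):
        print(name, audit(cfg, "203.0.113.10"))
```

Setting only `network.host` to the public address binds both listeners there, which is why the first sample is flagged for 9300 as well as for sending Beats credentials to 9200 without TLS.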

Perfect! Thank you for your time and advice!
Have a nice day
