How to install xpack on elasticsearch hosted on docker

Please let me know how to install xpack on docker the elasticsearch version which I am using on docker is 5.6.8 .

Xpack is built in the default docker image. See

To use the x-pack features do I need to execute the yml file if not what configurations are necessary to go ahead and start using its features.

With this you should be ok for 30 days I think.

docker pull
docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node"

It does not work?

my elasticsearch is working but on kibana there is no monitoring drop downkibana

Do I need to install x-pack for all the containers which I am using suppose I am using three different logstash containers at the same time so do I need to install for all the three.

How are you starting Kibana?
Did you install x-pack on Kibana?

I'm often using the docker-compose which is documented here:

I already have a compose file running at the same time is it fine if I have two compose files as in one which I have made for my containers and the other one which is there in the documentation or should I combine the two

"error": {
"root_cause": [
"type": "security_exception",
"reason": "action [indices:data/read/search] is unauthorized for user [kibana]"
"type": "security_exception",
"reason": "action [indices:data/read/search] is unauthorized for user [kibana]"
"status": 403

This is the error which is prompted on kibana dev tools

curl ngauravls13:9200/_cat/indices
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/_cat/indices]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}}],"type":"security_exception","reason":"missing authentication token for REST request [/_cat/indices]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}},"status":401}%
This is the error when I try o fetch the indices

I have no idea of what you are doing. Could you share:

  • All the docker compose files you are using
  • All the commands you run to launch that

this is my compose file for my containers

version: '3'
restart: on-failure:3
command: logstash -f /logs1/logstash_app.conf
container_name: logstash-app
- es
- ./logstash:/logs1
- /remote/backup/logs/APT/CINT:/logs
restart: on-failure:3
command: logstash -f /logs1/logstash_fe.conf
container_name: logstash-fe
- es
- ./logstash:/logs1
- /remote/backup/logs/APT/CINT:/logs
restart: on-failure:3
command: logstash -f /logs1/logstash_httpd.conf
container_name: logstash-httpd
- es
- ./logstash:/logs1
- /remote/backup/logs/APT/CINT:/logs

    restart: on-failure:3
    container_name: kibana
        - es
        - "5601:5601"

    restart: on-failure:3
    container_name: elasticsearch
        - "9200:9200"
        - "9300:9300"


for the installation of x-pack I used this
Hey, this is not a real issue but I spent time to install and configure x-pack plugin. If you are interested I can make a PR to add this into the documentation.

Here is my doc:

Configure X-Pack
Official documentation

Into elasticsearch/Dockerfile, install xpack plugin:

RUN elasticsearch-plugin install x-pack
Into kibana/Dockerfile, install xpack plugin:

RUN kibana-plugin install x-pack
Rebuild your stack:

docker-compose up -d --build
Generate passwords:

docker exec -it elk_elasticsearch_1 bin/x-pack/setup-passwords auto

Initiating the setup of reserved user elastic,kibana,logstash_system passwords.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y

Changed password for user kibana
PASSWORD kibana = #jLOV$W+!oPFO^~tgw

Changed password for user logstash_system
PASSWORD logstash_system = HNn8Vi3g9i_#A9c=sX%~

Changed password for user elastic
Add credentials to kibana/config/kibana.yml:

elasticsearch.username: "kibana"
elasticsearch.password: ""
Restart Stack:

docker-compose restart
Login with elastic user at http://localhost:5601

Create a new User for logstash pipeline

Create a role and assign the index and all permissions


Configure your pipeline

output {
elasticsearch {
hosts => "elasticsearch:9200"
index => "app-%{+YYYY.MM.dd}"
user => logstash_gelf
password => "nvR9fKYKb2\yiQze5"
Restart Stack to reload the configuration:

docker-compose restart

I recommend using the Docker images made by us here at Elastic. They are more current than the ones available on Docker Hub (which are deprecated) and are available with X-Pack pre-installed.


Actually I m using version 5.6.8 of elasticsearch so the updated one which is 6.2.3 is not in the plan as of now

No problem. You could still consider using our 5.6 image though, to avoid the trouble of installing X-Pack.

docker pull

I pulled my images from here only just that i did the installation of the x-pack feature in the way as mentioned above also I have posted the errors which i m getting. There are errors 401 and 403
I am not able to get what permission problems is coming and from where is this forbidden error coming .
What I feel is logstash is not able to flow data to elasticsearch but I am not able to figure out why because when I uninstall the x-pack feature everything works fine .

It's quite difficult for us to follow exactly what you're doing.
You're posting error messages with no context about what caused them, or even which application/log file you're pulling them from.
We can provide better help if you take the time to describe exactly what you're doing, what went wrong, and what was in the relevant logs/error messages.

In this case, it looks like you have logged into Kibana as the kibana user.
That's a common mistake that new users make.

The kibana user is the user that the Kibana application uses for its own purposes when it connects to Elasticsearch. For example, it is how Kibana can tell whether your ES server is available, and whether it has security turned on. You should not log in to Kibana as that user, because it doesn't have permission to do very much (which is intentional - it has just enough access to run Kibana but no more)

You should initially login to Kibana using the elastic user. This is a superuser that can do everything.
You can use that user for everything you want to do, and always login to Kibana as elastic, but we don't recommend it. Because that user can do everything, it can make a horrible mess of your cluster if you're not careful, and one of the benefits of X-Pack security is that it can protect you from mistakes like that.

Rather, we recommend that you use the elastic user to login the first time, and then use the Kibana admin screens to create new, lower privileged users and roles that have just the permissions that you need, but nothing more. You can then safely use those users to do your work in Kibana, and you can always login as elastic if you need to make major changes.

docker exec -it elk_elasticsearch_1 bin/x-pack/setup-passwords auto

Setup-passwords is a 6.x utility. If you are running 5.6 then that command should not exist in your container.

Which specific error do you mean? You've posted a few log messages and I can't keep track of what is a current problem, versus what has been solved.

I will go step by step
for elasticsearch x-pack installation I got this
root@61da15d80409:/usr/share/elasticsearch# elasticsearch-plugin install x-pack
-> Downloading x-pack from elastic
[=================================================] 100%
@ WARNING: plugin requires additional permissions @

  • \.\pipe* read,write
  • java.lang.RuntimePermission
  • java.lang.RuntimePermission getClassLoader
  • java.lang.RuntimePermission setContextClassLoader
  • java.lang.RuntimePermission setFactory
  • * connect,accept,resolve
  • createPolicy.JavaPolicy
  • getPolicy
  • putProviderProperty.BC
  • setPolicy
  • java.util.PropertyPermission * read,write
  • setHostnameVerifier
    for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.