Hi,
I'm new to the ELK stack and currently trying to configure Kibana; however, I am encountering an error regarding some security authentication issue. This is the Kibana log showing the error:
Apr 17 16:56:52 CyberELK systemd[1]: Started Kibana.
Apr 17 16:56:59 CyberELK kibana[32897]: [2023-04-17T16:56:59.749+02:00][INFO ][node] Kibana process configured with roles: [background_tasks, ui]
Apr 17 16:57:44 CyberELK kibana[32897]: [2023-04-17T16:57:44.178+02:00][INFO ][plugins-service] Plugin "cloudChat" is disabled.
Apr 17 16:57:44 CyberELK kibana[32897]: [2023-04-17T16:57:44.178+02:00][INFO ][plugins-service] Plugin "cloudExperiments" is disabled.
Apr 17 16:57:44 CyberELK kibana[32897]: [2023-04-17T16:57:44.179+02:00][INFO ][plugins-service] Plugin "cloudFullStory" is disabled.
Apr 17 16:57:44 CyberELK kibana[32897]: [2023-04-17T16:57:44.179+02:00][INFO ][plugins-service] Plugin "cloudGainsight" is disabled.
Apr 17 16:57:44 CyberELK kibana[32897]: [2023-04-17T16:57:44.202+02:00][INFO ][plugins-service] Plugin "profiling" is disabled.
Apr 17 16:57:44 CyberELK kibana[32897]: [2023-04-17T16:57:44.453+02:00][INFO ][http.server.Preboot] http server running at http://192.168.100.224:5601
Apr 17 16:57:44 CyberELK kibana[32897]: [2023-04-17T16:57:44.678+02:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [interactiveSetup]
Apr 17 16:57:44 CyberELK kibana[32897]: [2023-04-17T16:57:44.853+02:00][WARN ][config.deprecation] The default mechanism for Reporting privileges will work differentl>
Apr 17 16:57:45 CyberELK kibana[32897]: [2023-04-17T16:57:45.584+02:00][INFO ][plugins-system.standard] Setting up [132] plugins: [translations,monitoringCollection,l>
Apr 17 16:57:45 CyberELK kibana[32897]: [2023-04-17T16:57:45.654+02:00][INFO ][custom-branding-service] CustomBrandingService registering plugin: customBranding
Apr 17 16:57:45 CyberELK kibana[32897]: [2023-04-17T16:57:45.690+02:00][INFO ][plugins.taskManager] TaskManager is identified by the Kibana UUID: 0f782c99-cfc9-4d12-8>
Apr 17 16:57:46 CyberELK kibana[32897]: [2023-04-17T16:57:46.018+02:00][WARN ][plugins.security.config] Generating a random key for xpack.security.encryptionKey. To p>
Apr 17 16:57:46 CyberELK kibana[32897]: [2023-04-17T16:57:46.019+02:00][WARN ][plugins.security.config] Session cookies will be transmitted over insecure connections.>
Apr 17 16:57:46 CyberELK kibana[32897]: [2023-04-17T16:57:46.087+02:00][WARN ][plugins.security.config] Generating a random key for xpack.security.encryptionKey. To p>
Apr 17 16:57:46 CyberELK kibana[32897]: [2023-04-17T16:57:46.090+02:00][WARN ][plugins.security.config] Session cookies will be transmitted over insecure connections.>
Apr 17 16:57:46 CyberELK kibana[32897]: [2023-04-17T16:57:46.117+02:00][WARN ][plugins.encryptedSavedObjects] Saved objects encryption key is not set. This will sever>
Apr 17 16:57:46 CyberELK kibana[32897]: [2023-04-17T16:57:46.152+02:00][WARN ][plugins.actions] APIs are disabled because the Encrypted Saved Objects plugin is missin>
Apr 17 16:57:46 CyberELK kibana[32897]: [2023-04-17T16:57:46.178+02:00][INFO ][plugins.notifications] Email Service Error: Email connector not specified.
Apr 17 16:57:46 CyberELK kibana[32897]: [2023-04-17T16:57:46.488+02:00][WARN ][plugins.alerting] APIs are disabled because the Encrypted Saved Objects plugin is missi>
Apr 17 16:57:46 CyberELK kibana[32897]: [2023-04-17T16:57:46.579+02:00][WARN ][plugins.reporting.config] Generating a random key for xpack.reporting.encryptionKey. To>
Apr 17 16:57:46 CyberELK kibana[32897]: [2023-04-17T16:57:46.651+02:00][INFO ][plugins.ruleRegistry] Installing common resources shared between all indices
Apr 17 16:57:47 CyberELK kibana[32897]: [2023-04-17T16:57:47.472+02:00][INFO ][plugins.cloudSecurityPosture] Registered task successfully [Task: cloud_security_postur>
Apr 17 16:57:48 CyberELK kibana[32897]: [2023-04-17T16:57:48.621+02:00][INFO ][plugins.screenshotting.config] Chromium sandbox provides an additional layer of protect>
Apr 17 16:57:49 CyberELK kibana[32897]: [2023-04-17T16:57:49.141+02:00][INFO ][savedobjects-service] Waiting until all Elasticsearch nodes are compatible with Kibana >
Apr 17 16:57:49 CyberELK kibana[32897]: [2023-04-17T16:57:49.143+02:00][INFO ][savedobjects-service] Starting saved objects migrations
Apr 17 16:57:49 CyberELK kibana[32897]: [2023-04-17T16:57:49.290+02:00][ERROR][savedobjects-service] [.kibana] Action failed with 'security_exception
Apr 17 16:57:49 CyberELK kibana[32897]: Root causes:
Apr 17 16:57:49 CyberELK kibana[32897]: security_exception: action [indices:admin/get] is unauthorized for service account [elastic/fleet-server] on r>
Apr 17 16:57:49 CyberELK kibana[32897]: [2023-04-17T16:57:49.292+02:00][INFO ][savedobjects-service] [.kibana] INIT -> INIT. took: 89ms.
Apr 17 16:57:49 CyberELK kibana[32897]: [2023-04-17T16:57:49.299+02:00][ERROR][savedobjects-service] [.kibana_task_manager] Action failed with 'security_exception
The following is the kibana.yml configuration file:
# =================== System: Kibana Server ===================
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "192.168.100.224"
# =================== System: Kibana Server (Optional) ===================
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
# =================== System: Elasticsearch ===================
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["https://192.168.100.224:9200"]
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
#elasticsearch.username: "kibana_system"
#elasticsearch.password: "kibanapassword"
# Kibana can also authenticate to Elasticsearch via "service account tokens".
# Service account tokens are Bearer style tokens that replace the traditional username/password based configuration.
# Use this token instead of a username/password.
elasticsearch.serviceAccountToken: "BEARER_GENERATED_SERVICE_ACCOUNT_TOKEN"
# =================== System: Elasticsearch (Optional) ===================
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
#xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
# Enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: [ "/etc/elasticsearch/certs/http_ca.crt" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full
# =================== System: Logging ===================
# Set the value of this setting to off to suppress all logging output, or to debug to log everything. Defaults to 'info'
#logging.root.level: debug
# Enables you to specify a file where Kibana stores log output.
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
#  layout:
#    type: json
# Logs queries sent to Elasticsearch.
#logging.loggers:
#  - name: elasticsearch.query
#    level: debug
# Logs http responses.
#logging.loggers:
#  - name: http.server.response
#    level: debug
# Logs system usage information.
#logging.loggers:
#  - name: metrics.ops
#    level: debug
I have tried editing the roles.yml file according to some solutions I encountered while searching on the internet but nothing changed:
# The default roles file is empty as the preferred method of defining roles is
# through the API/UI. File based roles are useful in error scenarios when the
# API based roles may not be available.
admins:
  cluster:
    - all
  indices:
    - names:
        - "*"
      privileges:
        - all
      allow_restricted_indices: true
I have managed to get Elasticsearch to connect successfully with TLS, so no issue there.
But when I try to connect to Kibana in the browser through http://192.168.100.224:5601, the message "Kibana server is not ready yet." is printed.
This is the message I receive when checking the server access token using curl:
{
  "username": "elastic/fleet-server",
  "roles": [],
  "full_name": "Service account - elastic/fleet-server",
  "email": null,
  "token": {
    "type": "_service_account_index",
    "name": "token1"
  },
  "metadata": {
    "_elastic_service_account": true
  },
  "enabled": true,
  "authentication_realm": {
    "name": "_service_account",
    "type": "_service_account"
  },
  "lookup_realm": {
    "name": "_service_account",
    "type": "_service_account"
  },
  "authentication_type": "token"
}
Also, I am working on this as an internal project, so there should not be any issues related to networking or proxies etc.
I would appreciate any help pointing out anything I might be overlooking.
Thanks
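
A check for the situation shown in this post, as an added example that is not part of the original post: it cross-references the `_authenticate` response with the `security_exception` line in the Kibana log to see which identity the configured token belongs to. The names `check_token`, `denied_principals` and `EXPECTED` are hypothetical, and the expected account `elastic/kibana` is an assumption taken from Elasticsearch's built-in service accounts, not from the post.

```python
import json
import re

# Assumption: the built-in service account meant for Kibana's own connection.
EXPECTED = "elastic/kibana"

# Matches the root-cause line Elasticsearch returns for a denied action.
DENIED = re.compile(
    r"security_exception: action \[(?P<action>[^\]]+)\] is unauthorized "
    r"for (?P<kind>service account|user) \[(?P<principal>[^\]]+)\]"
)

def denied_principals(log_text):
    """Return the set of (principal, action) pairs denied in the log."""
    return {(m["principal"], m["action"]) for m in DENIED.finditer(log_text)}

def check_token(auth_json, log_text=""):
    """Compare the token's identity with the one Kibana is expected to use."""
    auth = json.loads(auth_json)
    findings = []
    principal = auth.get("username", "")
    if not auth.get("metadata", {}).get("_elastic_service_account"):
        findings.append(f"{principal!r} is not a service account")
    elif principal != EXPECTED:
        findings.append(f"token belongs to {principal!r}, Kibana needs {EXPECTED!r}")
    if not auth.get("enabled", False):
        findings.append(f"{principal!r} is disabled")
    for who, action in sorted(denied_principals(log_text)):
        if who == principal:
            findings.append(f"log confirms {who!r} was denied {action}")
    return findings

# Sample input copied from the post above (the log line is truncated there).
SAMPLE_LOG = (
    "Apr 17 16:57:49 CyberELK kibana[32897]: security_exception: action "
    "[indices:admin/get] is unauthorized for service account "
    "[elastic/fleet-server] on r>"
)
SAMPLE_AUTH = json.dumps({
    "username": "elastic/fleet-server",
    "roles": [],
    "token": {"type": "_service_account_index", "name": "token1"},
    "metadata": {"_elastic_service_account": True},
    "enabled": True,
    "authentication_type": "token",
})

if __name__ == "__main__":
    for finding in check_token(SAMPLE_AUTH, SAMPLE_LOG):
        print("FINDING:", finding)
```

Service accounts carry fixed built-in privileges, so the empty `roles` list is expected and file-based roles in roles.yml do not change what the token may do.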