WARNING: Version 4.0 of Kibana has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Using Kibana in a Production Environment
editUsing Kibana in a Production Environment
editHow you deploy Kibana largely depends on your use case. If you are the only user, you can run Kibana on your local machine and configure it to point to whatever Elasticsearch instance you want to interact with. Conversely, if you have a large number of heavy Kibana users, you might need to load balance across multiple Kibana instances that are all connected to the same Elasticsearch instance.
While Kibana isn’t terribly resource intensive, we still recommend running Kibana separate from your Elasticsearch data or master nodes. To distribute Kibana traffic across the nodes in your Elasticsearch cluster, you can run Kibana and an Elasticsearch client node on the same machine. For more information, see Load Balancing Across Multiple Elasticsearch Nodes.
Configuring Kibana to Work with Shield
editIf you are using Shield to authenticate Elasticsearch users, you need to provide
the Kibana server with credentials so it can access the .kibana
index and monitor
the cluster.
To configure credentials for the Kibana server:
-
Assign the
kibana4_server
role to a user in Shield. For more information, see Configuring a Role for the Kibana 4 Server in the Shield documentation. -
Set the
kibana_elasticsearch_username
andkibana_elasticsearch_password
properties inkibana.yml
to specify the credentials of the user you assigned thekibana4_server
role:kibana_elasticsearch_username: kibana4-user kibana_elasticsearch_password: kibana4-password
Kibana 4 users also need access to the .kibana
index so they can save and load searches, visualizations, and dashboards.
For more information, see Configuring Roles for Kibana 4 Users in the Shield documentation.
Enabling SSL
editKibana supports SSL encryption for both client requests and the requests the Kibana server sends to Elasticsearch.
To encrypt communications between the browser and the Kibana server, you configure the ssl_key_file `and `ssl_cert_file
properties in kibana.yml
:
# SSL for outgoing requests from the Kibana Server (PEM formatted) ssl_key_file: /path/to/your/server.key ssl_cert_file: /path/to/your/server.crt
If you are using Shield or a proxy that provides an HTTPS endpoint for Elasticsearch, you can configure Kibana to access Elasticsearch via HTTPS so communications between the Kibana server and Elasticsearch are encrypted.
To do this, you specify the HTTPS
protocol when you configure the Elasticsearch URL in kibana.yml
:
elasticsearch: "https://<your_elasticsearch_host>.com:9200"
If you are using a self-signed certificate for Elasticsearch, set the ca
property in
kibana.yml
to specify the location of the PEM file. Setting the ca
property lets you leave the verify_ssl
option enabled.
# If you need to provide a CA certificate for your Elasticsarech instance, put # the path of the pem file here. ca: /path/to/your/ca/cacert.pem
Controlling access
editYou can use Elasticsearch Shield (Shield) to control what Elasticsearch data users can access through Kibana. Shield provides index-level access control. If a user isn’t authorized to run the query that populates a Kibana visualization, the user just sees an empty visualization.
To configure access to Kibana using Shield, you create Shield roles
for Kibana using the kibana4
default role as a starting point. For more
information, see Shield with Kibana 4[Using Shield with Kibana 4].
Load Balancing Across Multiple Elasticsearch Nodes
editIf you have multiple nodes in your Elasticsearch cluster, the easiest way to distribute Kibana requests across the nodes is to run an Elasticsearch client node on the same machine as Kibana. Elasticsearch client nodes are essentially smart load balancers that are part of the cluster. They process incoming HTTP requests, redirect operations to the other nodes in the cluster as needed, and gather and return the results. For more information, see Node in the Elasticsearch reference.
To use a local client node to load balance Kibana requests:
- Install Elasticsearch on the same machine as Kibana.
-
Configure the node as a client node. In
elasticsearch.yml
, set bothnode.data
andnode.master
tofalse
:# 3. You want this node to be neither master nor data node, but # to act as a "search load balancer" (fetching data from nodes, # aggregating results, etc.) # node.master: false node.data: false
-
Configure the client node to join your Elasticsearch cluster. In
elasticsearch.yml
, set thecluster.name
to the name of your cluster.cluster.name: "my_cluster"
-
Make sure Kibana is configured to point to your local client node. In
kibana.yml
, theelasticsearch_url
should be set tolocalhost:9200
.# The Elasticsearch instance to use for all your queries. elasticsearch_url: "http://localhost:9200"