This is Part 3 of my tutorial series on ELK on CentOS 7.

  • Part 1 - Operating System, Java and Tweaks
  • Part 2 - Elasticsearch
  • Part 3 (This Page) - Kibana
  • Part 4 - Logstash with Nginx
  • Part 5 - Filebeat
  • Part 6 - Securing and Clean Up
  • Part 7 - Extending the cluster

Next on the agenda is Kibana. It comes with its own web server, but we will hide the service behind an Nginx reverse proxy, mainly to enable a rudimentary secure setup, which the ELK stack only offers in the paid plans, but also to prepare for a cluster service.

Install Kibana

If you haven't followed part 2 of this tutorial series, you may need to import Elastic's GPG keys before adding the repository. If you've already done so, you can skip the next step. Don't worry if you do it again; no harm will be done to your server:

$ sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Now we need to create a repo-entry in /etc/yum.repos.d/. Let's change into the directory and check what's there already:

$ cd /etc/yum.repos.d/
$ ls -la

Amongst others, you should see a file called elasticsearch.repo which we created in part two. If it's not there, go back to part 2 and make sure your Elasticsearch installation is complete.

Create a new repo file:

$ sudo nano kibana.repo

Add the following content to the empty file:

[kibana-6.x]
name=Kibana repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Then install Kibana:

$ sudo yum install kibana -y

Configure Kibana to run as a daemon on startup:

$ sudo systemctl daemon-reload
$ sudo systemctl enable kibana.service

Then we start Kibana:

$ sudo systemctl start kibana.service

It may take Kibana some time to start, so give it a minute before you continue.

One Minute break.................

Now let's check if Kibana is running and listening on a network socket:

$ sudo lsof -Pni | grep kibana

You should see something like this:

node     19112        kibana   10u  IPv4 138600      0t0  TCP 127.0.0.1:37918->127.0.0.1:9200 (ESTABLISHED)
node     19112        kibana   11u  IPv4 138592      0t0  TCP 127.0.0.1:37908->127.0.0.1:9200 (ESTABLISHED)
node     19112        kibana   12u  IPv4 138611      0t0  TCP 127.0.0.1:5601 (LISTEN)
node     19112        kibana   14u  IPv4 138601      0t0  TCP 127.0.0.1:37920->127.0.0.1:9200 (ESTABLISHED)
node     19112        kibana   15u  IPv4 138602      0t0  TCP 127.0.0.1:37922->127.0.0.1:9200 (ESTABLISHED)
node     19112        kibana   16u  IPv4 138605      0t0  TCP 127.0.0.1:37924->127.0.0.1:9200 (ESTABLISHED)
node     19112        kibana   17u  IPv4 138606      0t0  TCP 127.0.0.1:37926->127.0.0.1:9200 (ESTABLISHED)
node     19112        kibana   18u  IPv4 138610      0t0  TCP 127.0.0.1:37928->127.0.0.1:9200 (ESTABLISHED)

Explanation: In line 3 you can see how Kibana is listening on localhost only. That means, right now you can't access Kibana from any other host. The other lines mean that Kibana and Elasticsearch have established a connection.
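
The same check as a reusable filter, added here as an example (it is not part of the original tutorial): it reads lsof -Pni output and prints every listening socket of the given user that is not bound to loopback. The function name and the second sample are constructed for illustration.

```shell
# Added example: flag listening sockets that are not bound to loopback.
# Live usage:  sudo lsof -Pni | exposed_listeners kibana
# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

exposed_listeners() {
    # $1 = process owner to filter on (USER column of the lsof output)
    awk -v user="$1" '
        $3 == user && $NF == "(LISTEN)" {
            addr = $(NF - 1)            # e.g. 127.0.0.1:5601 or *:5601
            host = addr
            sub(/:[0-9]+$/, "", host)   # strip the port
            if (host !~ /^127\./ && host != "[::1]")
                print addr              # reachable from other hosts
        }'
}

# Sample 1: two lines taken from the output shown above.
SAMPLE_OK='node 19112 kibana 12u IPv4 138611 0t0 TCP 127.0.0.1:5601 (LISTEN)
node 19112 kibana 10u IPv4 138600 0t0 TCP 127.0.0.1:37918->127.0.0.1:9200 (ESTABLISHED)'

# Sample 2 (constructed): Kibana bound to all interfaces.
SAMPLE_BAD='node 19112 kibana 12u IPv4 138611 0t0 TCP *:5601 (LISTEN)'

printf '%s\n' "$SAMPLE_OK"  | exposed_listeners kibana   # prints nothing
printf '%s\n' "$SAMPLE_BAD" | exposed_listeners kibana   # prints *:5601
```

Empty output means the only way to reach Kibana from another host is through whatever you put in front of it, which is what the reverse proxy below relies on.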

Install Nginx

As mentioned earlier, we will use Nginx as a reverse proxy rather than exposing Kibana's web frontend directly.

Nginx is not part of CentOS's default repos, so we need to add the repo. This time we'll do that by installing the epel-release package:

$ sudo yum install epel-release -y

Then install Nginx:

$ sudo yum install nginx -y

Then we set the daemon to start on system boot:

$ sudo systemctl enable nginx

And then we run the server:

$ sudo systemctl start nginx

Go to the website by entering the IP in your browser:

http://[yourip]

If you see the website, you're all set.

Install httpd-tools

Before we start, you should get a domain name for the server and set it up so it points directly at the server's public IP. We want to enable HTTPS right away. Let's say you get the domain analytics.com (you won't, that one is gone); you should then create a DNS entry for elastic.analytics.com pointing at the public IP of your server.

For the rest of this tutorial, I will use elastic.analytics.com as the server's hostname, but of course you will need to change that to your actual host and domain name.

We will also need httpd-tools to set up a rudimentary username/password prompt to protect the server.

Install httpd-tools:

$ sudo yum install httpd-tools -y

Next we will create a .htpasswd file:

$ sudo htpasswd -c /etc/nginx/.htpasswd [username]

Replace [username] with the user you want to create, for example elastic. Pick a strong password if possible.

Next, we need to let Nginx know that we want to use authentication. Either create (if it's not there) or open the file /etc/nginx/conf.d/default.conf:

$ sudo nano /etc/nginx/conf.d/default.conf

If the file exists, it will be opened; otherwise it will be newly created. Remove any existing content if necessary and paste this into it:

server {
    listen *:80;
    server_name elastic.analytics.com;

    location / {
        proxy_pass http://localhost:5601;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

!! Don't forget to replace elastic.analytics.com with your real hostname !!

Explanation: The server will now listen on port 80 and pass all requests on to localhost:5601, where Kibana should be listening. It will authenticate the requests against the .htpasswd file we just created.

Save and exit. Then test the configuration and, if it is OK, restart Nginx:

$ sudo nginx -t
$ sudo systemctl restart nginx
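
nginx -t only checks syntax, so it will not notice a proxied location that has lost its authentication. The following check is an added example, not part of the original tutorial: it lists every location that uses proxy_pass without auth_basic and auth_basic_user_file in effect. The function name and the second sample config are constructed; it assumes one directive per line and no nested location blocks.

```shell
# Added example: list locations that proxy to a backend without HTTP basic
# auth in effect (set in the location itself or inherited from its server).
# Live usage:  unauthenticated_proxies < /etc/nginx/conf.d/default.conf

unauthenticated_proxies() {
    awk '
        { sub(/#.*/, "") }                               # ignore comments
        /^[ \t]*server[ \t]*[{]/ { srv_auth = 0; srv_file = 0 }
        /^[ \t]*location[ \t]/   { in_loc = 1; name = $2; proxy = 0
                                   auth = srv_auth; file = srv_file }
        /auth_basic_user_file[ \t]/ { if (in_loc) file = 1; else srv_file = 1 }
        /auth_basic[ \t]/ {                              # "off" disables auth
            on = ($2 != "off;")
            if (in_loc) auth = on; else srv_auth = on
        }
        /proxy_pass[ \t]/ && in_loc { proxy = 1 }
        /[}]/ && in_loc {                                # end of the location
            if (proxy && !(auth && file)) print name
            in_loc = 0
        }'
}

# The server block from this tutorial.
TUTORIAL_CONF='server {
    listen *:80;
    server_name elastic.analytics.com;
    location / {
        proxy_pass http://localhost:5601;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}'

# Constructed counter-example: /status switches auth off for a proxied path.
WEAK_CONF='server {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    location / {
        proxy_pass http://localhost:5601;
    }
    location /status {
        auth_basic off;
        proxy_pass http://localhost:5601;
    }
}'

printf '%s\n' "$TUTORIAL_CONF" | unauthenticated_proxies   # prints nothing
printf '%s\n' "$WEAK_CONF"     | unauthenticated_proxies   # prints /status
```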

Enable HTTPS

We will use Let's Encrypt to generate a free certificate. For this, we will use the tool certbot-nginx which is part of the epel-release repository, so installation is easy.

$ sudo yum install certbot-nginx -y

We can now obtain the certificate. Certbot will read Nginx's configuration, extract the domain and host-name, generate the required certificates and change the configuration file for you. That's nice...

Remember to use the correct hostname and domain in the command below.

$ sudo certbot --nginx -d elastic.analytics.com

Again, replace elastic.analytics.com with the correct domain and hostname.

We also should make sure the certificate will be automatically renewed:

$ sudo crontab -e

Note that this will invoke vim as the editor instead of nano, so vim keyboard shortcuts apply. Press i to start editing. Copy the following content:

15 3 * * * /usr/bin/certbot renew --quiet

Next, press ESC, then : then wq and ENTER. That should save the file.

This will check for certificate renewal every night at 3:15 am.

Finally, test the renew process:

$ sudo certbot renew --dry-run

Head over to your web browser and type in https://elastic.analytics.com to reach Kibana. (Don't forget to use your own hostname and domain.)

You should be prompted for the username and password you created earlier and then connect to Kibana via HTTPS.

Conclusion

We now have Elasticsearch and Kibana up and running. Next up is either some Kibana practice or moving on to installing Logstash.