2015-02-13 19:22:02 +01:00
[[production]]
2018-05-17 18:31:23 +02:00
== Using Kibana in a production environment
2016-10-25 03:41:32 +02:00
2018-05-17 18:31:23 +02:00
* <<configuring-kibana-shield, Using Kibana with {xpack}>>
2015-03-03 23:16:13 +01:00
* <<enabling-ssl, Enabling SSL>>
2018-05-17 18:31:23 +02:00
* <<load-balancing, Load balancing across multiple {es} nodes>>
2015-02-13 19:22:02 +01:00
How you deploy Kibana largely depends on your use case. If you are the only user,
2015-07-15 10:48:49 +02:00
you can run Kibana on your local machine and configure it to point to whatever
Elasticsearch instance you want to interact with. Conversely, if you have a large
2015-02-13 19:22:02 +01:00
number of heavy Kibana users, you might need to load balance across multiple
Kibana instances that are all connected to the same Elasticsearch instance.
2015-07-15 10:48:49 +02:00
While Kibana isn't terribly resource intensive, we still recommend running Kibana
2015-03-03 23:16:13 +01:00
separate from your Elasticsearch data or master nodes. To distribute Kibana
traffic across the nodes in your Elasticsearch cluster, you can run Kibana
and an Elasticsearch client node on the same machine. For more information, see
<<load-balancing, Load Balancing Across Multiple Elasticsearch Nodes>>.
2015-02-13 19:22:02 +01:00
2016-05-17 03:19:18 +02:00
[float]
[[configuring-kibana-shield]]
2018-05-17 18:31:23 +02:00
=== Using Kibana with {security}
2016-05-17 03:19:18 +02:00
2018-05-17 18:31:23 +02:00
You can use {stack-ov}/xpack-security.html[{security}] to control what
2016-10-23 22:29:06 +02:00
Elasticsearch data users can access through Kibana.
2018-05-17 18:31:23 +02:00
When {security} is enabled, Kibana users have to log in. They need to
2016-10-15 01:50:09 +02:00
have the `kibana_user` role as well as access to the indices they
2016-10-23 22:18:16 +02:00
will be working with in Kibana.
2016-05-17 03:19:18 +02:00
2016-10-15 01:50:09 +02:00
If a user loads a Kibana dashboard that accesses data in an index that they
are not authorized to view, they get an error that indicates the index does
2018-05-17 18:31:23 +02:00
not exist. {security} does not currently provide a way to control which
2016-05-17 03:19:18 +02:00
users can load which dashboards.
2018-05-17 18:31:23 +02:00
For information about setting up Kibana users, see
{kibana-ref}/using-kibana-with-security.html[Configuring security in Kibana].
2015-05-28 20:26:02 +02:00
2015-03-03 23:16:13 +01:00
[float]
[[enabling-ssl]]
2015-02-13 19:22:02 +01:00
=== Enabling SSL
2018-05-17 18:31:23 +02:00
Kibana supports TLS/SSL encryption for both client requests and the requests the
Kibana server sends to Elasticsearch.
2015-02-13 19:22:02 +01:00
2017-01-25 16:58:56 +01:00
To encrypt communications between the browser and the Kibana server, you configure the `server.ssl.enabled`,
`server.ssl.certificate` and `server.ssl.key` properties in `kibana.yml`:
2015-02-13 19:22:02 +01:00
2015-05-01 19:59:15 +02:00
[source,text]
2015-02-13 19:22:02 +01:00
----
# SSL for outgoing requests from the Kibana Server (PEM formatted)
2017-01-25 16:58:56 +01:00
server.ssl.enabled: true
2015-11-24 17:25:14 +01:00
server.ssl.key: /path/to/your/server.key
2017-01-25 16:58:56 +01:00
server.ssl.certificate: /path/to/your/server.crt
2015-02-13 19:22:02 +01:00
----
2018-05-17 18:31:23 +02:00
If you are using {security} or a proxy that provides an HTTPS endpoint for Elasticsearch,
2015-02-13 19:22:02 +01:00
you can configure Kibana to access Elasticsearch via HTTPS so communications between
2015-07-15 10:48:49 +02:00
the Kibana server and Elasticsearch are encrypted.
2015-02-13 19:22:02 +01:00
To do this, you specify the HTTPS
protocol when you configure the Elasticsearch URL in `kibana.yml`:
2015-05-01 19:59:15 +02:00
[source,text]
2015-02-13 19:22:02 +01:00
----
2017-01-25 16:58:56 +01:00
elasticsearch.url: "https://<your_elasticsearch_host>.com:9200"
2015-02-13 19:22:02 +01:00
----
2017-01-25 16:58:56 +01:00
If you are using a self-signed certificate for Elasticsearch, set the `certificateAuthorities` property in
`kibana.yml` to specify the location of the PEM file. Setting the `certificateAuthorities` property lets you use the
default `verificationMode` option of `full`.
2015-05-01 19:59:15 +02:00
[source,text]
2015-02-13 19:22:02 +01:00
----
2015-08-19 15:24:35 +02:00
# If you need to provide a CA certificate for your Elasticsearch instance, put
2015-02-13 19:22:02 +01:00
# the path of the pem file here.
2017-01-25 16:58:56 +01:00
elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/ca/cacert.pem" ]
2015-02-13 19:22:02 +01:00
----
2015-03-03 23:16:13 +01:00
[float]
[[load-balancing]]
=== Load Balancing Across Multiple Elasticsearch Nodes
If you have multiple nodes in your Elasticsearch cluster, the easiest way to distribute Kibana requests
2016-11-29 19:16:55 +01:00
across the nodes is to run an Elasticsearch _Coordinating only_ node on the same machine as Kibana.
Elasticsearch Coordinating only nodes are essentially smart load balancers that are part of the cluster. They
2015-07-15 10:48:49 +02:00
process incoming HTTP requests, redirect operations to the other nodes in the cluster as needed, and
gather and return the results. For more information, see
2017-06-27 19:13:42 +02:00
{ref}/modules-node.html[Node] in the Elasticsearch reference.
2015-03-03 23:16:13 +01:00
To use a local client node to load balance Kibana requests:
2015-07-15 10:48:49 +02:00
. Install Elasticsearch on the same machine as Kibana.
2016-11-29 19:16:55 +01:00
. Configure the node as a Coordinating only node. In `elasticsearch.yml`, set `node.data`, `node.master` and `node.ingest` to `false`:
2015-03-03 23:16:13 +01:00
+
--------
2016-11-29 19:16:55 +01:00
# 3. You want this node to be neither master nor data node nor ingest node, but
2015-03-03 23:16:13 +01:00
# to act as a "search load balancer" (fetching data from nodes,
# aggregating results, etc.)
#
node.master: false
node.data: false
2017-06-27 19:13:42 +02:00
node.ingest: false
2015-03-03 23:16:13 +01:00
--------
2015-07-15 10:48:49 +02:00
. Configure the client node to join your Elasticsearch cluster. In `elasticsearch.yml`, set the `cluster.name` to the
2015-03-03 23:16:13 +01:00
name of your cluster.
+
--------
cluster.name: "my_cluster"
--------
2017-02-13 23:16:19 +01:00
. Check your transport and HTTP host configs in `elasticsearch.yml` under `network.host` and `transport.host`. The `transport.host` needs to be on the network reachable to the cluster members, the `network.host` is the network for the HTTP connection for Kibana (localhost:9200 by default).
+
--------
network.host: localhost
http.port: 9200
# by default transport.host refers to network.host
transport.host: <external ip>
transport.tcp.port: 9300 - 9400
--------
2016-08-15 14:14:33 +02:00
. Make sure Kibana is configured to point to your local client node. In `kibana.yml`, the `elasticsearch.url` should be set to
2015-03-03 23:16:13 +01:00
`localhost:9200`.
+
--------
# The Elasticsearch instance to use for all your queries.
2016-08-15 14:14:33 +02:00
elasticsearch.url: "http://localhost:9200"
2015-05-18 04:31:43 +02:00
--------