Install Kibana on Linux

Install Debian with basic functions only, adding just the SSH server. Log in as root and modify /etc/network/interfaces:

auto enp8s0
iface enp8s0 inet static
  address 10.0.0.15
  netmask 255.255.0.0
  gateway 10.0.0.1
  dns-nameservers 10.0.0.1

Set the name of the machine in /etc/hostname and the IP addresses in /etc/hosts
Register it with your DNS server or add it to /etc/hosts on the host system

Update the system

apt update && apt upgrade -y
apt autoremove -y

Create another user and set the password

useradd kenny
passwd kenny

Reboot

reboot now

Log in through SSH

ssh kenny@deb11-elk-04

Become root

su -

Install vim, gpg (for importing the Elastic keyring), apt-transport-https (so apt can download over HTTPS), cifs-utils (for mounting SMB shares) and unzip. Then fetch the Elastic keyring and add the repository:

apt install -y vim gpg apt-transport-https cifs-utils unzip
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-8.x.list

Install Kibana

apt update
apt install kibana

In /etc/kibana/kibana.yml set the following (the host name and certificate file names must match the Kibana node and the certificate generated for it):

server.port: 443
server.host: "deb11-elk-13"
elasticsearch.hosts: ["https://deb11-elk-11:9200", "https://deb11-elk-12:9200" ]
server.publicBaseUrl: "https://deb11-elk-13"
# SSL config
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/deb11-elk-13_https.crt
server.ssl.key: /etc/kibana/certs/deb11-elk-13_https.key
 
# The logging settings below are the default on Linux installations (no need to modify),
# but they need to be adjusted and used in Windows setups.
# Enables you to specify a file where Kibana stores log output.
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
#  layout:
#    type: json

On one of the Elasticsearch nodes, generate an enrollment token for Kibana:

/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
 
eyJ2ZXIiOiI4LjYuMiIsImFkciI6WyIxMC42OC4xMDAuMTQ6OTIwMCJdLCJvZ3IoIoI0MzBhMWRiYWFhZGFmMjEzMjBiYzEyZTI5ZWM5NjhlOTNmZWQzMDA4YzgxMGMwYTY3NjMzOGYyZDY5NjE3OTAxIiwia2V5IjoiampEdXg0WUJtUDNfUFh6QlhVSWQ6WXJGMETtbV9ScWlqelZpMTJfckFpZyJ9

On the Kibana node configure Kibana:

/usr/share/kibana/bin/kibana-setup
? Enter enrollment token: eyJ2ZXIiOiI4LjYuMiIsImFkciI6WyIxMC42OC4xMDAuMTQ6OTIwMCJdLCJvZ3IoIoI0MzBhMWRiYWFhZGFmMjEzMjBiYzEyZTI5ZWM5NjhlOTNmZWQzMDA4YzgxMGMwYTY3NjMzOGYyZDY5NjE3OTAxIiwia2V5IjoiampEdXg0WUJtUDNfUFh6QlhVSWQ6WXJGMETtbV9ScWlqelZpMTJfckFpZyJ9
 
✔ Kibana configured successfully.
 
To start Kibana run:
  bin/kibana

Get the elasticsearch.serviceAccountToken from /etc/kibana/kibana.yml

elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2NzE3MTc2Njg4OTA6QllmZml2MGpTNjZzRTdnR1RCMXhRUQ

Generate encryption keys …

/usr/share/kibana/bin/kibana-encryption-keys generate
 
xpack.encryptedSavedObjects.encryptionKey: bdab0983a2ef291a97dd0d570329fabd
xpack.reporting.encryptionKey: d10a1eb9b4088bf06a01894fe422a939
xpack.security.encryptionKey: 777d3da41a468bc3524c7c598262538b

… and add all values to the kibana-keystore

/usr/share/kibana/bin/kibana-keystore add elasticsearch.serviceAccountToken
/usr/share/kibana/bin/kibana-keystore add xpack.encryptedSavedObjects.encryptionKey
/usr/share/kibana/bin/kibana-keystore add xpack.reporting.encryptionKey
/usr/share/kibana/bin/kibana-keystore add xpack.security.encryptionKey

Remove the line with the elasticsearch.serviceAccountToken from /etc/kibana/kibana.yml

To be able to copy files between the ES nodes and Kibana a mount for the SMB share is needed.
Create a file containing the credentials for the share in the root user directory:

cat > /root/backup.crd
username=kenny
password=kennyspassword
<ctrl-d>

To mount the share for the snapshot repository with the correct permissions for the elasticsearch user, we need to know the user ID (uid) of the elasticsearch user:

id -u elasticsearch
106

Create the mount directory

mkdir /mnt/backup

Add the share used for repository in /etc/fstab

//10.0.1.10/ES       /mnt/backup     cifs    vers=3.0,credentials=/root/backup.crd,uid=106   0       0

Mount the share through its /etc/fstab entry

mount /mnt/backup

On one of the elasticsearch nodes

Generate the SSL certificate and key for Kibana

/usr/share/elasticsearch/bin/elasticsearch-certutil cert -name deb11-elk-04_https -dns deb11-elk-04 -pem -self-signed

When prompted, save it as deb11-elk-04_http.zip, then copy it to the share:

cp /usr/share/elasticsearch/deb11-elk-04_http.zip /mnt/backup/debby/deb11-elk-04/

Back to the Kibana node
Create the directory for the certificate and key, copy the certificate file, unzip it, move the certificate and key to the certs directory and clean up:

mkdir /etc/kibana/certs
cd /etc/kibana/certs
cp /mnt/backup/debby/deb11-elk-04/deb11-elk-04_http.zip ./
unzip deb11-elk-04_http.zip
mv deb11-elk-04_https/* ./
rm -rf deb11-elk-04_https
rm deb11-elk-04_http.zip
chown -R root:kibana /etc/kibana/certs

Allow Kibana to bind to the default HTTPS port (443):

setcap cap_net_bind_service=+epi /usr/share/kibana/bin/kibana
setcap cap_net_bind_service=+epi /usr/share/kibana/bin/kibana-plugin
setcap cap_net_bind_service=+epi /usr/share/kibana/bin/kibana-keystore
setcap cap_net_bind_service=+epi /usr/share/kibana/node/bin/node

Install Kibana as a service and start it

systemctl daemon-reload
systemctl enable kibana.service
 
systemctl start kibana.service

Kibana is now available at https://deb11-elk-04

Either use the generated password from the installation of ES or generate a new one on an ES node with

/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

Log in with elastic and the password

Kibana is installed
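
A post-install check for the secrets handled above, as an added example that is not part of the original page: it verifies that the service account token and encryption keys no longer sit in kibana.yml, that the SMB credentials file is owner-only, and that the private key named by server.ssl.key is not readable by others. The function names, the FAIL messages and the expected modes (600 and 640) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the secret-bearing files created by the steps on this page.
# Function names and messages are illustrative, not part of Kibana.

# Print the group and other permission characters of a file ("r--r--" for 0644).
group_other_bits() {
    ls -ldL "$1" | cut -c5-10
}

# audit_kibana_secrets KIBANA_YML CIFS_CREDENTIALS
# Prints one FAIL line per finding; returns 0 if clean, 1 otherwise.
audit_kibana_secrets() {
    yml=$1; cred=$2; rc=0

    # Secrets moved into the kibana-keystore must not remain in kibana.yml.
    if grep -Eq '^[[:space:]]*(elasticsearch\.serviceAccountToken|xpack\.[A-Za-z]+\.encryptionKey)[[:space:]]*:' "$yml"; then
        echo "FAIL: $yml still holds a token or encryption key in clear text"; rc=1
    fi

    # The SMB credentials file must be accessible to its owner only.
    if [ ! -f "$cred" ]; then
        echo "FAIL: $cred not found"; rc=1
    elif [ "$(group_other_bits "$cred")" != "------" ]; then
        echo "FAIL: $cred is accessible to group or others (expected mode 600)"; rc=1
    fi

    # Take the private key path from server.ssl.key so the check follows the config.
    key=$(sed -n 's/^[[:space:]]*server\.ssl\.key:[[:space:]]*//p' "$yml" | tr -d '"' | head -n 1)
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: server.ssl.key is unset or points to a missing file"; rc=1
    else
        # Group read is needed with root:kibana ownership; nothing beyond that.
        case "$(group_other_bits "$key")" in
            ------|r-----) ;;
            *) echo "FAIL: $key is too permissive (expected mode 640 or 600)"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Run against the paths used on this page with: sh audit.sh run
if [ "${1:-}" = "run" ]; then
    audit_kibana_secrets /etc/kibana/kibana.yml /root/backup.crd
fi
```

Because the page creates /root/backup.crd with cat and no chmod, the file inherits root's umask (commonly 022) and is reported until chmod 600 is applied to it.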

elastic/kibanaonlinux.1678394566.txt.gz · Last modified: 2023/03/09 20:42 by olaf