Using Kibana in a Production Environment

How you deploy Kibana largely depends on your use case. If you are the only user, you can run Kibana on your local machine and configure it to point to whatever Elasticsearch instance you want to interact with. Conversely, if you have a large number of heavy Kibana users, you might need to load balance across multiple Kibana instances that are all connected to the same Elasticsearch instance.


While Kibana isn’t terribly resource intensive, we still recommend running Kibana separate from your Elasticsearch data or master nodes. To distribute Kibana traffic across the nodes in your Elasticsearch cluster, you can run Kibana and an Elasticsearch client node on the same machine. For more information, see Load Balancing Across Multiple Elasticsearch Nodes.

Configuring Kibana to Work with Shield

If you are using Shield to authenticate Elasticsearch users, you need to provide the Kibana server with credentials so it can access the .kibana index and monitor the cluster.


To configure credentials for the Kibana server:

  1. Assign the kibana4_server role to a user in Shield. For more information, see Configuring a Role for the Kibana 4 Server in the Shield documentation.
  2. Set the kibana_elasticsearch_username and kibana_elasticsearch_password properties in kibana.yml to specify the credentials of the user you assigned the kibana4_server role:

    kibana_elasticsearch_username: kibana4-user
    kibana_elasticsearch_password: kibana4-password

Kibana 4 users also need access to the .kibana index so they can save and load searches, visualizations, and dashboards. For more information, see Configuring Roles for Kibana 4 Users in the Shield documentation.


See Kibana and Elasticsearch Dynamic Mapping for important information on Kibana and the dynamic mapping feature in Elasticsearch.


Enabling SSL

Kibana supports SSL encryption for both client requests and the requests the Kibana server sends to Elasticsearch.


To encrypt communications between the browser and the Kibana server, you configure the ssl_key_file and ssl_cert_file properties in kibana.yml:

    # SSL for outgoing requests from the Kibana Server (PEM formatted)
    ssl_key_file: /path/to/your/server.key
    ssl_cert_file: /path/to/your/server.crt

If you are using Shield or a proxy that provides an HTTPS endpoint for Elasticsearch, you can configure Kibana to access Elasticsearch via HTTPS so communications between the Kibana server and Elasticsearch are encrypted.


To do this, you specify the HTTPS protocol when you configure the Elasticsearch URL in kibana.yml:


    elasticsearch_url: "https://<your_elasticsearch_host>.com:9200"

If you are using a self-signed certificate for Elasticsearch, set the ca property in kibana.yml to specify the location of the PEM file. Setting the ca property lets you leave the verify_ssl option enabled.


    # If you need to provide a CA certificate for your Elasticsearch instance, put
    # the path of the pem file here.
    ca: /path/to/your/ca/cacert.pem
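
The following check is an added example, not part of the Kibana documentation or code base. It audits a kibana.yml body for the transport settings described above (elasticsearch_url, verify_ssl, ca, ssl_key_file, ssl_cert_file); the sample configs, host names and function names are constructed for illustration, and the parser assumes the flat "key: value" layout used on this page.

```python
import re
from urllib.parse import urlparse

# Constructed sample configs using the flat kibana.yml keys named on this page.
WEAK = """\
elasticsearch_url: "http://es1.example.internal:9200"
kibana_elasticsearch_username: kibana4-user
kibana_elasticsearch_password: kibana4-password
verify_ssl: false
"""
HARDENED = """\
elasticsearch_url: "https://es1.example.internal:9200"
kibana_elasticsearch_username: kibana4-user
kibana_elasticsearch_password: kibana4-password
ca: /path/to/your/ca/cacert.pem
ssl_key_file: /path/to/your/server.key
ssl_cert_file: /path/to/your/server.crt
"""
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse_flat_yaml(text):
    """Read top-level 'key: value' lines; comment and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def audit(text):
    """Return a list of transport-security findings for a kibana.yml body."""
    cfg = parse_flat_yaml(text)
    findings = []
    # Assumption: with no elasticsearch_url set, Kibana talks to localhost:9200.
    url = urlparse(cfg.get("elasticsearch_url", "http://localhost:9200"))
    if url.scheme != "https" and url.hostname not in LOCAL_HOSTS:
        findings.append("elasticsearch_url: plain HTTP to a remote host")
        if "kibana_elasticsearch_password" in cfg:
            findings.append("kibana_elasticsearch_password: sent unencrypted")
    if cfg.get("verify_ssl", "true").lower() == "false":
        findings.append("verify_ssl: disabled, set ca to the PEM file instead")
    if not (cfg.get("ssl_key_file") and cfg.get("ssl_cert_file")):
        findings.append("ssl_key_file/ssl_cert_file: browser traffic is not encrypted")
    return findings

if __name__ == "__main__":
    for name, body in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(body) or "no findings")
```

A plain-HTTP URL to localhost is not flagged, which matches the local client node setup where Kibana and the Elasticsearch node share one machine.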

Controlling access

You can use Elasticsearch Shield (Shield) to control what Elasticsearch data users can access through Kibana. Shield provides index-level access control. If a user isn’t authorized to run the query that populates a Kibana visualization, the user just sees an empty visualization.


To configure access to Kibana using Shield, you create Shield roles for Kibana using the kibana4 default role as a starting point. For more information, see Using Kibana 4 with Shield.


Load Balancing Across Multiple Elasticsearch Nodes

If you have multiple nodes in your Elasticsearch cluster, the easiest way to distribute Kibana requests across the nodes is to run an Elasticsearch client node on the same machine as Kibana. Elasticsearch client nodes are essentially smart load balancers that are part of the cluster. They process incoming HTTP requests, redirect operations to the other nodes in the cluster as needed, and gather and return the results. For more information, see Node in the Elasticsearch reference.


To use a local client node to load balance Kibana requests:


  1. Install Elasticsearch on the same machine as Kibana.
  2. Configure the node as a client node. In elasticsearch.yml, set both node.data and node.master to false:

    # 3. You want this node to be neither master nor data node, but
    #    to act as a "search load balancer" (fetching data from nodes,
    #    aggregating results, etc.)
    node.master: false
    node.data: false

  3. Configure the client node to join your Elasticsearch cluster. In elasticsearch.yml, set cluster.name to the name of your cluster.

    cluster.name: "my_cluster"

  4. Make sure Kibana is configured to point to your local client node. In kibana.yml, the elasticsearch_url should be set to localhost:9200.

    # The Elasticsearch instance to use for all your queries.
    elasticsearch_url: "http://localhost:9200"






