X-Pack is an Elastic Stack extension that provides security, alerting, monitoring, reporting, machine learning, and many other capabilities. By default, when you install Elasticsearch, X-Pack is installed.
The growing popularity of Elasticsearch has made both Elasticsearch and Kibana targets for hackers and ransomware, so it is important never to leave your Elasticsearch cluster unprotected.
From Elasticsearch version 6.8 onwards, the X-Pack Basic license (free) includes security in the standard Elasticsearch distribution; before that it was a paid feature.
How to set up X-pack security on Elasticsearch
Bear in mind that the following steps will inevitably require some downtime. If your ELK stack is already in production, it is advisable to carry out the following steps on a staging environment first, so that you are familiar with every step involved before causing downtime in production.
sudo systemctl stop kibana
sudo systemctl stop elasticsearch
Enable X-Pack security in elasticsearch.yml
sudo nano /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
sudo systemctl start elasticsearch
Set up the default user passwords
cd /usr/share/elasticsearch/bin
sudo ./elasticsearch-setup-passwords auto
Changed password for user apm_system
PASSWORD apm_system = ixicTkGDQvsRD4DVud7G
Changed password for user kibana
PASSWORD kibana = bkC6npKCtAMBFWZw4ube
Changed password for user logstash_system
PASSWORD logstash_system = 8t8t6FAbBPU1SYthqQnW
Changed password for user beats_system
PASSWORD beats_system = fRoOzNLyZ5lB8bKD9SaG
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = Ais1CsbZtl0KbIHDHZ2i
Changed password for user elastic
PASSWORD elastic = Vd0DDcdBV5d3gIKRxmVM
Add the default user credentials in kibana.yml
vim /etc/kibana/kibana.yml
elasticsearch.username: "kibana_system"
elasticsearch.password: "new_password"
systemctl start kibana
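The configuration steps above, from stopping the services to restarting Kibana, as an added helper script (written for this page; not from the original post and not Elastic's own tooling). It assumes the post's file paths, a single node on localhost:9200 and the elastic and kibana_system users; what it adds beyond the manual steps is that the config edits are idempotent, the config files keep their owner and mode, and a final check confirms that anonymous requests now get HTTP 401.

```shell
#!/bin/sh
# Helper for the walkthrough above (added here; not from the original post).
# It makes the two config edits idempotent, so a re-run never leaves duplicate
# or conflicting keys behind, and checks afterwards that the node really
# rejects anonymous requests. Paths, user names and port are the post's.
ES_YML=/etc/elasticsearch/elasticsearch.yml
KIBANA_YML=/etc/kibana/kibana.yml
# set_yaml_key FILE KEY VALUE: rewrite the first line for KEY, whether it is
# active or commented out (as in the shipped configs), or append one.
set_yaml_key() {
    awk -v k="$2" -v v="$3" '
        !done && $0 ~ ("^[# ]*" k ":") { print k ": " v; done = 1; next }
        { print }
        END { if (!done) print k ": " v }
    ' "$1" > "$1.tmp" &&
    cat "$1.tmp" > "$1" && rm -f "$1.tmp"   # keep owner/mode: no world-readable password file
}
# get_yaml_key FILE KEY: print the active (uncommented) value, if any.
get_yaml_key() {
    awk -v k="$2" '$0 ~ ("^" k ":") { sub("^" k ":[ \t]*", ""); print; exit }' "$1"
}
# count_key FILE KEY: number of active lines defining KEY (must stay 1).
count_key() { grep -c "^$2:" "$1" || true; }
# auth_is_enforced ELASTIC_PASSWORD: true only if the node answers 401 to an
# anonymous request and 200 to the elastic user (assumes localhost:9200).
auth_is_enforced() {
    anon=$(curl -s -o /dev/null -w '%{http_code}' http://localhost:9200/)
    authed=$(curl -s -o /dev/null -w '%{http_code}' -u "elastic:$1" http://localhost:9200/)
    [ "$anon" = "401" ] && [ "$authed" = "200" ]
}
# Step 1 of the post: stop both services, enable security, start Elasticsearch.
# Then run "elasticsearch-setup-passwords auto" by hand, as the post does.
enable_es_security() {
    systemctl stop kibana && systemctl stop elasticsearch
    set_yaml_key "$ES_YML" xpack.security.enabled true
    systemctl start elasticsearch
}
# Step 2 of the post: give Kibana the kibana_system password and start it.
configure_kibana() {
    set_yaml_key "$KIBANA_YML" elasticsearch.username '"kibana_system"'
    set_yaml_key "$KIBANA_YML" elasticsearch.password "\"$1\""
    systemctl start kibana
}
# Usage: sudo sh secure-xpack.sh enable | kibana <kibana_pw> | check <elastic_pw>
case "${1-}" in
    enable) enable_es_security ;;
    kibana) configure_kibana "$2" ;;
    check)  auth_is_enforced "$2" && echo "security enforced" ;;
esac
```

Run the three subcommands in the post's order (enable, then the setup-passwords step by hand, then kibana with the printed kibana password, then check with the elastic password); if check stays silent, anonymous access still works and the node is not yet protected.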
Log in to Kibana with the elastic built-in user
Go to the Management / Security / Users page: