
I saw Kibana in my professional career and I find it a very interesting tool for sysadmins, so I thought it might be helpful to someone out there to write a small article on how to install it and use it to visualize data stored in Elasticsearch.
Kibana is an open-source data visualization and exploration tool used to analyze large volumes of data, especially logs. It is part of the ELK Stack (Elasticsearch, Logstash, Kibana), and is commonly used for centralized log management, security monitoring, and observability.
Kibana is often used in the so-called ELK pipeline for log file collection, analysis and visualization:
- Elasticsearch is for searching, analyzing, and storing your data
- Logstash (and Beats) is for collecting and transforming data, from any source, in any format
- Kibana is a portal for visualizing the data and navigating the Elastic Stack
In this article, you'll learn how to:
- Install Kibana
- Connect it to Elasticsearch
- Visualize log data
- Use its basic features
Prerequisites
Before installing Kibana, make sure you have the following:
- A Linux server running (Ubuntu / Debian / CentOS / RHEL)
- Elasticsearch installed and running
- Root or sudo access
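1. Install Kibana
I. On Debian/Ubuntu
- Import the Elastic GPG key into a dedicated keyring (apt-key is deprecated and trusts the key for every repository):
# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
- Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
- Update and install:
# apt update
# apt install kibana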
II. On RHEL/CentOS Linux
- Create repo file:
# tee /etc/yum.repos.d/elastic.repo <<EOF
[elastic-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
- Install Kibana:
# yum install kibana
2. Configure Kibana
The configuration file is located at:
/etc/kibana/kibana.yml
Edit the file:
# vim /etc/kibana/kibana.yml
Update or add the following:
# Server settings
server.port: 5601
server.host: "0.0.0.0"
# Elasticsearch connection
elasticsearch.hosts: ["http://localhost:9200"]
# Logging
logging.level: info
# Security (only if Elasticsearch security is enabled)
# elasticsearch.username: "kibana_system"
# elasticsearch.password: "your_password_here"
Optional: Set basic auth or SSL settings if needed.
3. Start and Enable Kibana
# systemctl enable kibana
# systemctl start kibana
Check status:
# systemctl status kibana
…
4. Access Kibana Web Interface
Open your browser and go to:
http://<your-server-ip>:5601
You’ll be welcomed with the Kibana dashboard.
5. Import and Visualize Logs
Option A: Use Filebeat to Send Logs
Install Filebeat on the server with logs and configure it to send data to Elasticsearch. Kibana will then be able to visualize it.
# apt install filebeat
# filebeat modules enable system
# filebeat setup
# systemctl start filebeat
Option B: Ingest Logs via Logstash or Elasticsearch API
If you already have data in Elasticsearch, Kibana will automatically detect indices.
6. Create Index Pattern
- In Kibana, go to Stack Management -> Index Patterns
- Click Create Index Pattern
- Enter the name (e.g., filebeat-*)
- Select the timestamp field (usually @timestamp)
- Save
Now Kibana knows how to query and visualize your data.
7. Create Visualizations and Dashboards
- Go to Visualize -> Create visualization
- Choose a type (bar, pie, line, etc.)
- Select an index pattern
- Configure metrics and buckets
You can then save visualizations and add them to dashboards.
8. Secure Kibana
- Configure TLS/SSL for Kibana / Elasticsearch (and other components such as Logstash)
- Use additional Elastic Security features like RBAC (Role-Based Access Control) and SSO (Single Sign-On)
- Secure Kibana with a reverse proxy in front (e.g., Nginx + Basic Auth, or Apache / HAProxy)
A simple example Nginx config snippet:
location / {
proxy_pass http://localhost:5601;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
}
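An added example (not from the original article) that audits the kibana.yml from step 2 against the hardening points above: with server.host set to 0.0.0.0, port 5601 stays reachable directly, so the Nginx auth_basic in front of it can be bypassed. The parser only handles flat dotted keys, and the finding codes are names made up for this sketch.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the kibana.yml settings from step 2 of this article.
SAMPLE = """\
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
logging.level: info
# elasticsearch.username: "kibana_system"
# elasticsearch.password: "your_password_here"
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_flat_settings(text):
    """Parse flat 'dotted.key: value' lines; nested YAML is not handled."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(settings):
    """Return (code, message) findings for exposure-related settings."""
    findings = []
    host = settings.get("server.host", "localhost")  # Kibana's default is localhost
    tls = settings.get("server.ssl.enabled", "false").lower() == "true"
    if host not in LOOPBACK:
        port = settings.get("server.port", "5601")
        findings.append(("DIRECT_LISTENER",
                         f"server.host={host}: port {port} is reachable without the reverse proxy"))
        if not tls:
            findings.append(("NO_TLS", "non-loopback listener without server.ssl.enabled: true"))
    for url in re.findall(r'https?://[^\s"\],]+', settings.get("elasticsearch.hosts", "")):
        parsed = urlparse(url)
        if parsed.scheme == "http" and parsed.hostname not in LOOPBACK:
            findings.append(("ES_PLAINTEXT", f"{url}: credentials and data cross the network unencrypted"))
    if "elasticsearch.password" in settings:
        findings.append(("PASSWORD_IN_FILE", "elasticsearch.password is stored in clear text in kibana.yml"))
    return findings

if __name__ == "__main__":
    for code, message in audit(parse_flat_settings(SAMPLE)):
        print(f"{code}: {message}")
```

When Nginx runs on the same host as Kibana, setting server.host to "127.0.0.1" clears both findings for the sample.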
What is Kibana used for and what can it do for you?
| Use Case | Description |
|---|---|
| Log Monitoring | Visualize system and application logs in real time |
| Security Analytics | Detect anomalies, failed logins, suspicious activity |
| DevOps Dashboards | Track uptime, error rates, and system performance |
| SIEM | Use Elastic Security for threat detection |
Once Kibana is installed on a server, you typically use it to visualize and explore data stored in Elasticsearch. Here’s a practical guide with sample usage scenarios:
Access Kibana
After installation, Kibana usually runs on port 5601 by default.
http://<your-server-ip>:5601
- Open this URL in a browser.
- You should see the Kibana dashboard.
Connect to Elasticsearch
Kibana automatically connects to your Elasticsearch instance if installed locally.
You can verify the connection:
GET /_cluster/health
- Go to Dev Tools → Console in Kibana.
- Run the above query to check cluster status.
Visualize Data
Kibana allows multiple types of visualizations:
- Bar/line chart: trends over time.
- Pie chart: distribution of values.
- Data table: top IP addresses or most visited URLs.
- Maps: geolocation of IP addresses.
Create Dashboards
- Combine multiple visualizations in a Dashboard.
- Useful for monitoring logs, metrics, or application performance.
- Example: Create a dashboard with:
- Requests per URL (bar chart)
- Requests over time (line chart)
- Top client IPs (data table)
- Errors by type (pie chart)
Search & Query Logs
- Use Discover to search logs interactively.
- Example KQL query:
status:500 AND url:"/login"
This finds requests to /login that returned HTTP status 500, i.e. login requests that failed with a server error.
Set Alerts (Optional)
- Kibana’s Alerts and Actions can trigger notifications (email, Slack, etc.) when certain thresholds are crossed.
- Example: alert if error responses exceed 100 in 5 minutes.
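The alert rule above (more than 100 error responses in 5 minutes) as a trailing-window count over constructed events, added here as an illustration and not Kibana's own rule engine. The field names status and url follow the KQL example; treating any status of 500 or above as an error is an assumption.

```python
from collections import deque
from datetime import datetime, timedelta

def is_error(event):
    """Assumed definition of an 'error response': any 5xx status."""
    return event["status"] >= 500

def login_500(event):
    """Same filter as the KQL example: status:500 AND url:"/login"."""
    return event["status"] == 500 and event["url"] == "/login"

def alert_times(events, matches, threshold=100, window=timedelta(minutes=5)):
    """Return the timestamps at which matching events in the trailing window
    first exceed the threshold: one entry per breach, not one per event."""
    recent, alerts, firing = deque(), [], False
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches(event):
            continue
        ts = event["@timestamp"]
        recent.append(ts)
        while ts - recent[0] >= window:      # drop events older than the window
            recent.popleft()
        over = len(recent) > threshold       # "exceed": exactly 100 does not fire
        if over and not firing:
            alerts.append(ts)
        firing = over                        # re-arm once the count drops again
    return alerts

def build_sample():
    """Constructed events shaped like indexed access-log documents."""
    base = datetime(2024, 1, 1)
    def ev(sec, status, url="/login"):
        return {"@timestamp": base + timedelta(seconds=sec), "status": status, "url": url}
    slow = [ev(3 * i, 500) for i in range(90)]                  # 90 errors in 4.5 min
    ok = [ev(2 * i, 200) for i in range(400)]                   # successes never count
    burst = [ev(1000 + i, 500) for i in range(120)]             # 120 login errors in 2 min
    other = [ev(1000 + i, 500, "/search") for i in range(50)]   # errors on another URL
    return base, slow + ok + burst + other

if __name__ == "__main__":
    base, events = build_sample()
    print("any 5xx:", alert_times(events, is_error))
    print("login 500 only:", alert_times(events, login_500))
```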
Sample Kibana dashboard
Kibana with connected servers to find out Geo Location
Summary closing words (what we did)
| Step | Action |
|---|---|
| 1 | Install Kibana from Elastic repo |
| 2 | Configure to connect to Elasticsearch |
| 3 | Start and enable the service |
| 4 | Access it via http://<ip>:5601 |
| 5 | Ingest log data |
| 6 | Define index pattern |
| 7 | Create dashboards and visualizations |
The idea of this article was just to introduce you to the existence of Elasticsearch / Kibana, Filebeat and Logstash, and not to give you a fully fine-tuned install guide. The usual way to deploy Kibana on multiple servers is of course to use a dockerized container version of it. There is plenty to learn about how to use Kibana to monitor your machines. But the simplest use is to directly access the locally visible Kibana on a server and check the status of processes on the host instead of logging in via SSH. Kibana can do pretty much
Some further useful Reading Resources
- Kibana Docs: https://www.elastic.co/guide/en/kibana/index.html
- Filebeat Docs: https://www.elastic.co/guide/en/beats/filebeat/index.html
- Logstash Docs: https://www.elastic.co/guide/en/logstash/index.html














