First configure security if you’re using X-Pack’s security features. Then come back here for instructions on installing and configuring Kibana (the monitoring server) with X-Pack so that Elasticsearch (secured with X-Pack), Kibana (secured with X-Pack), and Liferay DXP can communicate effortlessly and securely. A Liferay Enterprise Search (LES) subscription is necessary for this integration. Contact Liferay’s Sales department for more information.
To install X-Pack monitoring,
Tell Elasticsearch to enable data collection.
Download and install Kibana.
Configure Kibana with the proper security settings.
Install the Liferay Enterprise Search Monitoring app.
Configure the connector to communicate with Elasticsearch.
This document assumes you’re enabling security (with authentication and encrypted communication) and monitoring for Elasticsearch 7, but differences in the process for Elasticsearch 6 are noted where necessary.
Start by following the steps in this article to enable TLS/SSL in your Elasticsearch and Liferay DXP installation.
Then continue by enabling data collection in Elasticsearch.
Monitoring is enabled on Elasticsearch by default, but data collection isn’t.
Enable data collection by adding this line to
Now install Kibana.
Make sure to install the correct version of Kibana. Check the Liferay Enterprise Search compatibility matrix for details.
Download Kibana and extract it. The root folder is referred to as Kibana Home.
Tell Kibana where to send monitoring data by setting Elasticsearch’s URL in
elasticsearch.hosts: [ "https://localhost:9200" ]
On 6.5 and below, use
If TLS/SSL is not enabled on Elasticsearch, this is an
httpURL, otherwise use
If not using X-Pack security, start Kibana by opening a command prompt to Kibana Home and entering this command:
If you’re using X-Pack’s security features on the Elasticsearch server, there’s additional configuration required before starting Kibana.
If X-Pack requires authentication to access the Elasticsearch cluster, follow these steps or refer to Elastic’s documentation.
Set the password for the built-in
elasticsearch.username: "kibana" elasticsearch.password: "liferay"
kibanauser password from your X-Pack setup. Once Kibana is installed, you can change the built-in user passwords from the Management user interface.
If you’re not encrypting communication with the Elasticsearch cluster, start Kibana from Kibana home.
Follow these steps to configure Kibana if X-Pack encrypts communication with the Elasticsearch cluster. Consult Elastic’s guide for more information.
[Elasticsearch Home]/config/certsfolder into the
This example reuses the certificate files created for Elasticsearch itself. If you wish to generate a separate certificate for your Kibana instance, make sure it is signed by the same CA as the Elasticsearch node certificates.
Add these settings to
xpack.security.encryptionKey: "xsomethingxatxleastx32xcharactersx" xpack.security.sessionTimeout: 600000 elasticsearch.hosts: [ "https://localhost:9200" ] elasticsearch.ssl.verificationMode: certificate elasticsearch.ssl.certificateAuthorities: [ "config/certs/ca.crt" ] elasticsearch.ssl.certificate: config/certs/localhost.crt elasticsearch.ssl.key: config/certs/localhost.key server.ssl.enabled: true server.ssl.certificateAuthorities: [ "config/certs/ca.crt" ] server.ssl.certificate: config/certs/localhost.crt server.ssl.key: config/certs/localhost.key
Elasticsearch/Kibana 6.5 and below use a different property for specifying the
host URL. Replace the
elasticsearch.hosts property with
For more information about monitoring and security best practices in a clustered environment, refer to Elastic’s documentation.
After this step you can access Kibana at
https://localhost:5601 and sign in
with a Kibana user. The last step is to connect Kibana to Liferay DXP.
If you have a LES subscription,
download the Liferay Enterprise Search Monitoring app . Install
the LPKG file by copying it into the
Liferay Home/deploy folder.
Once the connector is installed and Kibana and Elasticsearch are securely configured, create a configuration file named
Place these settings in the
kibanaPassword="liferay" kibanaUserName="elastic" kibanaURL="https://localhost:5601"
The values depend on your Kibana configuration. For example, use a URL such as
kibanaURL="http://localhost:5601"if you are not using X-Pack Security TLS/SSL features.
Alternatively, configure the monitoring adapter from System Settings. Navigate to Control Panel → Configuration → System Settings and find the X-Pack Monitoring entry in the Search category. All the configuration options for the monitoring connector appear there.
Deploy this configuration file to
Liferay Home/osgi/configs, and your running instance applies the settings. There’s no need to restart the server.
There are two more settings to add to Kibana itself. The first forbids Kibana from rewriting requests prefixed with
server.basePath. The second sets Kibana’s base path for the Monitoring portlet to act as a proxy for Kibana’s monitoring UI. Add this to
server.rewriteBasePath: false server.basePath: "/o/portal-search-elasticsearch-xpack-monitoring/xpack-monitoring-proxy"
Note that once you set the
server.basePath, you cannot access the Kibana UI through Kibana’s URL (e.g.,
https://localhost:5601). All access to the Kibana UI is through the Monitoring portlet, which is only accessible to signed in Liferay DXP users. Navigate directly to the portlet using this URL:
Because you’re using the Monitoring portlet in Liferay DXP as a proxy to Kibana’s UI, if you are using X-Pack Security with TLS/SSL, you must configure the application server’s startup JVM parameters to recognize a valid truststore and password.
First, navigate to Elasticsearch Home and generate a PKSC#12 certificate from the CA you created when setting up X-Pack security:
./bin/elasticsearch-certutil cert --ca-cert /path/to/ca.crt --ca-key /path/to/ca.key --ip 127.0.0.1 --dns localhost --name localhost --out /path/to/Elasticsearch_Home/config/localhost.p12
Next use the
keytoolcommand to generate a truststore:
keytool -importkeystore -deststorepass liferay -destkeystore /path/to/truststore.jks -srckeystore /path/to/Elasticsearch_Home/config/localhost.p12 -srcstoretype PKCS12 -srcstorepass liferay
Add the trustore path and password to your application server’s startup JVM parameters. Here are example truststore and path parameters for appending to a Tomcat server’s
Restart Liferay DXP and Kibana.
Once Kibana and X-Pack are successfully installed and configured and all the servers are running, add the X-Pack Monitoring portlet to a page:
Open the Add menu on a page and choose Widgets
Search for monitoring and drag the X-Pack Monitoring widget from the Search category onto the page.
See the Elastic documentation for information on monitoring Elasticsearch.
Here are the
kibana.yml properties demonstrated in this article, for
# X-Pack Security enabled (Basic Auth) elasticsearch.username: "kibana" elasticsearch.password: "liferay" # When TLS/SSL is enabled in X-Pack Security xpack.security.encryptionKey: "xsomethingxatxleastx32xcharactersx" xpack.security.sessionTimeout: 600000 # If on Elasticsearch 6.5 or below, replace the next property with: # elasticsearch.url: "http://localhost:9200" elasticsearch.hosts: [ "https://localhost:9200" ] # Enable TLS/SSL for out-bound traffic: from Kibana to Elasticsearch elasticsearch.ssl.verificationMode: certificate elasticsearch.ssl.certificateAuthorities: [ "config/certs/ca.crt" ] elasticsearch.ssl.certificate: config/certs/localhost.crt elasticsearch.ssl.key: config/certs/localhost.key # Enable TLS/SSL for in-bound traffic: from browser or # DXP (X-Pack Monitoring widget, proxy) to Kibana server.ssl.enabled: true server.ssl.certificateAuthorities: [ "config/certs/ca.crt" ] server.ssl.certificate: config/certs/localhost.crt server.ssl.key: config/certs/localhost.key # To use Kibana inside the X-Pack Monitoring widget server.rewriteBasePath: false server.basePath: "/o/portal-search-elasticsearch-xpack-monitoring/xpack-monitoring-proxy"