How to install Kibana on Ubuntu or Debian

Installing Kibana on Ubuntu or Debian adds the Elastic web interface for searching data, opening dashboards, and working with alerts or saved objects without staying in raw Elasticsearch API calls.

The official Debian package installs the program under /usr/share/kibana, reads settings from /etc/kibana/kibana.yml, stores persistent data under /var/lib/kibana, and registers the kibana.service systemd unit on port 5601. Secure first-time setup uses a Kibana enrollment token to write the connection, trust, and service-account settings that let the web UI talk to Elasticsearch.

Current self-managed package installs use Elastic's 9.x APT repository and the /usr/share/keyrings/elasticsearch-keyring.gpg keyring path. Kibana should stay on the same stack version as the connected Elasticsearch cluster, enrollment tokens expire after about 30 minutes, and remote browser access stays local-only until server.host is changed. On Debian-package Elasticsearch installs, the initial elastic password is not printed automatically at first startup because the service runs under systemd, so the password may need to be reset on the Elasticsearch host before the first Kibana sign-in.

Steps to install Kibana on Ubuntu or Debian:

Import the Elastic package signing key into a dedicated APT keyring.
```
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
```
No command output indicates the keyring file was written successfully.
Install apt-transport-https if the host still lacks HTTPS APT transport support.
```
$ sudo apt-get install apt-transport-https
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
apt-transport-https is already the newest version.
```
Current Ubuntu releases already include HTTPS APT transport, so this step is mainly relevant on older or minimal Debian systems.

Save the official Elastic APT repository definition.

$ echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/9.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-9.x.list
deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/9.x/apt stable main

Do not use add-apt-repository here. Elastic's current Debian instructions warn that it adds an unsupported deb-src entry that breaks apt-get update for this repository.

Refresh the local APT package index.

$ sudo apt-get update
Get:1 https://artifacts.elastic.co/packages/9.x/apt stable InRelease [3249 B]
Get:2 https://artifacts.elastic.co/packages/9.x/apt stable/main arm64 Packages [44.3 kB]
##### snipped #####
Reading package lists... Done

The architecture label in the package line reflects the local host, such as amd64 or arm64.

Install the Kibana package.

$ sudo apt-get install kibana
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  kibana
##### snipped #####
Setting up kibana (9.3.2) ...

Install the same stack version on Kibana and Elasticsearch. Pin a specific package version only when the connected cluster already runs that exact version.

Generate a fresh Kibana enrollment token on an Elasticsearch node when the original first-start token is unavailable or has expired.
```
$ sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
eyJ2ZXIiOiI5LjMuMiIsImFkciI6WyJodHRwczovL2VzLmV4YW1wbGUubmV0OjkyMDAiXSwiZmdyIjoi##### snipped #####
```
The token is valid for about 30 minutes and writes the current security connection settings into /etc/kibana/kibana.yml during enrollment. Add --url "https://<es-host>:9200" when the tool must reach a non-default Elasticsearch endpoint.

Elastic also provides /usr/share/kibana/bin/kibana-setup –enrollment-token “<token>” for detached CLI enrollment when the browser-based preboot flow is not practical.

Related: How to install Elasticsearch on Ubuntu or Debian
Related: How to connect Kibana to Elasticsearch
Set server.host in /etc/kibana/kibana.yml when Kibana must accept remote connections.
```
server.host: "0.0.0.0"
```
Keep the default localhost binding for local-only access, or use a specific interface IP when the UI should be reachable from only one network.

Binding to 0.0.0.0 exposes port 5601 on every interface, so pair it with a firewall, reverse proxy, or another network control before allowing untrusted networks to reach the service.

Related: How to set the Kibana server host and port
Reload the systemd manager configuration so the new unit is available immediately.
```
$ sudo systemctl daemon-reload
```
Elastic's current Debian-package instructions run this explicitly before the service is enabled.

Enable the Kibana service at boot.

$ sudo systemctl enable kibana.service
Created symlink /etc/systemd/system/multi-user.target.wants/kibana.service → /usr/lib/systemd/system/kibana.service.

Start the Kibana service.
```
$ sudo systemctl start kibana.service
```
These commands do not report success or failure directly, so follow up with systemctl status or journalctl instead of assuming the service started cleanly.

Related: How to manage the Kibana service with systemctl in Linux

Check the Kibana service status for the running state, setup URL, and verification code.

$ sudo systemctl status kibana --no-pager
● kibana.service - Kibana
     Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-04-02 08:32:11 UTC; 7s ago
##### snipped #####
Apr 02 08:32:18 host kibana[8123]: Kibana has not been configured.
Apr 02 08:32:18 host kibana[8123]: Go to http://kibana.example.net:5601/?code=123456 to get started.

The first-start status output commonly shows the browser URL and a six-digit verification code while Kibana waits for enrollment.

Use journalctl –unit=kibana.service –no-pager -n 50 when the service does not reach active (running) cleanly or the setup URL never appears.

Open the setup URL from the status output and paste the current Kibana enrollment token.
```
http://kibana.example.net:5601/?code=123456
```
Click Configure Elastic after pasting the token, and enter the six-digit verification code from the systemctl status output if the browser asks for it.
Sign in on the Welcome to Elastic page with the elastic user and the current password for that cluster.

On Debian or RPM package installs of Elasticsearch, reset the password on an Elasticsearch node first if the current elastic password is not already known.

Related: How to reset built-in user passwords in Elasticsearch
Confirm the Kibana home page loads after the enrollment and sign-in flow completes.

First-time access can land on the home page, a solution overview, or sample-data prompts instead of an existing dashboard, but the main Kibana navigation should be available.