Connecting Kibana to Elasticsearch is what lets the web UI load saved objects, query indices, build dashboards, and run alerting or monitoring tasks. When the backend endpoint or credentials are wrong, Kibana usually stalls at Kibana server is not ready yet, reports a degraded status, or keeps restarting without ever becoming usable.

On package-based Linux installs, Kibana reads its outbound cluster settings from /etc/kibana/kibana.yml. The main connection knob is elasticsearch.hosts, while authentication is supplied either by elasticsearch.username plus a matching secret or by elasticsearch.serviceAccountToken. When the endpoint uses HTTPS, Kibana must also trust the issuing CA through elasticsearch.ssl.certificateAuthorities.

Fresh secured installations are commonly enrolled with an Elasticsearch enrollment token through kibana-setup or the first-start browser flow, which writes the security connection settings automatically. This page covers the manual path for an existing host, a repaired configuration, or a non-default Elasticsearch endpoint. Keep secrets out of /etc/kibana/kibana.yml by using the Kibana keystore, and restart the service after any change.

Related: How to configure TLS for Kibana
Related: How to install Kibana on Ubuntu or Debian
Related: How to install Kibana on CentOS, RHEL, or Fedora

Steps to connect Kibana to Elasticsearch:

  1. Open the Kibana configuration file for editing. 
    $ sudoedit /etc/kibana/kibana.yml

    Archive or container installs commonly use a different config path such as /usr/share/kibana/config/kibana.yml.

  2. Set elasticsearch.hosts to the Elasticsearch HTTP endpoint or endpoints that Kibana should use. 
    elasticsearch.hosts: ["https://es.example.net:9200"]

    All listed URLs must belong to the same Elasticsearch cluster. A load balancer URL is also valid when it fronts the cluster's HTTP API.

  3. Choose one server-side authentication method for Kibana. For built-in user authentication, set elasticsearch.username. For service-account authentication, leave the username unset and add elasticsearch.serviceAccountToken to the Kibana keystore in the next step. 
    elasticsearch.username: "kibana_system"

    Use either the kibana_system user with its secret or elasticsearch.serviceAccountToken, not both. Enrollment-token setup commonly writes a service account token automatically.

  4. Store the matching secret in the Kibana keystore. Add elasticsearch.password when using kibana_system, or add elasticsearch.serviceAccountToken when using service-account authentication. 
    $ sudo /usr/share/kibana/bin/kibana-keystore add elasticsearch.password
Enter value for elasticsearch.password: ********

    Remove any plain-text elasticsearch.password or elasticsearch.serviceAccountToken entries from /etc/kibana/kibana.yml after the value is stored in the keystore.

    Related: How to add a secret to a Kibana keystore

  5. Trust the Elasticsearch certificate authority when elasticsearch.hosts uses HTTPS. 
    elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/http-ca.crt"]

    elasticsearch.ssl.verificationMode defaults to full, which validates both the certificate chain and the host name. Use certificate only when the certificate chain is trusted but the endpoint name does not match, and reserve none for short-lived troubleshooting.

    Setting elasticsearch.ssl.verificationMode to none disables certificate validation and allows a man-in-the-middle to impersonate Elasticsearch.

  6. Restart the Kibana service so it reloads the updated connection settings. 
    $ sudo systemctl restart kibana

    Related: How to manage the Kibana service with systemctl in Linux

  7. Check the Kibana service state after the restart. 
    $ sudo systemctl status kibana --no-pager --full | head -n 12
● kibana.service - Kibana
     Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-04-02 14:18:45 UTC; 7s ago
       Docs: https://www.elastic.co
   Main PID: 8123 (node)
      Tasks: 11 (limit: 28486)
     Memory: 1007.4M (peak: 1.3G)
        CPU: 14.242s
##### snipped #####

    Use journalctl –unit=kibana –no-pager -n 50 when the service stays in a restart loop or never reaches active (running).

    Related: How to manage the Kibana service with systemctl in Linux

  8. Query the Kibana status API to confirm both overall readiness and the Elasticsearch core connection. 
    $ curl --silent --show-error --user elastic:password http://localhost:5601/api/status | jq '{overall: .status.overall, elasticsearch: .status.core.elasticsearch}'
{
  "overall": {
    "level": "available",
    "summary": "All services and plugins are available"
  },
  "elasticsearch": {
    "level": "available",
    "summary": "Elasticsearch is available",
    "meta": {
      "warningNodes": [],
      "incompatibleNodes": []
    }
  }
}

    Add the configured base path, HTTPS URL, or CA trust option when Kibana is not served from plain http://localhost:5601.

    Using --user user:password stores credentials in shell history; prefer --user user to prompt for the password or use an Authorization header when shell history is retained.

    Related: How to check Kibana status
    Related: How to configure the Kibana base path