How to connect Kibana to Elasticsearch

Kibana needs a working Elasticsearch connection to power data views, dashboards, alerting, and stack monitoring. A correct backend URL and credentials prevent startup stalls such as the “Kibana server is not ready yet” loop and keep the UI usable for search and visualization work.

On package-based Linux installs, Kibana reads connection settings from /etc/kibana/kibana.yml and uses elasticsearch.hosts to reach the Elasticsearch HTTP API over HTTP or HTTPS. When security is enabled, Kibana authenticates with an internal identity (commonly kibana_system) for background operations such as saved objects migrations.

Connection failures usually come from mismatched schemes (http:// vs https://), missing trusted CA certificates, incorrect credentials, or blocked access to port 9200 between hosts. Secrets stored directly in /etc/kibana/kibana.yml are readable as plain text, so the Kibana keystore is a safer place for passwords and tokens.

Steps to connect Kibana to Elasticsearch:

Open /etc/kibana/kibana.yml for editing.
```
$ sudoedit /etc/kibana/kibana.yml
```
Set the elasticsearch.hosts list to the Elasticsearch HTTP endpoint.
```
elasticsearch.hosts: [https://localhost:9200]
```
Multiple nodes can be listed, or a load balancer URL can be used, as long as the scheme and port match the Elasticsearch HTTP listener.
Set elasticsearch.username to kibana_system when using built-in user authentication.
```
elasticsearch.username: "kibana_system"
```
Service account token authentication uses elasticsearch.serviceAccountToken instead of elasticsearch.username.
Store the elasticsearch.password secret in the Kibana keystore.
```
$ sudo -u kibana env KBN_PATH_CONF=/etc/kibana /usr/share/kibana/bin/kibana-keystore add elasticsearch.password
Enter value for elasticsearch.password: ********
```
Remove any elasticsearch.password entries from /etc/kibana/kibana.yml when the keystore is used to avoid leaving a plain-text password on disk.
Configure a trusted CA for Elasticsearch HTTPS connections.
```
elasticsearch.ssl.certificateAuthorities: [/etc/kibana/certs/http-ca.crt]
elasticsearch.ssl.verificationMode: full
```
Skip elasticsearch.ssl.* settings when elasticsearch.hosts uses http://, and ensure the CA file is readable by the kibana service account when https:// is used.

Setting elasticsearch.ssl.verificationMode to none disables certificate validation and allows man-in-the-middle interception of the Elasticsearch connection.
Restart the Kibana service to apply the configuration.
```
$ sudo systemctl restart kibana
```
Related: How to manage the Kibana service with systemctl in Linux

Check the Kibana service state after the restart.

$ sudo systemctl status kibana --no-pager --full | head -n 12
● kibana.service - Kibana
     Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-01-08 00:22:45 UTC; 12min ago
       Docs: https://www.elastic.co
   Main PID: 57170 (node)
      Tasks: 11 (limit: 28486)
     Memory: 1011.9M (peak: 1.4G)
        CPU: 34.864s
##### snipped #####

Confirm Kibana reports an available state from the status API.

$ curl --silent --show-error --cacert /etc/kibana/certs/kibana-ca.crt --user elastic:password "https://localhost:5601/kibana/api/status" | jq '.status.overall'
{
  "level": "available",
  "summary": "All services and plugins are available"
}

Use basic authentication if required, include the base path (server.basePath), and treat available as the healthy state.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.