Kibana
Overview
Kibana provides the visualization layer for Elasticsearch data, enabling log analysis, dashboard creation, and Fleet management.
Access
Features
Discover
Search and analyze log data:
- Select data view (index pattern)
- Set time range
- Build queries using KQL
- Save searches for reuse
Dashboards
Visualize data with:
- Time series charts
- Pie charts
- Data tables
- Maps
- Metrics
Fleet
Manage Elastic Agents:
- Agent policies
- Integrations
- Package management
Data Views
| Name | Pattern | Description |
|---|---|---|
| logs-* | logs-* | All log data |
| metrics-* | metrics-* | System metrics |
| filebeat-* | filebeat-* | Filebeat logs |
Creating Data View
- Go to Stack Management → Data Views
- Click "Create data view"
- Enter index pattern
- Select timestamp field
- Save
KQL Query Language
Basic Syntax

```
# Field equals value (quoted value = phrase match on that field)
kubernetes.namespace: "hub"

# Text field contains the term: on an analyzed text field this is a phrase
# match for the token "error"; on a keyword field it is an exact match
message: "error"

# Range query
response_time > 1000

# Combine with AND/OR (AND binds tighter than OR; use parentheses to group)
kubernetes.namespace: "hub" AND log.level: "error"
```

Common Queries

```
# Find errors in the last hour (date math on @timestamp; in Discover the
# time picker is the usual way to set this)
log.level: "error" AND @timestamp >= now-1h

# Specific pod logs. Wildcards only expand when the value is unquoted;
# "hub-api-*" in quotes matches a literal asterisk and returns nothing
kubernetes.pod.name: hub-api-*

# HTTP 5xx errors
http.response.status_code >= 500
```
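To make the quoting and precedence rules above concrete, here is a small translator from the KQL subset used on this page to Elasticsearch query DSL. It is an added example written for this page, not Kibana's own KQL implementation, and it is simplified: quoted values become `match_phrase`, unquoted values with `*` become `query_string`, plain unquoted values become `match`, comparison operators become `range` (date math such as `now-1h` is passed through, since Elasticsearch's range query understands it), and AND/OR/NOT become `bool` `filter`/`should`/`must_not` with KQL's precedence (NOT, then AND, then OR).

```python
"""Translate a subset of KQL into Elasticsearch query DSL.

Added example for this page; not Kibana's own parser. Supports
field:value (quoted/unquoted), unquoted wildcards, > >= < <=,
AND / OR / NOT (case-insensitive) and parentheses.
"""
import re

# Quoted strings, parentheses, comparison operators, ':' and bare words
# (bare words may contain '.', '@', '-', '*', so now-1h and hub-api-* survive).
_TOKEN = re.compile(r'"[^"]*"|\(|\)|>=|<=|>|<|:|[^\s():<>"]+')

_RANGE_OPS = {">": "gt", ">=": "gte", "<": "lt", "<=": "lte"}


def tokenize(query: str) -> list:
    return _TOKEN.findall(query)


def _scalar(raw: str):
    """Numbers become numbers; anything else (e.g. now-1h) stays a string."""
    for conv in (int, float):
        try:
            return conv(raw)
        except ValueError:
            pass
    return raw


class _Parser:
    def __init__(self, query: str):
        self.toks = tokenize(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def _peek_kw(self, kw: str) -> bool:
        tok = self.peek()
        return tok is not None and tok.upper() == kw

    def parse(self) -> dict:
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    # OR has the lowest precedence.
    def or_expr(self) -> dict:
        clauses = [self.and_expr()]
        while self._peek_kw("OR"):
            self.take()
            clauses.append(self.and_expr())
        if len(clauses) == 1:
            return clauses[0]
        return {"bool": {"should": clauses, "minimum_should_match": 1}}

    # AND binds tighter than OR.
    def and_expr(self) -> dict:
        clauses = [self.not_expr()]
        while self._peek_kw("AND"):
            self.take()
            clauses.append(self.not_expr())
        if len(clauses) == 1:
            return clauses[0]
        return {"bool": {"filter": clauses}}

    def not_expr(self) -> dict:
        if self._peek_kw("NOT"):
            self.take()
            return {"bool": {"must_not": self.not_expr()}}
        return self.primary()

    def primary(self) -> dict:
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = tok, self.take(), self.take()
        if op is None or value is None:
            raise ValueError(f"incomplete clause for field {field!r}")
        if op == ":":
            if value.startswith('"'):
                # Quoted value: phrase match. A '*' inside quotes is literal.
                return {"match_phrase": {field: value[1:-1]}}
            if "*" in value:
                # Unquoted wildcard is the only form KQL expands.
                return {"query_string": {"fields": [field], "query": value}}
            return {"match": {field: value}}
        if op in _RANGE_OPS:
            return {"range": {field: {_RANGE_OPS[op]: _scalar(value.strip('"'))}}}
        raise ValueError(f"unknown operator {op!r}")


def kql_to_dsl(query: str) -> dict:
    """Entry point: KQL string -> Elasticsearch query DSL dict."""
    return _Parser(query).parse()


if __name__ == "__main__":
    import json
    for q in ('kubernetes.pod.name: hub-api-*', 'kubernetes.pod.name: "hub-api-*"'):
        print(q, "->", json.dumps(kql_to_dsl(q)))
```

Running the two pod-name queries side by side shows the pitfall directly: the unquoted form produces a `query_string` with the wildcard, the quoted form a `match_phrase` for the literal string `hub-api-*`.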
Dashboards
Security Dashboards
| Dashboard | Description |
|---|---|
| Threat Intelligence | IOC matches and indicators |
| Network Security | Traffic analysis |
| Authentication | Login attempts |
Application Dashboards
| Dashboard | Description |
|---|---|
| Hub API Logs | API request/error logs |
| Nginx Access | Web server access logs |
| Container Logs | Kubernetes container logs |
Fleet Management
Agent Policies
| Policy | Agents | Integrations |
|---|---|---|
| Default | All nodes | System, Kubernetes |
| Security | All nodes | Threat Intel, Network |
Integrations
| Integration | Purpose |
|---|---|
| System | CPU, memory, disk, network |
| Kubernetes | Pod logs, metrics |
| Nginx | Web server logs |
| AlienVault OTX | Threat intelligence |
Alerting
Rule Types
| Type | Description |
|---|---|
| Elasticsearch query | Alert when a query (KQL, Lucene or query DSL) returns more/fewer hits than a threshold |
| Index threshold | Alert when an aggregated metric over an index crosses a threshold |
| Anomaly detection | Alert on ML anomaly scores (requires the machine learning feature) |
Creating Alert
- Go to Stack Management → Rules
- Click "Create rule"
- Select rule type
- Define conditions
- Configure actions (each action sends through a connector such as email, Slack or webhook, configured under Stack Management → Connectors)
- Save
Saved Objects
Exporting

```
# Export all dashboards, together with the objects they reference, to a file
curl -X POST "http://kibana:5601/api/saved_objects/_export" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -d '{"type": "dashboard", "includeReferencesDeep": true}' \
  -o export.ndjson
```

The response is NDJSON: one saved object per line, followed by a summary line with the export count. When security is enabled, the request also needs credentials (`-u user:password`, or an `Authorization: ApiKey ...` header); the `kbn-xsrf` header is required on every non-GET call to the Kibana API.

Importing

```
# Import saved objects into the current space; add ?overwrite=true to replace
# objects that already exist with the same id
curl -X POST "http://kibana:5601/api/saved_objects/_import" \
  -H "kbn-xsrf: true" \
  --form file=@export.ndjson
```

To import into a specific space, prefix the path with the space id: `/s/<space-id>/api/saved_objects/_import`.
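Before importing an export into another space or cluster it is worth checking that every reference in the file resolves, because the import API reports a `missing_references` error for any object whose referenced data view or visualization is neither in the file nor already present in the target. The following script is an added example written for this page, not part of Kibana; it reads the NDJSON format produced by `/api/saved_objects/_export` (objects with `id`, `type`, `attributes`, `references`, plus the trailing summary line) and reports unresolved references. The sample export embedded in it is constructed, with made-up ids such as `viz-1` and `dash-1`.

```python
"""Sanity-check a Kibana saved-objects export (NDJSON) before importing it.

Added example for this page; not Kibana code. Parses the export format
(one saved object per line plus an optional summary line) and resolves
each object's references against the file and a set of objects known
to exist in the target space.
"""
import json

# Constructed sample export (not real data): a dashboard referencing one
# visualization that is included and one that is not; the visualization
# in turn references a data view that is not included.
SAMPLE_EXPORT = "\n".join([
    json.dumps({
        "id": "viz-1", "type": "visualization",
        "attributes": {"title": "5xx by pod"},
        "references": [{"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
                        "type": "index-pattern", "id": "logs-star"}],
    }),
    json.dumps({
        "id": "dash-1", "type": "dashboard",
        "attributes": {"title": "Hub API Logs"},
        "references": [
            {"name": "panel_0", "type": "visualization", "id": "viz-1"},
            {"name": "panel_1", "type": "visualization", "id": "viz-missing"},
        ],
    }),
    # Summary line as written by the export API when export details are kept.
    json.dumps({"exportedCount": 2, "missingRefCount": 0, "missingReferences": []}),
])


def parse_export(ndjson: str):
    """Return (objects, summary). The summary is the line without an 'id'."""
    objects, summary = [], None
    for lineno, line in enumerate(ndjson.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)
        if "id" in obj and "type" in obj:
            objects.append(obj)
        elif "exportedCount" in obj:
            summary = obj
        else:
            raise ValueError(f"line {lineno}: neither a saved object nor a summary")
    return objects, summary


def unresolved_references(objects, present=frozenset()):
    """(owner type, owner id, ref type, ref id) for every reference whose
    target is neither in the file nor in `present` (objects already in the
    target space, as (type, id) tuples)."""
    have = {(o["type"], o["id"]) for o in objects} | set(present)
    missing = []
    for o in objects:
        for ref in o.get("references", []):
            if (ref["type"], ref["id"]) not in have:
                missing.append((o["type"], o["id"], ref["type"], ref["id"]))
    return missing


def strip_summary(ndjson: str) -> str:
    """Re-serialize only the objects, dropping the summary line (handy when
    feeding the file to tools that expect pure saved-object lines)."""
    objects, _ = parse_export(ndjson)
    return "\n".join(json.dumps(o) for o in objects) + "\n"


def check_export(ndjson: str, present=frozenset()) -> dict:
    objects, summary = parse_export(ndjson)
    types = sorted({o["type"] for o in objects})
    return {
        "objects": len(objects),
        "by_type": {t: sum(1 for o in objects if o["type"] == t) for t in types},
        "summary_count": summary["exportedCount"] if summary else None,
        "count_matches": summary is None or summary["exportedCount"] == len(objects),
        "unresolved": unresolved_references(objects, present),
    }


if __name__ == "__main__":
    # Assume the logs-* data view already exists in the target space.
    report = check_export(SAMPLE_EXPORT, present={("index-pattern", "logs-star")})
    print(json.dumps(report, indent=2))
```

With the data view declared present, the only unresolved reference left is `dash-1` → `viz-missing`; fix that by re-exporting with `includeReferencesDeep` or by importing the missing visualization first, rather than by importing with `overwrite` and hoping the panel renders.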
Spaces
Default Spaces
| Space | Purpose |
|---|---|
| Default | General dashboards |
| Security | Security analytics |
| Observability | Monitoring data |
API
Common Endpoints
| Endpoint | Description |
|---|---|
| /api/saved_objects | Manage saved objects (find, export, import) |
| /api/alerting/rule and /api/alerting/rules/_find | Create, update and search alert rules |
| /api/fleet/agents | List and manage Fleet agents |
| /api/data_views | Manage data views |

All endpoints require the `kbn-xsrf: true` header on non-GET requests and, when security is enabled, authentication. Prefix the path with `/s/<space-id>` to target a space other than Default.
Best Practices
- Use data views - Organize by data type
- Save searches - Reuse common queries
- Create index templates - Consistent mappings
- Set retention - Manage storage costs
- Use spaces - Separate by team/function