- Elasticsearch Guide: other versions:
- What is Elasticsearch?
- What’s new in 7.14
- Quick start
- Set up Elasticsearch
- Installing Elasticsearch
- Configuring Elasticsearch
- Important Elasticsearch configuration
- Secure settings
- Auditing settings
- Circuit breaker settings
- Cluster-level shard allocation and routing settings
- Cross-cluster replication settings
- Discovery and cluster formation settings
- Field data cache settings
- Index lifecycle management settings
- Index management settings
- Index recovery settings
- Indexing buffer settings
- License settings
- Local gateway settings
- Logging
- Machine learning settings
- Monitoring settings
- Node
- Networking
- Node query cache settings
- Search settings
- Security settings
- Shard request cache settings
- Snapshot lifecycle management settings
- Transforms settings
- Thread pools
- Watcher settings
- Advanced configuration
- Important System Configuration
- Bootstrap Checks
- Heap size check
- File descriptor check
- Memory lock check
- Maximum number of threads check
- Max file size check
- Maximum size virtual memory check
- Maximum map count check
- Client JVM check
- Use serial collector check
- System call filter check
- OnError and OnOutOfMemoryError checks
- Early-access check
- G1GC check
- All permission check
- Discovery configuration check
- Bootstrap Checks for X-Pack
- Starting Elasticsearch
- Stopping Elasticsearch
- Discovery and cluster formation
- Add and remove nodes in your cluster
- Full-cluster restart and rolling restart
- Remote clusters
- Set up X-Pack
- Configuring X-Pack Java Clients
- Plugins
- Upgrade Elasticsearch
- Index modules
- Mapping
- Text analysis
- Overview
- Concepts
- Configure text analysis
- Built-in analyzer reference
- Tokenizer reference
- Token filter reference
- Apostrophe
- ASCII folding
- CJK bigram
- CJK width
- Classic
- Common grams
- Conditional
- Decimal digit
- Delimited payload
- Dictionary decompounder
- Edge n-gram
- Elision
- Fingerprint
- Flatten graph
- Hunspell
- Hyphenation decompounder
- Keep types
- Keep words
- Keyword marker
- Keyword repeat
- KStem
- Length
- Limit token count
- Lowercase
- MinHash
- Multiplexer
- N-gram
- Normalization
- Pattern capture
- Pattern replace
- Phonetic
- Porter stem
- Predicate script
- Remove duplicates
- Reverse
- Shingle
- Snowball
- Stemmer
- Stemmer override
- Stop
- Synonym
- Synonym graph
- Trim
- Truncate
- Unique
- Uppercase
- Word delimiter
- Word delimiter graph
- Character filters reference
- Normalizers
- Index templates
- Data streams
- Ingest pipelines
- Example: Parse logs
- Enrich your data
- Processor reference
- Append
- Bytes
- Circle
- Community ID
- Convert
- CSV
- Date
- Date index name
- Dissect
- Dot expander
- Drop
- Enrich
- Fail
- Fingerprint
- Foreach
- GeoIP
- Grok
- Gsub
- HTML strip
- Inference
- Join
- JSON
- KV
- Lowercase
- Network direction
- Pipeline
- Registered domain
- Remove
- Rename
- Script
- Set
- Set security user
- Sort
- Split
- Trim
- Uppercase
- URL decode
- URI parts
- User agent
- Aliases
- Search your data
- Query DSL
- Aggregations
- Bucket aggregations
- Adjacency matrix
- Auto-interval date histogram
- Children
- Composite
- Date histogram
- Date range
- Diversified sampler
- Filter
- Filters
- Geo-distance
- Geohash grid
- Geotile grid
- Global
- Histogram
- IP range
- Missing
- Multi Terms
- Nested
- Parent
- Range
- Rare terms
- Reverse nested
- Sampler
- Significant terms
- Significant text
- Terms
- Variable width histogram
- Subtleties of bucketing range fields
- Metrics aggregations
- Pipeline aggregations
- Average bucket
- Bucket script
- Bucket count K-S test
- Bucket correlation
- Bucket selector
- Bucket sort
- Cumulative cardinality
- Cumulative sum
- Derivative
- Extended stats bucket
- Inference bucket
- Max bucket
- Min bucket
- Moving average
- Moving function
- Moving percentiles
- Normalize
- Percentiles bucket
- Serial differencing
- Stats bucket
- Sum bucket
- Bucket aggregations
- EQL
- SQL
- Overview
- Getting Started with SQL
- Conventions and Terminology
- Security
- SQL REST API
- SQL Translate API
- SQL CLI
- SQL JDBC
- SQL ODBC
- SQL Client Applications
- SQL Language
- Functions and Operators
- Comparison Operators
- Logical Operators
- Math Operators
- Cast Operators
- LIKE and RLIKE Operators
- Aggregate Functions
- Grouping Functions
- Date/Time and Interval Functions and Operators
- Full-Text Search Functions
- Mathematical Functions
- String Functions
- Type Conversion Functions
- Geo Functions
- Conditional Functions And Expressions
- System Functions
- Reserved keywords
- SQL Limitations
- Scripting
- Data management
- ILM: Manage the index lifecycle
- Overview
- Concepts
- Automate rollover
- Customize built-in ILM policies
- Index lifecycle actions
- Configure a lifecycle policy
- Migrate index allocation filters to node roles
- Troubleshooting index lifecycle management errors
- Start and stop index lifecycle management
- Manage existing indices
- Skip rollover
- Restore a managed data stream or index
- Autoscaling
- Monitor a cluster
- Roll up or transform your data
- Set up a cluster for high availability
- Snapshot and restore
- Secure the Elastic Stack
- Elasticsearch security principles
- Configuring security
- Updating node security certificates
- User authentication
- Built-in users
- Service accounts
- Internal users
- Token-based authentication services
- Realms
- Realm chains
- Active Directory user authentication
- File-based user authentication
- LDAP user authentication
- Native user authentication
- OpenID Connect authentication
- PKI user authentication
- SAML authentication
- Kerberos authentication
- Integrating with other authentication systems
- Enabling anonymous access
- Controlling the user cache
- Configuring SAML single-sign-on on the Elastic Stack
- Configuring single sign-on to the Elastic Stack using OpenID Connect
- User authorization
- Built-in roles
- Defining roles
- Granting access to Stack Management features
- Security privileges
- Document level security
- Field level security
- Granting privileges for data streams and aliases
- Mapping users and groups to roles
- Setting up field and document level security
- Submitting requests on behalf of other users
- Configuring authorization delegation
- Customizing roles and authorization
- Enable audit logging
- Restricting connections with IP filtering
- Cross cluster search, clients, and integrations
- Operator privileges
- Troubleshooting
- Some settings are not returned via the nodes settings API
- Authorization exceptions
- Users command fails due to extra arguments
- Users are frequently locked out of Active Directory
- Certificate verification fails for curl on Mac
- SSLHandshakeException causes connections to fail
- Common SSL/TLS exceptions
- Common Kerberos exceptions
- Common SAML issues
- Internal Server Error in Kibana
- Setup-passwords command fails due to connection failure
- Failures due to relocation of the configuration files
- Limitations
- Watcher
- Command line tools
- How to
- REST APIs
- API conventions
- Autoscaling APIs
- Compact and aligned text (CAT) APIs
- cat aliases
- cat allocation
- cat anomaly detectors
- cat count
- cat data frame analytics
- cat datafeeds
- cat fielddata
- cat health
- cat indices
- cat master
- cat nodeattrs
- cat nodes
- cat pending tasks
- cat plugins
- cat recovery
- cat repositories
- cat segments
- cat shards
- cat snapshots
- cat task management
- cat templates
- cat thread pool
- cat trained model
- cat transforms
- Cluster APIs
- Cluster allocation explain
- Cluster get settings
- Cluster health
- Cluster reroute
- Cluster state
- Cluster stats
- Cluster update settings
- Nodes feature usage
- Nodes hot threads
- Nodes info
- Nodes reload secure settings
- Nodes stats
- Pending cluster tasks
- Remote cluster info
- Task management
- Voting configuration exclusions
- Cross-cluster replication APIs
- Data stream APIs
- Document APIs
- Enrich APIs
- EQL APIs
- Features APIs
- Fleet APIs
- Find structure API
- Graph explore API
- Index APIs
- Alias exists
- Aliases
- Analyze
- Clear cache
- Clone index
- Close index
- Create index
- Create or update alias
- Create or update component template
- Create or update index template
- Create or update index template (legacy)
- Delete component template
- Delete dangling index
- Delete alias
- Delete index
- Delete index template
- Delete index template (legacy)
- Exists
- Flush
- Force merge
- Freeze index
- Get alias
- Get component template
- Get field mapping
- Get index
- Get index settings
- Get index template
- Get index template (legacy)
- Get mapping
- Import dangling index
- Index recovery
- Index segments
- Index shard stores
- Index stats
- Index template exists (legacy)
- List dangling indices
- Open index
- Refresh
- Resolve index
- Rollover
- Shrink index
- Simulate index
- Simulate template
- Split index
- Synced flush
- Type exists
- Unfreeze index
- Update index settings
- Update mapping
- Index lifecycle management APIs
- Ingest APIs
- Info API
- Licensing APIs
- Logstash APIs
- Machine learning anomaly detection APIs
- Add events to calendar
- Add jobs to calendar
- Close jobs
- Create jobs
- Create calendars
- Create datafeeds
- Create filters
- Delete calendars
- Delete datafeeds
- Delete events from calendar
- Delete filters
- Delete forecasts
- Delete jobs
- Delete jobs from calendar
- Delete model snapshots
- Delete expired data
- Estimate model memory
- Find file structure
- Flush jobs
- Forecast jobs
- Get buckets
- Get calendars
- Get categories
- Get datafeeds
- Get datafeed statistics
- Get influencers
- Get jobs
- Get job statistics
- Get machine learning info
- Get model snapshots
- Get overall buckets
- Get scheduled events
- Get filters
- Get records
- Open jobs
- Post data to jobs
- Preview datafeeds
- Reset jobs
- Revert model snapshots
- Set upgrade mode
- Start datafeeds
- Stop datafeeds
- Update datafeeds
- Update filters
- Update jobs
- Update model snapshots
- Upgrade model snapshots
- Machine learning data frame analytics APIs
- Create data frame analytics jobs
- Create or update trained model aliases
- Create trained models
- Update data frame analytics jobs
- Delete data frame analytics jobs
- Delete trained models
- Delete trained model aliases
- Evaluate data frame analytics
- Explain data frame analytics
- Get data frame analytics jobs
- Get data frame analytics jobs stats
- Get trained models
- Get trained models stats
- Preview data frame analytics
- Start data frame analytics jobs
- Stop data frame analytics jobs
- Migration APIs
- Reload search analyzers API
- Repositories metering APIs
- Rollup APIs
- Script APIs
- Search APIs
- Searchable snapshots APIs
- Security APIs
- Authenticate
- Change passwords
- Clear cache
- Clear roles cache
- Clear privileges cache
- Clear API key cache
- Clear service account token caches
- Create API keys
- Create or update application privileges
- Create or update role mappings
- Create or update roles
- Create or update users
- Create service account tokens
- Delegate PKI authentication
- Delete application privileges
- Delete role mappings
- Delete roles
- Delete service account token
- Delete users
- Disable users
- Enable users
- Get API key information
- Get application privileges
- Get builtin privileges
- Get role mappings
- Get roles
- Get service accounts
- Get service account credentials
- Get token
- Get user privileges
- Get users
- Grant API keys
- Has privileges
- Invalidate API key
- Invalidate token
- OpenID Connect prepare authentication
- OpenID Connect authenticate
- OpenID Connect logout
- SAML prepare authentication
- SAML authenticate
- SAML logout
- SAML invalidate
- SAML complete logout
- SAML service provider metadata
- SSL certificate
- Snapshot and restore APIs
- Snapshot lifecycle management APIs
- SQL APIs
- Transform APIs
- Usage API
- Watcher APIs
- Definitions
- Migration guide
- Release notes
- Elasticsearch version 7.14.2
- Elasticsearch version 7.14.1
- Elasticsearch version 7.14.0
- Elasticsearch version 7.13.4
- Elasticsearch version 7.13.3
- Elasticsearch version 7.13.2
- Elasticsearch version 7.13.1
- Elasticsearch version 7.13.0
- Elasticsearch version 7.12.1
- Elasticsearch version 7.12.0
- Elasticsearch version 7.11.2
- Elasticsearch version 7.11.1
- Elasticsearch version 7.11.0
- Elasticsearch version 7.10.2
- Elasticsearch version 7.10.1
- Elasticsearch version 7.10.0
- Elasticsearch version 7.9.3
- Elasticsearch version 7.9.2
- Elasticsearch version 7.9.1
- Elasticsearch version 7.9.0
- Elasticsearch version 7.8.1
- Elasticsearch version 7.8.0
- Elasticsearch version 7.7.1
- Elasticsearch version 7.7.0
- Elasticsearch version 7.6.2
- Elasticsearch version 7.6.1
- Elasticsearch version 7.6.0
- Elasticsearch version 7.5.2
- Elasticsearch version 7.5.1
- Elasticsearch version 7.5.0
- Elasticsearch version 7.4.2
- Elasticsearch version 7.4.1
- Elasticsearch version 7.4.0
- Elasticsearch version 7.3.2
- Elasticsearch version 7.3.1
- Elasticsearch version 7.3.0
- Elasticsearch version 7.2.1
- Elasticsearch version 7.2.0
- Elasticsearch version 7.1.1
- Elasticsearch version 7.1.0
- Elasticsearch version 7.0.0
- Elasticsearch version 7.0.0-rc2
- Elasticsearch version 7.0.0-rc1
- Elasticsearch version 7.0.0-beta1
- Elasticsearch version 7.0.0-alpha2
- Elasticsearch version 7.0.0-alpha1
- Dependencies and versions
Update certificates with the same CA
editUpdate certificates with the same CA
editThis procedure assumes that the you have access to the CA certificate and key that was originally generated (or otherwise held by your organization) and used to sign the node certificates currently in use. It also assumes that the clients connecting to Elasticsearch on the HTTP layer are configured to trust the CA certificate.
If you have access to the CA used to sign your existing certificates, you only need to replace the certificates and keys for each node in your cluster. If you replace your existing certificates and keys on each node and use the same filenames, Elasticsearch reloads the files starts using the new certificates and keys.
You don’t have to restart each node, but doing so forces new TLS connections and is a recommended practice when updating certificates. Therefore, the following steps include a node restart after updating each certificate.
The following steps provide instructions for generating new node certificates and keys for both the transport layer and the HTTP layer. You might only need to replace one of these layer’s certificates depending on which of your certificates are expiring.
If your keystore is password protected, the password is stored in the Elasticsearch secure settings, and the password needs to change, then you must perform a rolling restart on your cluster. You must also use a different file name for the keystore so that Elasticsearch doesn’t reload the file before the node is restarted.
If your CA has changed, complete the steps in update security certificates with a different CA.
Generate a new certificate for the transport layer
editThe following examples use PKCS#12 files, but the same steps apply to JKS keystores.
-
Open the
ES_PATH_CONF/elasticsearch.yml
file and check the names and locations of the keystores that are currently in use. You’ll use the same names for your new certificate.In this example, the keystore and truststore are pointing to different files. Your configuration might use the same file that contains the certificate and CA. In this case, include the path to that file for both the keystore and truststore.
These instructions assume that the provided certificate is signed by a trusted CA and the verification mode is set to
certificate
. This setting ensures that nodes to not attempt to perform hostname verification.xpack.security.transport.ssl.keystore.path: config/elastic-certificates.p12 xpack.security.transport.ssl.keystore.type: PKCS12 xpack.security.transport.ssl.truststore.path: config/elastic-stack-ca.p12 xpack.security.transport.ssl.truststore.type: PKCS12 xpack.security.transport.ssl.verification_mode: certificate
-
Using your existing CA, generate a keystore for your nodes. You must use the CA that was used to sign the certificate currently in use.
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Command parameters
-
--ca <ca_file>
-
Name of the CA keystore used to sign your certificates.
If you used the
elasticsearch-certutil
tool to generate your existing CA, the keystore name defaults toelastic-stack-ca.p12
.
-
Enter a name for the output file or accept the default of
elastic-certificates.p12
. - When prompted, enter a password for the node keystore.
-
-
If you entered a password when creating the node keystore that is different from the current keystore password, run the following command to store the password in the Elasticsearch keystore:
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
-
On the current node in your cluster where you’re updating the keystore, start a rolling restart.
Stop at the step indicating Perform any needed changes, and then proceed to the next step in this procedure.
-
Replace your existing keystore with the new keystore, ensuring that the file names match. For example,
elastic-certificates.p12
.If your keystore password is changing, then save the keystore with a new filename so that Elasticsearch doesn’t attempt to reload the file before you update the password.
-
If you needed to save the new keystore with a new filename, update the
ES_PATH_CONF/elasticsearch.yml
file to use the filename of the new keystore. For example:xpack.security.transport.ssl.keystore.path: config/elastic-certificates.p12 xpack.security.transport.ssl.keystore.type: PKCS12 xpack.security.transport.ssl.truststore.path: config/elastic-stack-ca.p12 xpack.security.transport.ssl.truststore.type: PKCS12
- Start the node where you updated the keystore.
-
(Optional) Use the SSL certificate API to verify that Elasticsearch loaded the new keystore.
GET /_ssl/certificates
-
If you’re only updating certificates for the transport layer (and not the HTTP layer), then complete step 4 through step 8 one node at a time until you’ve updated all keystores in your cluster. You can then complete the remaining steps for a rolling restart.
Otherwise, do not complete a rolling restart. Instead, proceed to the steps for generating a new certificate for the HTTP layer.
What’s next?
editWell done! You’ve updated the keystore for the transport layer. You can also update the keystore for the HTTP layer if necessary. If you’re not updating the keystore for the HTTP layer, then you’re all set.
Generate a new certificate for the HTTP layer
editOther components such as Kibana or any of the Elastic language clients verify this certificate when they connect to Elasticsearch.
If your organization has its own CA, you’ll need to generate Certificate Signing Requests (CSRs). CSRs contain information that your CA uses to generate and sign a certificate.
-
On any node in your cluster where Elasticsearch is installed, run the Elasticsearch HTTP certificate tool.
./bin/elasticsearch-certutil http
This command generates a
.zip
file that contains certificates and keys to use with Elasticsearch and Kibana. Each folder contains aREADME.txt
explaining how to use these files.-
When asked if you want to generate a CSR, enter
n
. -
When asked if you want to use an existing CA, enter
y
. -
Enter the absolute path to your CA, such as the path to the
elastic-stack-ca.p12
file. - Enter the password for your CA.
-
Enter an expiration value for your certificate. You can enter the
validity period in years, months, or days. For example, enter
1y
for one year. -
When asked if you want to generate one certificate per node, enter
y
.Each certificate will have its own private key, and will be issued for a specific hostname or IP address.
-
When prompted, enter the name of the first node in your cluster. It’s
helpful to use the same node name as the value for the
node.name
parameter in theelasticsearch.yml
file. -
Enter all hostnames used to connect to your first node. These hostnames will be added as DNS names in the Subject Alternative Name (SAN) field in your certificate.
List every hostname and variant used to connect to your cluster over HTTPS.
- Enter the IP addresses that clients can use to connect to your node.
- Repeat these steps for each additional node in your cluster.
-
When asked if you want to generate a CSR, enter
- After generating a certificate for each of your nodes, enter a password for your private key when prompted.
-
Unzip the generated
elasticsearch-ssl-http.zip
file. This compressed file contains two directories; one each for Elasticsearch and Kibana. Within the/elasticsearch
directory is a directory for each node that you specified with its ownhttp.p12
file. For example:/node1 |_ README.txt |_ http.p12 |_ sample-elasticsearch.yml
/node2 |_ README.txt |_ http.p12 |_ sample-elasticsearch.yml
/node3 |_ README.txt |_ http.p12 |_ sample-elasticsearch.yml
-
If necessary, rename the
http.p12
file to match the name of your existing certificate for HTTP client communications. For example,node1-http.p12
. -
On the current node in your cluster where you’re updating the keystore, start a rolling restart.
Stop at the step indicating Perform any needed changes, and then proceed to the next step in this procedure.
-
Replace your existing keystore with the new keystore, ensuring that the file names match. For example,
node1-http.p12
.If your keystore password is changing, then save the keystore with a new filename so that Elasticsearch doesn’t attempt to reload the file before you update the password.
-
If you needed to save the new keystore with a new filename, update the
ES_PATH_CONF/elasticsearch.yml
file to use the filename of the new keystore. For example:xpack.security.http.ssl.enabled: true xpack.security.http.ssl.keystore.path: node1-http.p12
-
If your keystore password is changing, add the password for your private key to the secure settings in Elasticsearch.
./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
-
Start the node where you updated the keystore.
Use the cat nodes API to confirm that the node joined the cluster:
GET _cat/nodes
-
(Optional) Use the SSL certificate API to verify that Elasticsearch loaded the new keystore.
GET /_ssl/certificates
- One node at a time, complete step 5 through step 10 until you’ve updated all keystores in your cluster.
- Complete the remaining steps for a rolling restart, beginning with the step to Reenable shard allocation.
On this page