Install Elasticsearch from archive on Linux or MacOS
editInstall Elasticsearch from archive on Linux or MacOS
editElasticsearch is available as a .tar.gz
archive for Linux and MacOS.
This package contains both free and subscription features. Start a 30-day trial to try out all of the features.
The latest stable version of Elasticsearch can be found on the Download Elasticsearch page. Other versions can be found on the Past Releases page.
Elasticsearch includes a bundled version of OpenJDK from the JDK maintainers (GPLv2+CE). To use your own version of Java, see the JVM version requirements
Download and install archive for Linux
editThe Linux archive for Elasticsearch v8.17.0 can be downloaded and installed as follows:
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.17.0-linux-x86_64.tar.gz wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.17.0-linux-x86_64.tar.gz.sha512 shasum -a 512 -c elasticsearch-8.17.0-linux-x86_64.tar.gz.sha512 tar -xzf elasticsearch-8.17.0-linux-x86_64.tar.gz cd elasticsearch-8.17.0/
Download and install archive for MacOS
editmacOS Gatekeeper warnings
Apple’s rollout of stricter notarization requirements affected the notarization of the 8.17.0 Elasticsearch artifacts. If macOS displays a dialog when you first run Elasticsearch that interrupts it, then you need to take an action to allow it to run.
To prevent Gatekeeper checks on the Elasticsearch files, run the following command on the downloaded .tar.gz archive or the directory to which was extracted:
xattr -d -r com.apple.quarantine <archive-or-directory>
Alternatively, you can add a security override by following the instructions in the If you want to open an app that hasn’t been notarized or is from an unidentified developer section of Safely open apps on your Mac.
The MacOS archive for Elasticsearch v8.17.0 can be downloaded and installed as follows:
curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.17.0-darwin-x86_64.tar.gz curl https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.17.0-darwin-x86_64.tar.gz.sha512 | shasum -a 512 -c - tar -xzf elasticsearch-8.17.0-darwin-x86_64.tar.gz cd elasticsearch-8.17.0/
Enable automatic creation of system indices
editSome commercial features automatically create indices within Elasticsearch.
By default, Elasticsearch is configured to allow automatic index creation, and no
additional steps are required. However, if you have disabled automatic index
creation in Elasticsearch, you must configure
action.auto_create_index
in elasticsearch.yml
to allow
the commercial features to create the following indices:
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
If you are using Logstash
or Beats then you will most likely
require additional index names in your action.auto_create_index
setting, and
the exact value will depend on your local configuration. If you are unsure of
the correct value for your environment, you may consider setting the value to
*
which will allow automatic creation of all indices.
Run Elasticsearch from the command line
editRun the following command to start Elasticsearch from the command line:
./bin/elasticsearch
When starting Elasticsearch for the first time, security features are enabled and configured by default. The following security configuration occurs automatically:
-
Authentication and authorization are enabled, and a password is generated for
the
elastic
built-in superuser. - Certificates and keys for TLS are generated for the transport and HTTP layer, and TLS is enabled and configured with these keys and certificates.
- An enrollment token is generated for Kibana, which is valid for 30 minutes.
The password for the elastic
user and the enrollment token for Kibana are
output to your terminal.
We recommend storing the elastic
password as an environment variable in your shell. Example:
export ELASTIC_PASSWORD="your_password"
If you have password-protected the Elasticsearch keystore, you will be prompted to enter the keystore’s password. See Secure settings for more details.
By default Elasticsearch prints its logs to the console (stdout
) and to the <cluster
name>.log
file within the logs directory. Elasticsearch logs some
information while it is starting, but after it has finished initializing it
will continue to run in the foreground and won’t log anything further until
something happens that is worth recording. While Elasticsearch is running you can
interact with it through its HTTP interface which is on port 9200
by default.
To stop Elasticsearch, press Ctrl-C
.
All scripts packaged with Elasticsearch require a version of Bash
that supports arrays and assume that Bash is available at /bin/bash
.
As such, Bash should be available at this path either directly or via a
symbolic link.
Enroll nodes in an existing cluster
editWhen Elasticsearch starts for the first time, the security auto-configuration process
binds the HTTP layer to 0.0.0.0
, but only binds the transport layer to
localhost. This intended behavior ensures that you can start
a single-node cluster with security enabled by default without any additional
configuration.
Before enrolling a new node, additional actions such as binding to an address
other than localhost
or satisfying bootstrap checks are typically necessary
in production clusters. During that time, an auto-generated enrollment token
could expire, which is why enrollment tokens aren’t generated automatically.
Additionally, only nodes on the same host can join the cluster without
additional configuration. If you want nodes from another host to join your
cluster, you need to set transport.host
to a
supported value
(such as uncommenting the suggested value of 0.0.0.0
), or an IP address
that’s bound to an interface where other hosts can reach it. Refer to
transport settings for more
information.
To enroll new nodes in your cluster, create an enrollment token with the
elasticsearch-create-enrollment-token
tool on any existing node in your
cluster. You can then start a new node with the --enrollment-token
parameter
so that it joins an existing cluster.
-
In a separate terminal from where Elasticsearch is running, navigate to the directory where you installed Elasticsearch and run the
elasticsearch-create-enrollment-token
tool to generate an enrollment token for your new nodes.bin/elasticsearch-create-enrollment-token -s node
Copy the enrollment token, which you’ll use to enroll new nodes with your Elasticsearch cluster.
-
From the installation directory of your new node, start Elasticsearch and pass the enrollment token with the
--enrollment-token
parameter.bin/elasticsearch --enrollment-token <enrollment-token>
Elasticsearch automatically generates certificates and keys in the following directory:
config/certs
- Repeat the previous step for any new nodes that you want to enroll.
Check that Elasticsearch is running
editYou can test that your Elasticsearch node is running by sending an HTTPS request to port
9200
on localhost
:
Ensure that you use
|
The call returns a response like this:
{ "name" : "Cp8oag6", "cluster_name" : "elasticsearch", "cluster_uuid" : "AT69_T_DTp-1qgIJlatQqA", "version" : { "number" : "8.17.0", "build_type" : "tar", "build_hash" : "f27399d", "build_flavor" : "default", "build_date" : "2016-03-30T09:51:41.449Z", "build_snapshot" : false, "lucene_version" : "9.12.0", "minimum_wire_compatibility_version" : "1.2.3", "minimum_index_compatibility_version" : "1.2.3" }, "tagline" : "You Know, for Search" }
Log printing to stdout
can be disabled using the -q
or --quiet
option on the command line.
Run as a daemon
editTo run Elasticsearch as a daemon, specify -d
on the command line, and record
the process ID in a file using the -p
option:
./bin/elasticsearch -d -p pid
If you have password-protected the Elasticsearch keystore, you will be prompted to enter the keystore’s password. See Secure settings for more details.
Log messages can be found in the $ES_HOME/logs/
directory.
To shut down Elasticsearch, kill the process ID recorded in the pid
file:
pkill -F pid
Configure Elasticsearch on the command line
editElasticsearch loads its configuration from the $ES_HOME/config/elasticsearch.yml
file by default. The format of this config file is explained in
Configuring Elasticsearch.
Any settings that can be specified in the config file can also be specified on
the command line, using the -E
syntax as follows:
./bin/elasticsearch -d -Ecluster.name=my_cluster -Enode.name=node_1
Typically, any cluster-wide settings (like cluster.name
) should be
added to the elasticsearch.yml
config file, while any node-specific settings
such as node.name
could be specified on the command line.
Connect clients to Elasticsearch
editWhen you start Elasticsearch for the first time, TLS is configured automatically for the HTTP layer. A CA certificate is generated and stored on disk at:
$ES_HOME/config/certs/http_ca.crt
The hex-encoded SHA-256 fingerprint of this certificate is also output to the terminal. Any clients that connect to Elasticsearch, such as the Elasticsearch Clients, Beats, standalone Elastic Agents, and Logstash must validate that they trust the certificate that Elasticsearch uses for HTTPS. Fleet Server and Fleet-managed Elastic Agents are automatically configured to trust the CA certificate. Other clients can establish trust by using either the fingerprint of the CA certificate or the CA certificate itself.
If the auto-configuration process already completed, you can still obtain the fingerprint of the security certificate. You can also copy the CA certificate to your machine and configure your client to use it.
Use the CA fingerprint
editCopy the fingerprint value that’s output to your terminal when Elasticsearch starts, and configure your client to use this fingerprint to establish trust when it connects to Elasticsearch.
If the auto-configuration process already completed, you can still obtain the fingerprint of the security certificate by running the following command. The path is to the auto-generated CA certificate for the HTTP layer.
openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt
The command returns the security certificate, including the fingerprint.
The issuer
should be Elasticsearch security auto-configuration HTTP CA
.
issuer= /CN=Elasticsearch security auto-configuration HTTP CA SHA256 Fingerprint=<fingerprint>
Use the CA certificate
editIf your library doesn’t support a method of validating the fingerprint, the auto-generated CA certificate is created in the following directory on each Elasticsearch node:
$ES_HOME/config/certs/http_ca.crt
Copy the http_ca.crt
file to your machine and configure your client to use this
certificate to establish trust when it connects to Elasticsearch.
Directory layout of archives
editThe archive distributions are entirely self-contained. All files and
directories are, by default, contained within $ES_HOME
— the directory
created when unpacking the archive.
This is very convenient because you don’t have to create any directories to
start using Elasticsearch, and uninstalling Elasticsearch is as easy as
removing the $ES_HOME
directory. However, it is advisable to change the
default locations of the config directory, the data directory, and the logs
directory so that you do not delete important data later on.
Type | Description | Default Location | Setting |
---|---|---|---|
home |
Elasticsearch home directory or |
Directory created by unpacking the archive |
|
bin |
Binary scripts including |
|
|
conf |
Configuration files including |
|
|
conf |
Generated TLS keys and certificates for the transport and HTTP layer. |
|
|
data |
The location of the data files of each index / shard allocated on the node. |
|
|
logs |
Log files location. |
|
|
plugins |
Plugin files location. Each plugin will be contained in a subdirectory. |
|
|
repo |
Shared file system repository locations. Can hold multiple locations. A file system repository can be placed in to any subdirectory of any directory specified here. |
Not configured |
|
Security certificates and keys
editWhen you install Elasticsearch, the following certificates and keys are generated in the Elasticsearch configuration directory, which are used to connect a Kibana instance to your secured Elasticsearch cluster and to encrypt internode communication. The files are listed here for reference.
-
http_ca.crt
- The CA certificate that is used to sign the certificates for the HTTP layer of this Elasticsearch cluster.
-
http.p12
- Keystore that contains the key and certificate for the HTTP layer for this node.
-
transport.p12
- Keystore that contains the key and certificate for the transport layer for all the nodes in your cluster.
http.p12
and transport.p12
are password-protected PKCS#12 keystores. Elasticsearch
stores the passwords for these keystores as secure
settings. To retrieve the passwords so that you can inspect or change the
keystore contents, use the
bin/elasticsearch-keystore
tool.
Use the following command to retrieve the password for http.p12
:
bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password
Use the following command to retrieve the password for transport.p12
:
bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
Next steps
editYou now have a test Elasticsearch environment set up. Before you start serious development or go into production with Elasticsearch, you must do some additional setup:
- Learn how to configure Elasticsearch.
- Configure important Elasticsearch settings.
- Configure important system settings.