Starting Elasticsearch
editStarting Elasticsearch
editThe method for starting Elasticsearch varies depending on how you installed it.
Archive packages (.tar.gz
)
editIf you installed Elasticsearch with a .tar.gz
package, you can start Elasticsearch from the
command line.
Run Elasticsearch from the command line
editRun the following command to start Elasticsearch from the command line:
./bin/elasticsearch
When starting Elasticsearch for the first time, security features are enabled and configured by default. The following security configuration occurs automatically:
-
Authentication and authorization are enabled, and a password is generated for
the
elastic
built-in superuser. - Certificates and keys for TLS are generated for the transport and HTTP layer, and TLS is enabled and configured with these keys and certificates.
- An enrollment token is generated for Kibana, which is valid for 30 minutes.
The password for the elastic
user and the enrollment token for Kibana are
output to your terminal. For example:
The generated password for the elastic built-in superuser is: <password> The enrollment token for Kibana instances, valid for the next 30 minutes: <enrollment-token> The hex-encoded SHA-256 fingerprint of the generated HTTPS CA DER-encoded certificate: <fingerprint> You can complete the following actions at any time: Reset the password of the elastic built-in superuser with 'bin/elasticsearch-reset-password -u elastic'. Generate an enrollment token for Kibana instances with 'bin/elasticsearch-create-enrollment-token -s kibana'. Generate an enrollment token for Elasticsearch nodes with 'bin/elasticsearch-create-enrollment-token -s node'.
If you have password-protected the Elasticsearch keystore, you will be prompted to enter the keystore’s password. See Secure settings for more details.
By default Elasticsearch prints its logs to the console (stdout
) and to the <cluster
name>.log
file within the logs directory. Elasticsearch logs some
information while it is starting, but after it has finished initializing it
will continue to run in the foreground and won’t log anything further until
something happens that is worth recording. While Elasticsearch is running you can
interact with it through its HTTP interface which is on port 9200
by default.
To stop Elasticsearch, press Ctrl-C
.
All scripts packaged with Elasticsearch require a version of Bash
that supports arrays and assume that Bash is available at /bin/bash
.
As such, Bash should be available at this path either directly or via a
symbolic link.
Enroll nodes in an existing cluster
editWhen Elasticsearch starts for the first time, the security auto-configuration process
binds the HTTP layer to 0.0.0.0
, but only binds the transport layer to
localhost. This intended behavior ensures that you can start
a single-node cluster with security enabled by default without any additional
configuration.
Before enrolling a new node, additional actions such as binding to an address
other than localhost
or satisfying bootstrap checks are typically necessary
in production clusters. During that time, an auto-generated enrollment token
could expire, which is why enrollment tokens aren’t generated automatically.
Additionally, only nodes on the same host can join the cluster without
additional configuration. If you want nodes from another host to join your
cluster, you need to set transport.host
to a
supported value
(such as uncommenting the suggested value of 0.0.0.0
), or an IP address
that’s bound to an interface where other hosts can reach it. Refer to
transport settings for more
information.
To enroll new nodes in your cluster, create an enrollment token with the
elasticsearch-create-enrollment-token
tool on any existing node in your
cluster. You can then start a new node with the --enrollment-token
parameter
so that it joins an existing cluster.
-
In a separate terminal from where Elasticsearch is running, navigate to the directory where you installed Elasticsearch and run the
elasticsearch-create-enrollment-token
tool to generate an enrollment token for your new nodes.bin/elasticsearch-create-enrollment-token -s node
Copy the enrollment token, which you’ll use to enroll new nodes with your Elasticsearch cluster.
-
From the installation directory of your new node, start Elasticsearch and pass the enrollment token with the
--enrollment-token
parameter.bin/elasticsearch --enrollment-token <enrollment-token>
Elasticsearch automatically generates certificates and keys in the following directory:
config/certs
- Repeat the previous step for any new nodes that you want to enroll.
Run as a daemon
editTo run Elasticsearch as a daemon, specify -d
on the command line, and record
the process ID in a file using the -p
option:
./bin/elasticsearch -d -p pid
If you have password-protected the Elasticsearch keystore, you will be prompted to enter the keystore’s password. See Secure settings for more details.
Log messages can be found in the $ES_HOME/logs/
directory.
To shut down Elasticsearch, kill the process ID recorded in the pid
file:
pkill -F pid
Archive packages (.zip
)
editIf you installed Elasticsearch on Windows with a .zip
package, you can start Elasticsearch from
the command line. If you want Elasticsearch to start automatically at boot time without
any user interaction, install Elasticsearch as a service.
Run Elasticsearch from the command line
editRun the following command to start Elasticsearch from the command line:
.\bin\elasticsearch.bat
When starting Elasticsearch for the first time, security features are enabled and configured by default. The following security configuration occurs automatically:
-
Authentication and authorization are enabled, and a password is generated for
the
elastic
built-in superuser. - Certificates and keys for TLS are generated for the transport and HTTP layer, and TLS is enabled and configured with these keys and certificates.
- An enrollment token is generated for Kibana, which is valid for 30 minutes.
The password for the elastic
user and the enrollment token for Kibana are
output to your terminal. For example:
The generated password for the elastic built-in superuser is: <password> The enrollment token for Kibana instances, valid for the next 30 minutes: <enrollment-token> The hex-encoded SHA-256 fingerprint of the generated HTTPS CA DER-encoded certificate: <fingerprint> You can complete the following actions at any time: Reset the password of the elastic built-in superuser with 'bin\elasticsearch-reset-password -u elastic'. Generate an enrollment token for Kibana instances with 'bin\elasticsearch-create-enrollment-token -s kibana'. Generate an enrollment token for Elasticsearch nodes with 'bin\elasticsearch-create-enrollment-token -s node'.
If you have password-protected the Elasticsearch keystore, you will be prompted to enter the keystore’s password. See Secure settings for more details.
By default Elasticsearch prints its logs to the console (STDOUT
) and to the <cluster
name>.log
file within the logs directory. Elasticsearch logs some
information while it is starting, but after it has finished initializing it
will continue to run in the foreground and won’t log anything further until
something happens that is worth recording. While Elasticsearch is running you can
interact with it through its HTTP interface which is on port 9200
by default.
To stop Elasticsearch, press Ctrl-C
.
Enroll nodes in an existing cluster
editWhen Elasticsearch starts for the first time, the security auto-configuration process
binds the HTTP layer to 0.0.0.0
, but only binds the transport layer to
localhost. This intended behavior ensures that you can start
a single-node cluster with security enabled by default without any additional
configuration.
Before enrolling a new node, additional actions such as binding to an address
other than localhost
or satisfying bootstrap checks are typically necessary
in production clusters. During that time, an auto-generated enrollment token
could expire, which is why enrollment tokens aren’t generated automatically.
Additionally, only nodes on the same host can join the cluster without
additional configuration. If you want nodes from another host to join your
cluster, you need to set transport.host
to a
supported value
(such as uncommenting the suggested value of 0.0.0.0
), or an IP address
that’s bound to an interface where other hosts can reach it. Refer to
transport settings for more
information.
To enroll new nodes in your cluster, create an enrollment token with the
elasticsearch-create-enrollment-token
tool on any existing node in your
cluster. You can then start a new node with the --enrollment-token
parameter
so that it joins an existing cluster.
-
In a separate terminal from where Elasticsearch is running, navigate to the directory where you installed Elasticsearch and run the
elasticsearch-create-enrollment-token
tool to generate an enrollment token for your new nodes.bin\elasticsearch-create-enrollment-token -s node
Copy the enrollment token, which you’ll use to enroll new nodes with your Elasticsearch cluster.
-
From the installation directory of your new node, start Elasticsearch and pass the enrollment token with the
--enrollment-token
parameter.bin\elasticsearch --enrollment-token <enrollment-token>
Elasticsearch automatically generates certificates and keys in the following directory:
config\certs
- Repeat the previous step for any new nodes that you want to enroll.
Debian packages
editRunning Elasticsearch with systemd
editTo configure Elasticsearch to start automatically when the system boots up, run the following commands:
sudo /bin/systemctl daemon-reload sudo /bin/systemctl enable elasticsearch.service
Elasticsearch can be started and stopped as follows:
sudo systemctl start elasticsearch.service sudo systemctl stop elasticsearch.service
These commands provide no feedback as to whether Elasticsearch was started
successfully or not. Instead, this information will be written in the log
files located in /var/log/elasticsearch/
.
If you have password-protected your Elasticsearch keystore, you will need to provide
systemd
with the keystore password using a local file and systemd environment
variables. This local file should be protected while it exists and may be
safely deleted once Elasticsearch is up and running.
echo "keystore_password" > /path/to/my_pwd_file.tmp chmod 600 /path/to/my_pwd_file.tmp sudo systemctl set-environment ES_KEYSTORE_PASSPHRASE_FILE=/path/to/my_pwd_file.tmp sudo systemctl start elasticsearch.service
By default the Elasticsearch service doesn’t log information in the systemd
journal. To enable journalctl
logging, the --quiet
option must be removed
from the ExecStart
command line in the elasticsearch.service
file.
When systemd
logging is enabled, the logging information are available using
the journalctl
commands:
To tail the journal:
sudo journalctl -f
To list journal entries for the elasticsearch service:
sudo journalctl --unit elasticsearch
To list journal entries for the elasticsearch service starting from a given time:
sudo journalctl --unit elasticsearch --since "2016-10-30 18:17:16"
Check man journalctl
or https://www.freedesktop.org/software/systemd/man/journalctl.html for
more command line options.
Startup timeouts with older systemd
versions
By default Elasticsearch sets the TimeoutStartSec
parameter to systemd
to 900s
. If
you are running at least version 238 of systemd
then Elasticsearch can automatically
extend the startup timeout, and will do so repeatedly until startup is complete
even if it takes longer than 900s.
Versions of systemd
prior to 238 do not support the timeout extension
mechanism and will terminate the Elasticsearch process if it has not fully started up
within the configured timeout. If this happens, Elasticsearch will report in its logs
that it was shut down normally a short time after it started:
[2022-01-31T01:22:31,077][INFO ][o.e.n.Node ] [instance-0000000123] starting ... ... [2022-01-31T01:37:15,077][INFO ][o.e.n.Node ] [instance-0000000123] stopping ...
However the systemd
logs will report that the startup timed out:
Jan 31 01:22:30 debian systemd[1]: Starting Elasticsearch... Jan 31 01:37:15 debian systemd[1]: elasticsearch.service: Start operation timed out. Terminating. Jan 31 01:37:15 debian systemd[1]: elasticsearch.service: Main process exited, code=killed, status=15/TERM Jan 31 01:37:15 debian systemd[1]: elasticsearch.service: Failed with result 'timeout'. Jan 31 01:37:15 debian systemd[1]: Failed to start Elasticsearch.
To avoid this, upgrade your systemd
to at least version 238. You can also
temporarily work around the problem by extending the TimeoutStartSec
parameter.
Docker images
editIf you installed a Docker image, you can start Elasticsearch from the command line. There are different methods depending on whether you’re using development mode or production mode. See Docker Run.
RPM packages
editRunning Elasticsearch with systemd
editTo configure Elasticsearch to start automatically when the system boots up, run the following commands:
sudo /bin/systemctl daemon-reload sudo /bin/systemctl enable elasticsearch.service
Elasticsearch can be started and stopped as follows:
sudo systemctl start elasticsearch.service sudo systemctl stop elasticsearch.service
These commands provide no feedback as to whether Elasticsearch was started
successfully or not. Instead, this information will be written in the log
files located in /var/log/elasticsearch/
.
If you have password-protected your Elasticsearch keystore, you will need to provide
systemd
with the keystore password using a local file and systemd environment
variables. This local file should be protected while it exists and may be
safely deleted once Elasticsearch is up and running.
echo "keystore_password" > /path/to/my_pwd_file.tmp chmod 600 /path/to/my_pwd_file.tmp sudo systemctl set-environment ES_KEYSTORE_PASSPHRASE_FILE=/path/to/my_pwd_file.tmp sudo systemctl start elasticsearch.service
By default the Elasticsearch service doesn’t log information in the systemd
journal. To enable journalctl
logging, the --quiet
option must be removed
from the ExecStart
command line in the elasticsearch.service
file.
When systemd
logging is enabled, the logging information are available using
the journalctl
commands:
To tail the journal:
sudo journalctl -f
To list journal entries for the elasticsearch service:
sudo journalctl --unit elasticsearch
To list journal entries for the elasticsearch service starting from a given time:
sudo journalctl --unit elasticsearch --since "2016-10-30 18:17:16"
Check man journalctl
or https://www.freedesktop.org/software/systemd/man/journalctl.html for
more command line options.
Startup timeouts with older systemd
versions
By default Elasticsearch sets the TimeoutStartSec
parameter to systemd
to 900s
. If
you are running at least version 238 of systemd
then Elasticsearch can automatically
extend the startup timeout, and will do so repeatedly until startup is complete
even if it takes longer than 900s.
Versions of systemd
prior to 238 do not support the timeout extension
mechanism and will terminate the Elasticsearch process if it has not fully started up
within the configured timeout. If this happens, Elasticsearch will report in its logs
that it was shut down normally a short time after it started:
[2022-01-31T01:22:31,077][INFO ][o.e.n.Node ] [instance-0000000123] starting ... ... [2022-01-31T01:37:15,077][INFO ][o.e.n.Node ] [instance-0000000123] stopping ...
However the systemd
logs will report that the startup timed out:
Jan 31 01:22:30 debian systemd[1]: Starting Elasticsearch... Jan 31 01:37:15 debian systemd[1]: elasticsearch.service: Start operation timed out. Terminating. Jan 31 01:37:15 debian systemd[1]: elasticsearch.service: Main process exited, code=killed, status=15/TERM Jan 31 01:37:15 debian systemd[1]: elasticsearch.service: Failed with result 'timeout'. Jan 31 01:37:15 debian systemd[1]: Failed to start Elasticsearch.
To avoid this, upgrade your systemd
to at least version 238. You can also
temporarily work around the problem by extending the TimeoutStartSec
parameter.