To install Elasticsearch on a Linux server, add Elastic’s official package repository, install the elasticsearch package (8.x bundles a secure JDK), set kernel and ulimit parameters, configure elasticsearch.yml (cluster.name, network.host, discovery.type), enable and start the systemd service, open ports 9200/9300, and verify with curl using the generated credentials and CA certificate.
Installing Elasticsearch on a Linux server gives you a powerful, fast, and scalable search and analytics engine for logs, metrics, and full‑text search. This guide shows you how to install and configure Elasticsearch step-by-step on Ubuntu/Debian and RHEL/CentOS/Rocky/Alma Linux, including security, performance tuning, and common troubleshooting tips.
What Is Elasticsearch and Why Deploy It on Linux?
Elasticsearch is a distributed search and analytics engine built on Apache Lucene. It powers log analytics, application search, observability, and security analytics at scale. Linux is the preferred platform because it offers strong performance, predictable resource management, and first-class support from Elastic’s official packages.
Prerequisites to Install Elasticsearch on Linux
- Supported OS: Ubuntu 20.04/22.04/24.04, Debian 11/12, RHEL/CentOS/Rocky/Alma 8/9.
- Resources: Minimum 2 vCPU and 4 GB RAM for testing. For production, 4+ vCPU and 8–32 GB RAM per node are common.
- Root or sudo privileges and outbound internet access to Elastic’s repository.
- Open ports: 9200 (HTTP) and 9300 (transport). Use a firewall to restrict access.
- Accurate time sync (Chrony or NTP) to prevent cluster issues.
- Hostname/FQDN set correctly (especially for multi-node clusters).
Install Elasticsearch on Ubuntu/Debian (Apt)
Elasticsearch 8.x ships with a secure JDK and enables security by default. Use the official Elastic APT repository for stable updates.
# 1) Update and install prerequisites
sudo apt update
sudo apt install -y apt-transport-https ca-certificates curl gnupg
# 2) Add Elastic GPG key and repository
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
# 3) Install Elasticsearch
sudo apt update
sudo apt install -y elasticsearch
# 4) Enable and start the service
sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch
# 5) Watch logs (first run prints security info)
sudo journalctl -u elasticsearch -f
On first start, Elasticsearch 8 generates the elastic user password and an HTTP CA certificate. These appear in the logs. If needed, reset the password interactively:
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i
Install Elasticsearch on RHEL/CentOS/Rocky/Alma (YUM/DNF)
Create the YUM/DNF repository and install the RPM package.
# 1) Create the Elastic repository
sudo tee /etc/yum.repos.d/elasticsearch.repo >/dev/null <<'EOF'
[elasticsearch-8.x]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
# 2) Install Elasticsearch
sudo dnf install -y elasticsearch || sudo yum install -y elasticsearch
# 3) Enable and start the service
sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch
# 4) Follow logs
sudo journalctl -u elasticsearch -f
If you need to reset the elastic user password later:
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i
Essential System Settings (All Linux)
Kernel and Limits
Configure the Linux memory map count and file descriptor limits so the bootstrap checks pass. Note that systemd does not read /etc/security/limits.d for services: the packaged elasticsearch.service unit already sets LimitNOFILE=65535 and LimitNPROC=4096, and the limits.d entries below only cover shells that run Elasticsearch tools as that user. To change a service limit, use a systemd drop-in (systemctl edit elasticsearch).
# Set vm.max_map_count
echo "vm.max_map_count=262144" | sudo tee /etc/sysctl.d/99-elasticsearch.conf
sudo sysctl --system
# Increase file descriptors and processes for the elasticsearch user
sudo tee -a /etc/security/limits.d/90-elasticsearch.conf >/dev/null <<'EOF'
elasticsearch soft nofile 65535
elasticsearch hard nofile 65535
elasticsearch soft nproc 4096
elasticsearch hard nproc 4096
EOF
# Optional: allow memory locking for bootstrap.memory_lock: true (drop-in override;
# systemctl edit opens an interactive editor, so write the drop-in file directly)
sudo mkdir -p /etc/systemd/system/elasticsearch.service.d
sudo tee /etc/systemd/system/elasticsearch.service.d/override.conf >/dev/null <<'EOF'
[Service]
LimitMEMLOCK=infinity
EOF
sudo systemctl daemon-reload
Firewall Rules
Restrict access to trusted hosts, especially for production clusters. The rules below admit only an example private subnet (10.0.0.0/24, adjust to yours) instead of opening the ports to every source; 9300 should only ever be reachable from other cluster nodes.
# UFW (Ubuntu/Debian)
sudo ufw allow from 10.0.0.0/24 to any port 9200 proto tcp
sudo ufw allow from 10.0.0.0/24 to any port 9300 proto tcp
# firewalld (RHEL/Rocky/Alma)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="9200" protocol="tcp" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="9300" protocol="tcp" accept'
sudo firewall-cmd --reload
Configure Elasticsearch (Single Node or Cluster)
Edit /etc/elasticsearch/elasticsearch.yml. For a development or single-node server, use discovery.type: single-node. For production clusters, define seed hosts and initial master nodes. Note that 8.x requires TLS on the transport layer (port 9300) and the certificates generated on first start cover only that node, so join further nodes with an enrollment token (elasticsearch-create-enrollment-token -s node on an existing node, then elasticsearch-reconfigure-node --enrollment-token <token> on the new one) or generate your own certificates with elasticsearch-certutil.
sudo cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.bak
sudo nano /etc/elasticsearch/elasticsearch.yml
# Example: single-node (dev/test)
cluster.name: my-es-dev
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0   # binds every interface; use 127.0.0.1 if only local clients need access
http.port: 9200
discovery.type: single-node
# Example: multi-node (production)
cluster.name: prod-es-cluster
node.name: es-node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 10.0.0.10
http.port: 9200
discovery.seed_hosts: ["10.0.0.10","10.0.0.11","10.0.0.12"]
cluster.initial_master_nodes: ["es-node-1","es-node-2","es-node-3"]
Restart the service after changes:
sudo systemctl restart elasticsearch
sudo systemctl status elasticsearch --no-pager
Set Heap Size (JVM) for Performance
Elasticsearch performance depends heavily on JVM heap sizing. Set both Xms and Xmx to the same value, typically 50% of system RAM up to 31g (to keep compressed oops).
# Set the heap (example: 4 GB server → 2 GB heap). Elastic recommends a drop-in file
# in jvm.options.d rather than editing jvm.options itself, so package upgrades keep it.
sudo tee /etc/elasticsearch/jvm.options.d/heap.options >/dev/null <<'EOF'
-Xms2g
-Xmx2g
EOF
After editing, restart Elasticsearch to apply.
Security in Elasticsearch 8.x
Security is on by default in 8.x: TLS for HTTP, basic authentication, and built-in users. Retrieve the CA certificate for secure curl requests and manage passwords with built-in tools.
# Default CA certificate path (package installs)
ls -l /etc/elasticsearch/certs/http_ca.crt
# Reset the elastic user's password (if needed)
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i
# Create an enrollment token for Kibana (optional)
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
Verify the Installation
Use curl with the elastic user and the HTTP CA certificate to verify the node is healthy.
# Replace <ELASTIC_PASSWORD> with your actual password, or drop ":<ELASTIC_PASSWORD>" to be prompted (keeps it out of shell history)
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic:<ELASTIC_PASSWORD> https://localhost:9200
# Check cluster health (quote the URL so the shell does not treat ? as a glob)
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic:<ELASTIC_PASSWORD> "https://localhost:9200/_cluster/health?pretty"
Install Useful Elasticsearch Plugins
Extend functionality with official plugins, then restart the service.
# ICU analysis (internationalization)
sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-icu
# Ingest attachment (process PDFs/Office docs); bundled as a module in 8.x, so this install step is only needed on 7.x
sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-attachment
# Restart after plugin installs
sudo systemctl restart elasticsearch
Best Practices and Performance Tuning
- Use SSD storage and mount with noatime to reduce I/O overhead.
- Allocate 50% of RAM to the JVM heap (max ~31 GB), leaving the rest for Lucene page cache.
- Keep Xms and Xmx equal; avoid swapping. Consider enabling memory locking.
- Deploy 3+ master-eligible nodes to avoid split-brain; use odd counts.
- Pin CPU resources or use cgroups for predictable performance on shared hosts.
- Use index lifecycle management (ILM) to roll over and delete old data.
- Snapshot regularly to S3, GCS, or an NFS share for backups.
- Monitor with Elastic Stack, Prometheus exporters, and system metrics.
- Limit http exposure; use private networks, VPNs, or reverse proxies with auth.
Troubleshooting Common Errors
- max virtual memory areas vm.max_map_count is too low: Set to 262144 and reload sysctl.
- max file descriptors [4096] for elasticsearch process is too low: Increase nofile to 65535.
- Bootstrap checks failed: Elasticsearch enforces the bootstrap checks once network.host binds a non-loopback address (they are not enforced with discovery.type: single-node). Fix kernel/limits and JVM settings, then restart.
- BindException: Address already in use: Another process is using 9200/9300. Stop it or change ports.
- Permission denied on data path: Ensure /var/lib/elasticsearch is owned by the elasticsearch user.
- Authentication failures: Reset elastic password and use the generated http_ca.crt with curl.
- Cluster not forming: Validate network.host, discovery.seed_hosts, and cluster.initial_master_nodes; check firewall and DNS.
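A preflight script that bundles the kernel, limits, heap and exposure checks behind the troubleshooting entries above, as an added example not taken from this guide; it assumes a package install with the config at /etc/elasticsearch/elasticsearch.yml and the minimums the guide quotes (vm.max_map_count 262144, nofile 65535, heap at half of RAM capped at 31 GB).

```shell
#!/usr/bin/env bash
# Preflight checks for a packaged Elasticsearch 8.x node (added example).
# Each check takes its input as an argument so it can be exercised offline;
# run_all reads the live values from the host (assumes /etc/elasticsearch/elasticsearch.yml).

# Recommended heap in MB: half of RAM, capped at 31 GB (31744 MB) to keep compressed oops.
recommended_heap_mb() {
  half=$(( $1 / 2 ))
  if [ "$half" -gt 31744 ]; then echo 31744; else echo "$half"; fi
}

# Bootstrap-check minimums for vm.max_map_count and the open-file limit
# ("infinity" is what a systemd unit reports when the limit is unbounded).
map_count_ok() { [ "$1" -ge 262144 ]; }
nofile_ok()    { [ "$1" = infinity ] || [ "$1" -ge 65535 ]; }

# Prints "exposed" when network.host binds every interface, "ok" otherwise.
network_exposure() {
  case "$1" in
    0.0.0.0|::|_global_) echo exposed ;;
    *) echo ok ;;
  esac
}

# Reads one top-level "key: value" setting from elasticsearch.yml text on stdin
# (trailing comments and surrounding quotes are stripped; nested YAML is not handled).
yml_get() {
  sed -n -E "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*([^#]*[^#[:space:]]).*/\1/p" \
    | sed -E 's/^"(.*)"$/\1/' | head -n1
}

# Run every check against this host and print a short report.
run_all() {
  ram_mb=$(awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo)
  heap=$(recommended_heap_mb "$ram_mb")
  echo "recommended heap: -Xms${heap}m -Xmx${heap}m"
  map=$(sysctl -n vm.max_map_count)
  map_count_ok "$map" && echo "vm.max_map_count=$map ok" || echo "vm.max_map_count=$map too low (need 262144)"
  # Limit the unit applies to the service, not the limit of this shell
  nofile=$(systemctl show elasticsearch -p LimitNOFILE --value)
  nofile_ok "$nofile" && echo "LimitNOFILE=$nofile ok" || echo "LimitNOFILE=$nofile too low (need 65535)"
  host=$(yml_get network.host < /etc/elasticsearch/elasticsearch.yml)
  echo "network.host=${host:-<unset, defaults to loopback>}: $(network_exposure "$host")"
}

if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run it with --run on the host; without the flag it only defines the functions so they can be sourced or tested.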
Upgrades, Holds, and Uninstalls
Upgrade Between 8.x Versions
- Review release notes and ensure all plugins support the target version.
- Snapshot your data first.
- Rolling upgrade: Upgrade one node at a time, wait for green health, then proceed.
# Debian/Ubuntu
sudo apt update
sudo apt install elasticsearch
# RHEL family
sudo dnf upgrade elasticsearch || sudo yum update elasticsearch
Hold or Pin Version
# Ubuntu/Debian
sudo apt-mark hold elasticsearch
# RHEL family (requires yum-plugin-versionlock)
sudo dnf install -y python3-dnf-plugin-versionlock || sudo yum install -y yum-plugin-versionlock
sudo dnf versionlock add elasticsearch || sudo yum versionlock add elasticsearch
Uninstall
# Stop and remove
sudo systemctl stop elasticsearch
sudo apt remove --purge -y elasticsearch && sudo apt autoremove -y
# or
sudo dnf remove -y elasticsearch || sudo yum remove -y elasticsearch
# Optional: remove data and logs (irreversible)
sudo rm -rf /var/lib/elasticsearch /var/log/elasticsearch
Self-Hosted vs Managed Elasticsearch
Running Elasticsearch yourself gives full control and cost efficiency, but you own patching, scaling, and 24×7 monitoring. Managed options reduce operational burden.
- Self-hosted: Maximum flexibility; ideal for custom plugins and strict data locality. Requires Linux, JVM, and cluster ops expertise.
- Managed: Faster to market; predictable SLAs; built-in monitoring and backups. Slightly higher cost, fewer low-level knobs.
If you prefer a reliable foundation for self-hosted clusters, YouStable offers SSD-powered VPS and dedicated servers with private networking and DDoS protection—optimized for Elasticsearch and the Elastic Stack. Our experts can help size nodes, tune JVM, and secure your cluster without overspending.
Real-World Use Cases on Linux
- Log analytics with Filebeat/Logstash shipping to a hot-warm ILM policy.
- App search with synonym filtering and ICU analysis for multilingual content.
- Security analytics ingesting events from servers, firewalls, and cloud platforms.
- Metrics and traces via Elastic APM to troubleshoot performance regressions.
FAQs: Install Elasticsearch on Linux Server
1) How do I install Elasticsearch on Ubuntu 22.04 quickly?
Add Elastic’s APT repository, install elasticsearch, enable the service, and verify with curl using the CA cert. See the Ubuntu/Debian section above for exact commands. Elasticsearch 8.x bundles a JDK and enables security by default.
2) What are the minimum system requirements for Elasticsearch?
For testing: 2 vCPU, 4 GB RAM, and 20 GB SSD. For production: 4+ vCPU, 8–32 GB RAM per node, SSD storage, and a dedicated data disk. Allocate half of RAM to the JVM heap (max ~31 GB).
3) How do I change the Elasticsearch heap size on Linux?
Edit /etc/elasticsearch/jvm.options and set -Xms and -Xmx to the same value (e.g., 2g). Restart the elasticsearch service. Avoid swapping and consider enabling memory locking to prevent heap from being swapped out.
4) How do I secure Elasticsearch?
Elasticsearch 8 enables TLS and authentication by default. Use the generated http_ca.crt with curl, reset the elastic password if needed, limit access with firewalls/VPNs, and avoid exposing port 9200 to the internet. For 7.x, set xpack.security.enabled: true and configure TLS manually.
5) How can I verify the installation is healthy?
Run curl against https://localhost:9200 using the CA cert and elastic credentials, then check /_cluster/health and logs (journalctl -u elasticsearch). Health should be green or yellow, not red. Investigate any shard allocation or bootstrap warnings.
6) Should I use Elasticsearch or OpenSearch on Linux?
Elasticsearch offers the latest Elastic features and commercial capabilities; OpenSearch is a community fork compatible with many 7.x APIs. Choose based on licensing, features, and ecosystem needs. Do not mix nodes across products in the same cluster.
7) Can I run Elasticsearch in a container on Linux?
Yes. Docker and Kubernetes are popular for orchestration. Ensure vm.max_map_count is set on the host, allocate persistent storage, and tune resources. For bare-metal performance and predictable I/O, many production teams still prefer VM or dedicated servers.
Conclusion
With the official repositories, installing Elasticsearch on Linux is straightforward. Prioritize secure defaults, correct system limits, and proper heap sizing. Start small, verify with curl, then scale to a resilient 3+ node cluster. Need a fast, reliable foundation? YouStable’s SSD VPS and dedicated servers are a great fit for production-grade Elasticsearch.