How to Create ElasticSearch on Linux Server with Security Enabled

To create Elasticsearch on a Linux server, prepare the OS, add Elastic’s package repository, install Elasticsearch 8.x, tune kernel limits, configure elasticsearch.yml (single-node or cluster), open ports 9200/9300, enable and start the service, secure with HTTPS/passwords, and verify via REST API. Optionally install Kibana for dashboards and management.

If you want to create Elasticsearch on Linux server for search, analytics, or logging, this guide walks you through a clean, production-minded setup.

We’ll cover Ubuntu/Debian and RHEL-based distros, security defaults in Elasticsearch 8, performance tuning, basic API usage, and practical tips from years of hosting real workloads.

What You’ll Build and Who This Guide Is For

This tutorial helps beginners and sysadmins install and configure Elasticsearch 8 on a Linux server. You’ll set up a secure single-node or cluster-ready instance, learn essential kernel and JVM tuning, and run your first index and search queries. The steps align with Elastic’s best practices and modern security defaults.

Prerequisites and System Requirements

• Supported OS: Ubuntu 20.04/22.04/24.04, Debian 11/12, RHEL/CentOS/AlmaLinux/Rocky 8/9
• CPU/RAM: Minimum 2 vCPU and 4 GB RAM (8+ GB recommended)
• Storage: SSD recommended; plan IOPS for indexing-heavy workloads
• Network: Open TCP ports 9200 (HTTP) and 9300 (transport/cluster)
• Access: Root or sudo privileges
• Clock sync: Enable chrony or systemd-timesyncd for consistent timestamps

Note: Elasticsearch 8 bundles a compatible JDK. You do not need to install Java separately.

Understand Elasticsearch 8 Security Defaults

Elasticsearch 8 enables security by default. HTTPS is on, and you’ll use built-in users (like elastic) with passwords. For dev, you can run a single-node with minimal config. For production, configure TLS, users/roles, and restrict network exposure.

Install Elasticsearch on Ubuntu/Debian

These steps add Elastic’s APT repository and install the latest 8.x release.

sudo apt update && sudo apt install -y curl gnupg apt-transport-https

# Import Elastic GPG key
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg

# Add APT repository
echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | \
  sudo tee /etc/apt/sources.list.d/elastic-8.x.list

sudo apt update
sudo apt install -y elasticsearch

The installer may print a temporary password for the elastic user and certificate file locations. Save these securely.

Install Elasticsearch on RHEL/CentOS/AlmaLinux/Rocky

sudo dnf install -y curl gnupg

# Create YUM repo
cat <<'EOF' | sudo tee /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-8.x]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

sudo dnf clean all
sudo dnf install -y elasticsearch

Kernel and OS Tuning (Required)

Elasticsearch relies on virtual memory mappings and open files. Set these before first start.

# Virtual memory mappings
echo "vm.max_map_count=262144" | sudo tee /etc/sysctl.d/99-elasticsearch.conf
sudo sysctl --system

# File descriptors and processes for the elasticsearch user
echo -e "elasticsearch soft nofile 65536\nelasticsearch hard nofile 65536\nelasticsearch soft nproc 4096\nelasticsearch hard nproc 4096" | \
  sudo tee /etc/security/limits.d/90-elasticsearch.conf

# Optional: reduce swap aggressiveness
echo "vm.swappiness=1" | sudo tee /etc/sysctl.d/98-swappiness.conf
sudo sysctl --system

To lock memory (helps avoid swapping), enable memory lock and adjust systemd limits.

# In elasticsearch.yml
# bootstrap.memory_lock: true

# Create systemd override to allow memlock
sudo systemctl edit elasticsearch
# Then add:
# [Service]
# LimitMEMLOCK=infinity

sudo systemctl daemon-reload

Configure elasticsearch.yml

Edit the main configuration file to set node identity, network binding, and cluster mode.

sudo nano /etc/elasticsearch/elasticsearch.yml

For a secure single-node (dev/test):

cluster.name: my-es-cluster
node.name: node-1
network.host: 0.0.0.0            # or a private IP; avoid exposing to the internet
discovery.type: single-node
xpack.security.enabled: true     # On by default in 8.x

For a production-ready multi-node cluster (example):

cluster.name: prod-es
node.name: es-1
network.host: 10.0.1.10

discovery.seed_hosts: ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
cluster.initial_master_nodes: ["es-1", "es-2", "es-3"]

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true

For TLS, use the built-in cert tool or your PKI. Elasticsearch 8 generates service certificates during install; you can regenerate with the elasticsearch-certutil tool.

Start, Enable, and Verify the Service

sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
sudo systemctl status elasticsearch
# Logs
sudo journalctl -u elasticsearch -f

Get or reset the built-in superuser password if needed:

# If shown at install, use that. Otherwise:
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

Verify over HTTPS (certificate may be self-signed):

curl -u elastic https://localhost:9200 -k
# Expect cluster info JSON

Open Firewall Ports (If Needed)

For single-node dev, you may only need 9200. For clusters, open 9300 on private networks only.

# UFW (Ubuntu)
sudo ufw allow 9200/tcp
sudo ufw allow 9300/tcp
sudo ufw reload

# firewalld (RHEL-based)
sudo firewall-cmd --permanent --add-port=9200/tcp
sudo firewall-cmd --permanent --add-port=9300/tcp
sudo firewall-cmd --reload

Basic Elasticsearch Usage: Create Index, Index Docs, Search

Use the REST API to validate functionality. Replace password accordingly.

# Create an index with 1 shard and 1 replica (adjust for your cluster)
curl -k -u elastic:YOUR_PASSWORD -X PUT "https://localhost:9200/blog?pretty" \
  -H 'Content-Type: application/json' \
  -d '{ "settings": { "number_of_shards": 1, "number_of_replicas": 1 } }'

# Index a document (auto-generate ID)
curl -k -u elastic:YOUR_PASSWORD -X POST "https://localhost:9200/blog/_doc?pretty" \
  -H 'Content-Type: application/json' \
  -d '{ "title": "Hello Elasticsearch", "tags": ["linux","search"], "published": true }'

# Search
curl -k -u elastic:YOUR_PASSWORD "https://localhost:9200/blog/_search?q=title:hello&pretty"

Optional: Install Kibana

Kibana provides a GUI for management, dashboards, and Dev Tools.

# Ubuntu/Debian
sudo apt install -y kibana

# RHEL-based
sudo dnf install -y kibana

Bind Kibana to a secure interface and enroll it with Elasticsearch 8:

# /etc/kibana/kibana.yml
server.host: "0.0.0.0"        # or private IP
elasticsearch.hosts: ["https://localhost:9200"]

# Enrollment (generates a token from ES)
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
sudo /usr/share/kibana/bin/kibana-setup --enrollment-token <TOKEN>

sudo systemctl enable --now kibana

Performance Tuning Essentials

• Heap size: Set ~50% of RAM (max ~31 GB) for compressed oops efficiency.
• Storage: Prefer NVMe/SSD. Avoid remote or networked storage for hot data.
• Shards: Don’t overshard. Start with 1–2 primary shards per index; adjust by data volume and SLA.
• Refresh and replicas: Lower replicas for ingest speed; increase for availability.
• Ingest pipeline: Use Elasticsearch ingest nodes or Logstash for heavy parsing.

Set heap via jvm.options.d override:

echo "-Xms4g" | sudo tee /etc/elasticsearch/jvm.options.d/heap.options
echo "-Xmx4g" | sudo tee -a /etc/elasticsearch/jvm.options.d/heap.options
sudo systemctl restart elasticsearch

Security Hardening Checklist

• Never expose 9200/9300 to the public internet. Use private networks, VPN, or reverse proxies with TLS.
• Use strong passwords or SSO (SAML/OIDC). Create limited-scope roles for apps.
• Rotate certificates, disable weak ciphers, and pin to TLS 1.2+.
• Enable audit logging for compliance needs.
• Back up regularly with snapshots (S3-compatible or NFS).

# Create a repository for snapshots (example: S3)
PUT _snapshot/my_s3_repo
{
  "type": "s3",
  "settings": {
    "bucket": "my-es-backups",
    "region": "us-east-1"
  }
}

# Trigger a snapshot
PUT _snapshot/my_s3_repo/snap-001?wait_for_completion=true

Upgrades and Rolling Restarts

• Snapshot before upgrades.
• Check plugin compatibility and deprecation warnings in _cluster/settings and logs.
• In clusters, do rolling restarts: stop one node, upgrade, start, wait for green, repeat.
• Keep minor versions aligned across nodes to avoid incompatibilities.

Troubleshooting Common Issues

• Service won’t start: Check journalctl -u elasticsearch -e for permission or memory lock errors.
• max virtual memory areas vm.max_map_count: Reapply sysctl and reboot if needed.
• Cluster red/yellow: Inspect /_cluster/health and /_cat/shards; fix allocation issues or storage limits.
• Auth failures: Reset the elastic user password and verify certificates.
• High heap usage: Increase heap cautiously, reduce shard count, or optimize queries/mappings.

Cost‑Efficient Hosting Tip (From the Trenches)

Elasticsearch thrives on fast CPU, RAM, and SSDs, but costs can escalate. If you’re starting small or migrating from shared environments, YouStable’s SSD-backed VPS and cloud servers offer a balanced price-to-performance baseline for Elasticsearch. Ask support for tuned images with the kernel limits and JVM defaults preconfigured to shorten your time-to-value.

Best Practices Recap

• Install Elasticsearch 8 from official repositories to get security defaults and updates.
• Apply kernel limits (vm.max_map_count, nofile, nproc) and enable memory lock.
• Bind to private IPs and protect ports with a firewall or security groups.
• Right-size heap (≈50% RAM), avoid oversharding, and use SSDs.
• Automate snapshots and test restores regularly.

FAQs