Add Elasticsearch user settings

Change how Elasticsearch runs by providing your own user settings. User settings are appended to the elasticsearch.yml configuration file for your cluster and provide custom configuration options. Elastic Cloud Enterprise supports many of the user settings for the version of Elasticsearch that your cluster is running.

Some settings that could break your cluster if set incorrectly are blacklisted, such as certain zen discovery and security settings. For a few examples of settings that are generally safe in cloud environments, see Additional Examples of Supported User Settings, and see Editing Your User Settings for settings that can be enabled on our Elastic Cloud hosted offering.

To add user settings:

  1. Log in to the Cloud UI.
  2. On the Deployments page, select your deployment.

    Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.

  3. From your deployment menu, go to the Edit page.
  4. In the Elasticsearch section, click Edit elasticsearch.yml. (For deployments with existing user settings, you may have to expand the User setting overrides caret for each node type instead.)
  5. Update the user settings.
  6. Click Save changes.

    If you see the Edit elasticsearch.yml carets, be sure to make your changes on all Elasticsearch node types.

Example: Enable email notifications from Gmail

The following examples configure email notifications to Gmail for a user that you specify. Which example you use depends on the version of Elasticsearch that your cluster is running.

CAUTION: Before you add the xpack.notification.email* setting in Elasticsearch user settings, make sure you add the account SMTP password to the keystore as a secret value.

For version 6.3 and later: See Configuring email actions.

For version 5.0 to 6.2: See Configuring email actions.

xpack.notification.email.account:
    gmail_account:
        profile: gmail
        smtp:
            auth: true
            starttls.enable: true
            host: smtp.gmail.com
            port: 587
            user: <username>
            password: <password>

For versions before 5.0: Use Watcher to configure an email watch action. To learn more, see Configuring Email Actions.

watcher.actions.email.service.account:
  work:
    profile: gmail
    email_defaults:
      from: <email>
    smtp:
      auth: true
      starttls.enable: true
      host: smtp.gmail.com
      port: 587
      user: <username>
      password: <password>

Additional examples of supported user settings

These example user settings cover only a subset of all user settings that you can include in the elasticsearch.yml configuration file. To learn more about available settings, see Configuring Elasticsearch.

Examples of Elasticsearch user settings that you can specify:

cluster.indices.close.enable

Enables closing indices in Elasticsearch version 2.2 and later. Defaults to true for versions 7.2.0 and later, and to false for previous versions. In versions 7.1 and below, closed indices represent a data loss risk: if you close an index, it is not included in snapshots and you will not be able to restore the data. Similarly, closed indices are not included when you make cluster configuration changes, such as scaling to a different capacity, failover, and many other operations. Lastly, closed indices can lead to inaccurate disk space counts.

For versions 7.1 and below, closed indices represent a data loss risk. Enable this setting only temporarily for these versions.

reindex.remote.whitelist
Whitelists the hosts that can be reindexed from remotely. Consists of a comma-delimited list of host:port entries. Defaults to ["*.io:*", "*.com:*"].
script.painless.regex.enabled
Enables regular expressions for the Painless scripting language.
X-Pack alerting features (formerly Watcher)

Enables watches, including integration with Slack, HipChat, and PagerDuty. For example:

For version 6.3 and later:

For version 5.0 to 6.2:

For versions before 5.0:

Remember to check your user settings when performing a major version upgrade. For example, the syntax for alerts in version 5.0 and later is different from the syntax in earlier versions.

Disk-based shard allocation settings

The following disk-based allocation settings are supported:

cluster.routing.allocation.disk.watermark.low
Configures disk-based shard allocation’s low watermark.
cluster.routing.allocation.disk.watermark.high
Configures disk-based shard allocation’s high watermark.
cluster.routing.allocation.disk.watermark.flood_stage
Configures disk-based shard allocation’s flood_stage (available only on 6.x and higher).
Monitoring settings

Examples of Elasticsearch monitoring settings:

For versions 5.0 and later:

xpack.monitoring.collection.interval
Controls how often data samples are collected.
xpack.monitoring.collection.min_interval_seconds

Specifies the minimum number of seconds that a time bucket in a chart can represent. If you modify the xpack.monitoring.collection.interval, use the same value in this setting.

Defaults to 10 (10 seconds).

xpack.monitoring.history.duration
Sets the retention duration beyond which the indices created by a monitoring exporter will be automatically deleted.
Audit settings
Examples of Elasticsearch audit settings:
xpack.security.audit.enabled
Enables auditing on Elasticsearch cluster nodes. Defaults to false.
xpack.security.audit.logfile.events.include
Specifies which events to include in the auditing output.
xpack.security.audit.logfile.events.exclude
Specifies which events to exclude from the output. No events are excluded by default.
xpack.security.audit.logfile.events.emit_request_body
Specifies whether to include the request body from REST requests on certain event types, for example authentication_failed. Defaults to false.
xpack.security.audit.logfile.emit_node_name
For versions above 6.5.0: Specifies whether to include the node name as a field in each audit event. Defaults to true.
xpack.security.audit.logfile.prefix.emit_node_name
For versions below 6.5.0: Specifies whether to include the node name as a field in each audit event. Defaults to true.
xpack.security.audit.logfile.emit_node_host_address
For versions above 6.5.0: Specifies whether to include the node’s IP address as a field in each audit event. Defaults to false.
xpack.security.audit.logfile.prefix.emit_node_host_address
For versions below 6.5.0: Specifies whether to include the node’s IP address as a field in each audit event. Defaults to false.
xpack.security.audit.logfile.emit_node_host_name
For versions above 6.5.0: Specifies whether to include the node’s host name as a field in each audit event. Defaults to false.
xpack.security.audit.logfile.prefix.emit_node_host_name
For versions below 6.5.0: Specifies whether to include the node’s host name as a field in each audit event. Defaults to false.
xpack.security.audit.logfile.emit_node_id
For versions above 6.5.0: Specifies whether to include the node ID as a field in each audit event. Defaults to true.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users
A list of user names or wildcards. The specified policy will not print audit events for users matching these values.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms
A list of authentication realm names or wildcards. The specified policy will not print audit events for users in these realms.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles
A list of role names or wildcards. The specified policy will not print audit events for users that have these roles.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices
A list of index names or wildcards. The specified policy will not print audit events when all the indices in the event match these values.

To enable and change audit settings, you must first enable deployment logging.
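
A pre-flight check for user settings before they are pasted into the Cloud UI, added here as an example and not part of Elastic Cloud Enterprise or its tooling. It flags an SMTP password left in plain text (see the CAUTION above), audit setting names that do not match the target version, and a monitoring interval that disagrees with xpack.monitoring.collection.min_interval_seconds. Assumptions: the function names and sample settings are constructed for illustration, only nested mappings of scalar values are parsed, and version 6.5.0 itself is not flagged because the page only distinguishes "above" and "below".

```python
import re

# Audit settings the list above gives under two names: above 6.5.0 -> below 6.5.0.
P = "xpack.security.audit.logfile."
AUDIT_RENAMES = {P + n: P + "prefix." + n for n in
                 ("emit_node_name", "emit_node_host_address", "emit_node_host_name")}

def flatten(text):
    """Flatten nested YAML mappings of scalars into dotted keys (no '- ' lists)."""
    path, out = [], {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in path)] = value.strip()
    return out

def lint(text, version):
    """Return warnings for settings aimed at `version`, a (major, minor, patch) tuple."""
    s = flatten(text)
    warnings = [f"{k}: SMTP password in plain text, keep it in the keystore"
                for k in s if k.endswith(".smtp.password")]
    for new, old in AUDIT_RENAMES.items():
        if new in s and version < (6, 5, 0):
            warnings.append(f"{new}: below 6.5.0 the setting is {old}")
        if old in s and version > (6, 5, 0):
            warnings.append(f"{old}: above 6.5.0 the setting is {new}")
    # The page asks for min_interval_seconds (default 10) to match collection.interval.
    m = re.fullmatch(r"(\d+)s", s.get("xpack.monitoring.collection.interval", ""))
    floor = s.get("xpack.monitoring.collection.min_interval_seconds", "10")
    if m and m.group(1) != floor:
        warnings.append(f"min_interval_seconds is {floor}, collection.interval is {m.group(0)}")
    return warnings

# Constructed sample settings; <password> is a placeholder, not a real secret.
SAMPLE = """\
xpack.notification.email.account:
    gmail_account:
        smtp:
            password: <password>
xpack.security.audit.logfile.prefix.emit_node_name: true
xpack.monitoring.collection.interval: 30s
"""
```

Calling lint(SAMPLE, (6, 8, 0)) returns three warnings; the same settings aimed at (6, 2, 0) return two, because the prefix.* audit name is the correct one below 6.5.0.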