« Add Elasticsearch user settings Add Kibana user settings »

› › › ›

Elasticsearch settings

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Elasticsearch settings

These example user settings cover only a subset of all user settings that you can include in the elasticsearch.yml configuration file. To learn more about available settings, check Configuring Elasticsearch. To update these settings, refer to Add Elasticsearch user settings.

Most of the user settings that are available for the Elasticsearch version that your cluster is running are also available on Elastic Cloud Enterprise, regardless of being marked as "supported on Elasticsearch Service".

Examples of Elasticsearch user settings that you can specify:

cluster.indices.close.enable

Enables closing indices in Elasticsearch. Defaults to true for versions 7.2.0 and later, and to false for previous versions. In versions 7.1 and below, closed indices represent a data loss risk: if you close an index, it is not included in snapshots and you will not be able to restore the data. Similarly, closed indices are not included when you make cluster configuration changes, such as scaling to a different capacity, failover, and many other operations. Lastly, closed indices can lead to inaccurate disk space counts.

For versions 7.1 and below, closed indices represent a data loss risk. Enable this setting only temporarily for these versions.

reindex.remote.whitelist

Explicitly allows the hosts that can be reindexed from remotely. Consists of a comma-delimited list of host:port entries. Defaults to ["\*.io:*", "\*.com:*"].

script.painless.regex.enabled

Enables regular expressions for the Painless scripting language.

X-Pack alerting features (formerly Watcher)

Enables watches, including integration with Slack and PagerDuty. For example:

xpack.notification.slack - Configures Slack notification settings.

xpack.notification.pagerduty - Configures PagerDuty notification settings.

Disk-based shard allocation settings

The following disk-based allocation settings are supported:

cluster.routing.allocation.disk.watermark.low: Configures disk-based shard allocation’s low watermark.
cluster.routing.allocation.disk.watermark.high: Configures disk-based shard allocation’s high watermark.
cluster.routing.allocation.disk.watermark.flood_stage: Configures disk-based shard allocation’s flood_stage (available only on 6.x and higher).

Monitoring settings

Examples of Elasticsearch monitoring settings:

xpack.monitoring.collection.interval

Controls how often data samples are collected.

xpack.monitoring.collection.min_interval_seconds

Specifies the minimum number of seconds that a time bucket in a chart can represent. If you modify the xpack.monitoring.collection.interval, use the same value in this setting.

Defaults to 10 (10 seconds).

xpack.monitoring.history.duration

Sets the retention duration beyond which the indices created by a monitoring exporter will be automatically deleted.

Audit settings

Examples of Elasticsearch audit settings:

xpack.security.audit.enabled: Enables auditing on Elasticsearch cluster nodes. Defaults to false.
xpack.security.audit.logfile.events.include: Specifies which events to include in the auditing output.
xpack.security.audit.logfile.events.exclude: Specifies which events to exclude from the output. No events are excluded by default.
xpack.security.audit.logfile.events.emit_request_body: Specifies whether to include the request body from REST requests on certain event types, for example authentication_failed. Defaults to false.
xpack.security.audit.logfile.emit_node_name: Specifies whether to include the node name as a field in each audit event. Defaults to true.
xpack.security.audit.logfile.emit_node_host_address: Specifies whether to include the node’s IP address as a field in each audit event. Defaults to false.
xpack.security.audit.logfile.emit_node_host_name: Specifies whether to include the node’s host name as a field in each audit event. Defaults to false.
xpack.security.audit.logfile.emit_node_id: Specifies whether to include the node ID as a field in each audit event. Defaults to true.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users: A list of user names or wildcards. The specified policy will not print audit events for users matching these values.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms: A list of authentication realm names or wildcards. The specified policy will not print audit events for users in these realms.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles: A list of role names or wildcards. The specified policy will not print audit events for users that have these roles.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices: A list of index names or wildcards. The specified policy will not print audit events when all the indices in the event match these values.

To enable and change audit settings, you must first enable deployment logging.

« Add Elasticsearch user settings Add Kibana user settings »

Was this helpful?

Feedback

The Search AI Company

ELK Stack

Elastic Cloud

Generative AI

Search

Security

Observability

By solution

Industries

Customer spotlight

Research

Build

Learn

Connect

Elasticsearch settings

Elasticsearch settings

Follow us

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards