Single-node Elasticsearch Installation Guide for Windows

TLDR

• It is recommended to set path.data and path.logs outside the installation directory to facilitate minor version upgrades.
• JVM memory should be set to 50% of the system's available memory, and -Xms and -Xmx should be set to the same value to reduce performance overhead.
• When configuring SSL/TLS, xpack.security.http.ssl.keystore.path must use a path relative to the config directory; absolute paths are not allowed.
• If cluster_uuid displays as _na_ after startup, it means the cluster was not initialized correctly; please check the cluster.initial_master_nodes setting.
• Certificate files generated using elasticsearch-certutil require the password to be written into the keystore via the elasticsearch-keystore command; otherwise, the service will be unable to read the certificates.

Basic Configuration and Best Practices

YAML Configuration File (config/elasticsearch.yml)

When performing basic configuration, it is recommended to move the data and log paths outside the installation directory to ensure data continuity during upgrades.

• Node and Cluster Settings:

  node.name: node-1
  cluster.initial_master_nodes: ["node-1"]

• Path Settings:

  path.data: /path/to/data
  path.logs: /path/to/logs

• Network and CORS Settings: When does this issue occur: When you need to access Elasticsearch via API from a browser or external service, failing to enable CORS will result in the connection being refused.

  network.host: 0.0.0.0
  http.cors.enabled: true
  http.cors.allow-origin: "*"

JVM Memory Settings (config/jvm.options)

When does this issue occur: When JVM memory is improperly configured, leading to frequent memory reallocation, which in turn affects system performance.

• It is recommended to set -Xms and -Xmx to the same value.
• Memory allocation should not exceed 50% of the total system memory, and at least 2GB should be reserved for the operating system.

Security Settings: SSL and Certificate Management

Creating SSL Certificates and Keystore

When does this issue occur: After enabling xpack.security.http.ssl, if the keystore password or path is not configured correctly, Elasticsearch will fail to start.

1. Use elasticsearch-certutil http to generate certificates.
2. Create a keystore and add the certificate password:

   elasticsearch-keystore create
   elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

3. Pitfall Note: In elasticsearch.yml, xpack.security.http.ssl.keystore.path must use a path relative to the config directory (e.g., certs/http.p12). Using an absolute path will cause the startup to fail.

Creating x.509 Transport Certificates

When does this issue occur: In multi-node environments or specific server configurations, if SSL for the transport layer is not set up, it may lead to abnormal communication between nodes.

• Generate certificates:

  elasticsearch-certutil cert --ca elastic-stack-ca.p12 --days 1825

• Configure keystore:

  elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
  elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

TIP

The http.p12 file generated using elasticsearch-certutil http already contains the CA certificate and can be used as both a Keystore and Truststore. If xpack.security.http.ssl.truststore.path is not specified, the system will automatically use the Keystore settings.

Service Startup and Management

Startup and Verification

When starting manually, please run bin/elasticsearch.bat with administrator privileges. After startup, you can verify by accessing https://localhost:9200 in your browser.

• Verification Result: If the cluster_uuid in the returned JSON is _na_, please check if cluster.initial_master_nodes matches node.name.

Registering as a Windows Service

To prevent the service from stopping when the window is closed, it is recommended to register it as a Windows service:

elasticsearch-service.bat install

After registration, please go to the Windows Services manager and set the Elasticsearch service to start "Automatically".

Change Log

• 2025-01-23 Initial document creation.
• 2025-03-05 Added x.509 certificate configuration.
• 2025-03-18 Added description for keystore.