Single-Node Elasticsearch Installation Guide for Windows

TLDR

• It is recommended to set path.data and path.logs outside the installation directory to facilitate future version upgrades.
• JVM memory should be set to 50% of the system's available memory, and -Xms and -Xmx should be set to the same value to avoid performance degradation.
• Setting network.host to 0.0.0.0 allows external connections, but be mindful of security implications.
• SSL and x.509 certificate paths must be relative to the config directory; using absolute paths will prevent the service from starting.
• Certificate passwords should be managed via the elasticsearch-keystore tool rather than being written directly into configuration files.
• If cluster_uuid displays _na_ after startup, check the cluster.initial_master_nodes configuration.

Basic Configuration and Best Practices

YAML Configuration File (config/elasticsearch.yml)

When performing basic configuration, it is recommended to point data and log paths to locations outside the installation directory. This ensures that when performing minor version upgrades, you can simply point the newly installed Elasticsearch to the existing data directory.

• Nodes and Clusters: Set node.name for easy identification; when creating a cluster for the first time, cluster.initial_master_nodes must be configured.
• Networking and CORS: To allow external access, set network.host to 0.0.0.0. If there are frontend cross-origin requirements, you can enable http.cors.enabled and configure http.cors.allow-origin.

JVM Memory Tuning (config/jvm.options)

When do you encounter performance issues? When the JVM frequently performs memory reallocation.

• Recommended Practice: Set -Xms and -Xmx to the same value.
• Configuration Principles: The total memory should not exceed 50% of the system's available memory, and at least 2GB should be reserved for the operating system. If memory is greater than 32GB, it is recommended to set it to 31GB to take advantage of JVM compressed pointers.

Security Settings: Certificate Management

SSL/TLS Certificate Configuration

When do you encounter startup errors? When using absolute paths to specify certificate locations in elasticsearch.yml.

• Verification Result: Certificate paths must be relative to the config directory.
• Certificate Password Management: Use elasticsearch-keystore to add the password to the keystore instead of writing it in plain text in the configuration file:

  elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

x.509 Transport Layer Encryption

When do you encounter environmental differences? In different server environments, some may work even without transport SSL configured, while others strictly require it.

• Recommended Practice: If you need to enable xpack.security.transport.ssl, ensure that the keystore and truststore paths are correctly configured and set verification_mode to certificate.

TIP

The http.p12 file generated using elasticsearch-certutil http already contains the CA certificate and can be used as both a Keystore and a Truststore. By default, the system points the Truststore to the Keystore setting.

WARNING

The CA certificate file generated by elasticsearch-certutil ca cannot be used directly as a Truststore. Additionally, all certificate path settings must be relative to the config directory; using absolute paths will cause the service to fail to start.

User Management

Use built-in tools to manage access permissions:

• Create a Superuser:

  elasticsearch-users useradd {username} -p {password} -r superuser

• Notes: The password must be at least 6 characters long. User information is stored in the config/users and config/users_roles files.

Service Startup and Registration

If you access http://localhost:9200 via a browser after startup and find that cluster_uuid is _na_, it means the cluster initialization failed. Please ensure that cluster.initial_master_nodes correctly corresponds to node.name.

• Manual Startup: You must run bin/elasticsearch.bat with administrator privileges.
• Register as a Windows Service: Run elasticsearch-service.bat install and set it to "Automatic" startup in the Service Manager to ensure the service runs normally after a system reboot.

Change Log

• 2025-01-23 Initial document creation.
• 2025-03-05 Added x.509 certificate settings.
• 2025-03-18 Added keystore description.