Elasticsearch Dangerous Default Settings

Opster Team

July 2020, Version: 1.7-8.0

A review of two dangerous default settings in Elasticsearch: Cluster Name and Data Path.

Cluster Name is Default 'elasticsearch'

What Does it Mean?

It is important to change the name of the cluster in elasticsearch.yml to avoid Elasticsearch nodes joining the wrong cluster. This is particularly important when development, staging and production environments can find themselves on the same network, since every node left at the default name will try to join the same cluster.

How to Prevent it from Happening

If you want to change the name of the cluster, then you need to modify the setting in elasticsearch.yml and perform a rolling restart:

cluster.name: myapp-prod

Remember that changing the cluster name will also change the default name of your Elasticsearch log files.

Data Path Should Not Be Default

What Does it Mean?

If you have installed Elasticsearch using zip or tar.gz files, then by default the data directory is a subdirectory of the Elasticsearch home directory. This creates a high risk of deleting your data when upgrading Elasticsearch, because replacing the home directory also replaces everything beneath it.

How to Prevent it from Happening

Make sure you set the data and logs directories in elasticsearch.yml to a path separated from your Elasticsearch program files:

path:
  logs: /var/log/elasticsearch
  data: /var/data/elasticsearch

These directories must be writable by the Elasticsearch user.

If you have already created data in the default path, and you want to move the directory, then you should follow the steps in the procedure below.

How to change the data path:

  1. Double check to ensure you have a recent snapshot of all indices on the node

  2. Temporarily stop shard relocation so the cluster does not start re-allocating the node's shards while it is down (the Content-Type header is required on Elasticsearch 6.0 and later):

    curl -XPUT localhost:9200/_cluster/settings -H 'Content-Type: application/json' -d '{
      "transient" : {
        "cluster.routing.allocation.enable" : "none"
      }
    }'

  3. Stop the Elasticsearch node.

  4. Move the entire data directory to its new location.

  5. Modify the path in elasticsearch.yml.

  6. Start the Elasticsearch node.

Please be extra careful when taking the above steps and make sure they fit your system, as misusing them can lead to loss of production data.

It is recommended to use the RPM or Debian packages to avoid this and other installation issues. The RPM and Debian packages store data separately from program files by default.
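The following audit script is an added example, not Opster's or Elasticsearch's own code. It checks an elasticsearch.yml for both dangerous defaults described above: a cluster.name left at 'elasticsearch', and path.data or path.logs missing or placed under the Elasticsearch home directory (assumed to be an archive install whose home path you pass in). It reads both the flat `path.data:` and the nested `path:` / `data:` forms; the sample configs are constructed.

```python
"""Audit elasticsearch.yml for the default cluster name and in-home data/log paths."""
import os
from typing import Dict, List

DEFAULT_CLUSTER_NAME = "elasticsearch"

def parse_es_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for the subset of YAML used in elasticsearch.yml:
    'key: value' lines, nesting by indentation, and dotted keys.
    'path.data: /x' and 'path:\n  data: /x' both yield {'path.data': '/x'}."""
    settings: Dict[str, str] = {}
    stack: List[tuple] = []          # (indent, key prefix) of open parent keys
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # leave parents at same/deeper indent
            stack.pop()
        full = (stack[-1][1] + "." if stack else "") + key.strip()
        value = value.strip().strip("'\"")
        if value:
            settings[full] = value
        else:
            stack.append((indent, full))          # a parent key like 'path:'
    return settings

def audit(yaml_text: str, es_home: str) -> List[str]:
    """Return findings for the two dangerous defaults; empty list means hardened."""
    s = parse_es_yaml(yaml_text)
    home = os.path.abspath(es_home)
    findings = []
    if s.get("cluster.name", DEFAULT_CLUSTER_NAME) == DEFAULT_CLUSTER_NAME:
        findings.append("cluster.name is the default 'elasticsearch': nodes from other "
                        "environments on the same network may join this cluster")
    for key in ("path.data", "path.logs"):
        value = s.get(key)
        if value is None:
            findings.append(f"{key} is unset: defaults to a subdirectory of {home}, "
                            "which an upgrade that replaces the home directory can delete")
        elif os.path.commonpath([home, os.path.abspath(os.path.join(home, value))]) == home:
            findings.append(f"{key}={value} lies inside the Elasticsearch home {home}")
    return findings

# Constructed samples: one with all defaults in place, one hardened as recommended above.
SAMPLE_UNSAFE = "# constructed sample\nnode.name: node-1\n"
SAMPLE_SAFE = ("# constructed sample\ncluster.name: myapp-prod\n"
               "path:\n  logs: /var/log/elasticsearch\n  data: /var/data/elasticsearch\n")

if __name__ == "__main__":
    for name, cfg in (("unsafe", SAMPLE_UNSAFE), ("safe", SAMPLE_SAFE)):
        print(name, audit(cfg, "/opt/elasticsearch-7.10") or ["no findings"])
```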

About Opster

Opster detects, prevents, optimizes and automates everything needed to run mission-critical Elasticsearch.
