Elasticsearch Dangerous Default Settings

Opster Team

March 2021

In addition to reading this guide, we recommend you run the Elasticsearch Health Check-Up. It will detect issues and improve your Elasticsearch performance by analyzing your shard sizes, threadpools, memory, snapshots, disk watermarks and more.

The Elasticsearch Check-Up is free and requires no installation.



Cluster name

It is important to change the name of the cluster in elasticsearch.yml from the default "elasticsearch" to avoid Elasticsearch nodes joining the wrong cluster. This is particularly important when development, staging and production environments share a network and host lists get copied between them: a node pointed at the wrong seed hosts will join whichever cluster carries the same name. Note that a distinct cluster name only guards against accidental joins, not malicious ones; any host that knows the name and can reach the transport port can join an unsecured cluster. In Elasticsearch 7.x the security features are disabled by default, so enable them (xpack.security.enabled: true) together with TLS on the transport layer to keep untrusted nodes out.

How to prevent it from happening

If you want to change the name of the cluster, then you need to set the new name in elasticsearch.yml on every node:

cluster.name: myapp-prod

and perform a full cluster restart. A rolling restart is not suitable here: a node that comes back with the new name refuses to join nodes that still carry the old one, so the cluster would stay split until the last node has been restarted.

Remember that changing the cluster name will also change the default name of your Elasticsearch log files, which are named after the cluster (for example myapp-prod.log).

Data path

If you have installed Elasticsearch from the zip or tar.gz archive, then by default the data directory is $ES_HOME/data, a subdirectory of the Elasticsearch home directory. Upgrading by unpacking a new archive and removing or replacing the old home directory therefore deletes your data along with the program files.

How to prevent it from happening

Make sure you set the data and logs directories in elasticsearch.yml to paths outside your Elasticsearch program files:

path:
  logs: /var/log/elasticsearch
  data: /var/data/elasticsearch

(The flat form path.data: /var/data/elasticsearch and path.logs: /var/log/elasticsearch is equivalent.)

These directories must be owned and writable by the user Elasticsearch runs as, and should not be readable by other local users, since the index files contain your data in the clear.

If you have already created data in the default path, and you want to move the directory, then you should follow the steps in the procedure below.

How to change the data path:

  1. Double check to ensure you have a recent snapshot of all indices on the node.

  2. Temporarily stop shard allocation, so the cluster does not start rebuilding the node's shards elsewhere while it is down:

    curl -XPUT -H 'Content-Type: application/json' localhost:9200/_cluster/settings -d '{
      "transient": {
        "cluster.routing.allocation.enable": "none"
      }
    }'

  3. Stop the Elasticsearch node.

  4. Move the entire data directory to its new location, keeping its ownership and permissions (it must remain owned by the user Elasticsearch runs as and should not be readable by other users).

  5. Modify the path in elasticsearch.yml.

  6. Start the Elasticsearch node and wait for it to rejoin the cluster.

  7. Re-enable shard allocation. The transient setting survives a single-node restart, so no shards will be allocated until you remove it:

    curl -XPUT -H 'Content-Type: application/json' localhost:9200/_cluster/settings -d '{
      "transient": {
        "cluster.routing.allocation.enable": null
      }
    }'

Please be extra careful when taking the above steps and make sure they fit your system, as misusing them can lead to loss of production data.
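The procedure above as a script, added here as an example; it is not part of the Opster article. It assumes the node answers on localhost:9200 without authentication (add -u user:pass to the curl calls otherwise), runs as the systemd unit elasticsearch under the system user elasticsearch, and that elasticsearch.yml uses the flat path.data key; the URL, unit, user, config path and data paths are placeholders to adjust. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the Opster article): move a node's data directory off
# the install tree, following the article's steps. Assumptions, adjust as needed:
#   - the node answers on ES_URL without authentication (add -u user:pass otherwise)
#   - it runs as the systemd unit ES_SERVICE under the system user ES_USER
#   - ES_CONFIG uses the flat "path.data: ..." key; the nested "path:" / "  data:"
#     form is NOT rewritten by set_data_path, edit that by hand
set -eu

ES_URL="${ES_URL:-http://localhost:9200}"
ES_CONFIG="${ES_CONFIG:-/etc/elasticsearch/elasticsearch.yml}"
ES_SERVICE="${ES_SERVICE:-elasticsearch}"
ES_USER="${ES_USER:-elasticsearch}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Print a command when dry-running, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# JSON body for PUT _cluster/settings: $1 is "none" (pause allocation) or
# "null" (remove the transient setting, i.e. back to the default "all").
allocation_body() {
  if [ "$1" = "null" ]; then
    printf '{"transient":{"cluster.routing.allocation.enable":null}}'
  else
    printf '{"transient":{"cluster.routing.allocation.enable":"%s"}}' "$1"
  fi
}

set_allocation() {
  run curl -fsS -XPUT -H 'Content-Type: application/json' \
    "$ES_URL/_cluster/settings" -d "$(allocation_body "$1")"
}

# Rewrite (or append) the flat path.data key in config $1 to $2, keeping a .bak copy.
set_data_path() {
  cfg="$1"; newpath="$2"
  if grep -Eq '^path\.data:' "$cfg"; then
    sed -i.bak -E "s|^path\.data:.*|path.data: ${newpath}|" "$cfg"
  else
    cp "$cfg" "$cfg.bak"
    printf 'path.data: %s\n' "$newpath" >> "$cfg"
  fi
}

# Read path.data back from config $1 to confirm the edit (last occurrence wins).
get_data_path() {
  sed -nE 's/^path\.data:[[:space:]]*//p' "$1" | tail -n 1
}

# The full procedure: $1 is the current data dir, $2 the new one.
move_data_dir() {
  old="$1"; new="$2"
  set_allocation none                       # step 2: nothing is reallocated while the node is down
  run systemctl stop "$ES_SERVICE"          # step 3
  run mkdir -p "$(dirname "$new")"
  run mv "$old" "$new"                      # step 4: mv keeps ownership and mode bits
  run chown -R "$ES_USER:$ES_USER" "$new"   #         belt and braces after a cross-filesystem move
  run chmod 750 "$new"                      #         keep other local users out of the index files
  run set_data_path "$ES_CONFIG" "$new"     # step 5
  run systemctl start "$ES_SERVICE"         # step 6
  run curl -fsS "$ES_URL/_cluster/health?wait_for_status=yellow&timeout=120s"
  set_allocation null                       # step 7: hand shards back out
}

# Usage: sh move-es-data.sh /usr/share/elasticsearch/data /var/data/elasticsearch
if [ "$#" -ge 2 ]; then
  move_data_dir "$1" "$2"
fi
```

Run it once with DRY_RUN=1 and read the printed commands against your own layout before running it for real; the config backup it leaves behind (elasticsearch.yml.bak) is what you restore if the node fails to start.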

It is recommended to use RPM or Debian packages to avoid this, and other installation issues. RPM and Debian packages by default store data separately from program files.
