Add Elasticsearch user settings
Change how Elasticsearch runs by providing your own user settings. User settings are appended to the elasticsearch.yml configuration file for your cluster and provide custom configuration options.
Some settings that could break your cluster if set incorrectly are blacklisted, such as certain zen discovery and security settings. Review the list of settings that are generally safe in cloud environments.
To add user settings:
- Log in to the Elasticsearch Service Console.
- Select your deployment on the home page in the Elasticsearch Service card or go to the deployments page.
  Narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
- From your deployment menu, go to the Edit page.
- At the bottom of each Elasticsearch node, expand the User settings overrides caret.
- Update the user settings.
- Click Save changes.
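A user settings override built from settings on the supported list, shown as an added example that is not part of the original page. The origin, host name and port are constructed placeholders.

```yaml
# User settings overrides for one Elasticsearch node (constructed example).
# These lines are appended to elasticsearch.yml when you save the changes.

# CORS: enable it and name the exact origin that may call the cluster.
http.cors.enabled: true
http.cors.allow-origin: "https://dashboards.example.com"   # placeholder origin
# Weak alternative, shown for contrast only: a wildcard tells browsers that
# any origin may read responses from the cluster.
# http.cors.allow-origin: "*"

# Remote reindex: replace the broad default patterns with the one source
# cluster you actually pull from (placeholder host and port).
reindex.remote.whitelist: ["source-cluster.example.com:9243"]

# Require explicit index names on delete; _all and wildcards are refused.
action.destructive_requires_name: true
```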
Supported Elasticsearch settings
Elasticsearch Service supports the following Elasticsearch settings:
-
http.cors.*
- Enables cross-origin resource sharing (CORS) settings for the HTTP module.
  If your use case depends on the ability to receive CORS requests and you have a cluster that was provisioned prior to January 25th 2019, you must manually set http.cors.enabled to true and allow a specific set of hosts with http.cors.allow-origin. Applying these changes in your Elasticsearch configuration allows cross-origin resource sharing requests.
-
http.compression
- Support for compression when possible (with Accept-Encoding). Defaults to true.
-
repositories.url.allowed_urls
- Enables whitelisting of read-only URL repositories.
-
reindex.remote.whitelist
- Whitelists the hosts that can be reindexed from remotely. Expects a YAML array of host:port strings. Consists of a comma-delimited list of host:port entries. Defaults to ["\*.io:*", "\*.com:*"].
-
script.painless.regex.enabled
- Enables regular expressions for the Painless scripting language.
-
index.number_of_shards
- The number of primary shards that an index should have.
-
action.auto_create_index
- Automatically create index if it doesn’t already exist.
-
action.destructive_requires_name
- When set to true, users must specify the index name to delete an index. It’s not possible to delete _all or use wildcards.
-
cluster.indices.close.enable
- Enables closing indices in Elasticsearch version 2.2 and later. You might enable this setting temporarily in order to change the analyzer configuration for an existing index. We strongly recommend leaving this set to false (the default) otherwise. Closed indices are a data loss risk: closed indices are not included when you make cluster configuration changes, such as scaling to a different capacity, failover, and many other operations. Lastly, closed indices can lead to inaccurate disk space counts.
  Closed indices are a data loss risk. Enable this setting only temporarily.
- Circuit breaker settings
-
The following circuit breaker settings are supported:
-
indices.breaker.total.limit
- Configures the parent circuit breaker settings.
-
indices.breaker.fielddata.limit
- Configures the limit for the fielddata breaker.
-
indices.breaker.fielddata.overhead
- Configures a constant that all field data estimations are multiplied with to determine a final estimation.
-
indices.breaker.request.limit
- Configures the limit for the request breaker.
-
indices.breaker.request.overhead
- Configures a constant that all request estimations are multiplied by to determine a final estimation.
-
- Indexing pressure settings (for version 7.9 and later)
-
The following indexing pressure settings are supported:
-
indexing_pressure.memory.limit
- Configures the indexing pressure settings.
-
- X-Pack (for versions from 6.8.11 to 7.0.0 and 7.8.1 and later)
-
The following X-Pack settings are supported:
-
xpack.security.sameSiteCookies
- Sets the SameSite attribute of the Set-Cookie HTTP header. It allows you to declare whether your cookie should be restricted to a first-party or same-site context. Not set by default, which makes modern browsers treat it as Lax. If you use Kibana embedded in an iframe in modern browsers, you might need to set it to None. Note that None usage requires secure context: xpack.security.secureCookies: true. Some old versions of IE11 do not support SameSite: None, so you should not specify xpack.security.sameSiteCookies at all.
-
- X-Pack (for version 7.6 and later)
-
The following X-Pack settings are supported:
-
xpack.ml.inference_model.time_to_live
- Sets the duration of time that the inference models are cached.
-
- X-Pack (for versions from 6.8.9 to 7.0.0 and 7.6 and later)
-
The following X-Pack settings are supported:
-
xpack.security.loginAssistanceMessage
- Adds a message to the login screen. Useful for displaying corporate messages.
-
- X-Pack (for version 6.0 and later)
-
The following X-Pack settings are supported:
-
xpack.watcher.encrypt_sensitive_data
- Allows enabling/disabling encryption of sensitive watcher configurations. Note that it requires adding xpack.watcher.encryption_key to the keystore.
- SAML
- All SAML settings are whitelisted for the reserved cloud-saml realm name.
-
xpack.security.authc.realms.saml.cloud-saml.*
- To learn more on how to enable SAML and related user settings, see secure your clusters with SAML.
- OpenID Connect
- All OpenID Connect settings are whitelisted for the reserved cloud-oidc realm name.
-
xpack.security.authc.realms.oidc.cloud-oidc.*
- To learn more on how to enable OpenID Connect and related user settings, see secure your clusters with OpenID Connect.
- Kerberos
- All Kerberos settings are whitelisted for the reserved cloud-krb realm name.
-
xpack.security.authc.realms.kerberos.cloud-krb.*
- To learn more on how to enable Kerberos and related user settings, see secure your clusters with Kerberos.
-
- X-Pack (for version 5.0 and later)
-
The following X-Pack settings are supported:
-
xpack.notification.slack
- Configures Slack notification settings (up to 6.2 | 6.3 and later). Note that you need to add secure_url as a secret value to the keystore.
-
xpack.notification.hipchat
- Configures HipChat notification settings (up to 6.2 | 6.3 to 6.7).
-
xpack.notification.pagerduty
- Configures PagerDuty notification settings (up to 6.2 | 6.3 and later).
-
xpack.watcher.trigger.schedule.engine
- Defines when the watch should start, based on date and time (6.3 and later).
-
xpack.notification.email.html.sanitization.*
- Enables email notification settings to sanitize HTML elements in emails that are sent.
-
xpack.monitoring.collection.interval
- Controls how often data samples are collected.
-
xpack.monitoring.collection.min_interval_seconds
- Specifies the minimum number of seconds that a time bucket in a chart can represent. If you modify the xpack.monitoring.collection.interval, use the same value in this setting. Defaults to 10 (10 seconds).
-
xpack.monitoring.history.duration
- Sets the retention duration beyond which the indices created by a monitoring exporter will be automatically deleted.
-
xpack.watcher.history.cleaner_service.enabled
- Controls whether old watcher indices are automatically deleted (requires 5.6.4 or greater).
-
xpack.http.ssl.cipher_suites
- Controls the list of supported cipher suites for all outgoing TLS connections.
-
- Scripting 5.x
-
The following settings are supported in Elasticsearch 5.x clusters:
- script.inline
- script.stored
- script.file
- script.allowed_types
- script.allowed_contexts
To learn more, see Allowed script types setting and Allowed script contexts setting.
- Scripting 6.x
-
The following settings are supported in Elasticsearch 6.x clusters:
- script.allowed_types
- script.allowed_contexts
In Elasticsearch 6.0 you can encrypt sensitive data in watcher using xpack.watcher.encrypt_sensitive_data.
To learn more, see Allowed script types setting and Allowed script contexts setting.
- Watcher and Marvel (for versions before 5.0)
-
The following Watcher and Marvel settings are supported:
-
watcher.actions.slack.service
- Configures Slack notification settings.
-
watcher.actions.hipchat.service
- Configures HipChat notification settings. Deprecated in all versions. HipChat has ceased operation.
-
watcher.actions.pagerduty.service
- Configures PagerDuty notification settings.
-
marvel.agent.interval
- Controls how often data samples are collected.
-
watcher.trigger.schedule.engine
- Defines when the watch should start, based on date and time.
-
- Disk-based shard allocation settings
-
The following disk-based allocation settings are supported:
-
cluster.routing.allocation.disk.threshold_enabled
- Enables or disables the disk allocation decider. Defaults to true.
-
cluster.routing.allocation.disk.watermark.low
- Configures disk-based shard allocation’s low watermark.
-
cluster.routing.allocation.disk.watermark.high
- Configures disk-based shard allocation’s high watermark.
-
cluster.routing.allocation.disk.watermark.flood_stage
- Configures disk-based shard allocation’s flood_stage (available only on 6.x and higher).
Remember to update user settings for alerts when performing a major version upgrade. For version 5.0 and later, the syntax is different when compared to earlier versions.
-
- Audit settings
- The following audit settings are supported:
-
xpack.security.audit.enabled
- Enables auditing on Elasticsearch cluster nodes. Defaults to false.
-
xpack.security.audit.logfile.events.include
- Specifies which events to include in the auditing output.
-
xpack.security.audit.logfile.events.exclude
- Specifies which events to exclude from the output. No events are excluded by default.
-
xpack.security.audit.logfile.events.emit_request_body
- Specifies whether to include the request body from REST requests on certain event types, for example authentication_failed. Defaults to false.
-
xpack.security.audit.logfile.emit_node_name
- For versions above 6.5.0: Specifies whether to include the node name as a field in each audit event. Defaults to true.
-
xpack.security.audit.logfile.prefix.emit_node_name
- For versions below 6.5.0: Specifies whether to include the node name as a field in each audit event. Defaults to true.
-
xpack.security.audit.logfile.emit_node_host_address
- For versions above 6.5.0: Specifies whether to include the node’s IP address as a field in each audit event. Defaults to false.
-
xpack.security.audit.logfile.prefix.emit_node_host_address
- For versions below 6.5.0: Specifies whether to include the node’s IP address as a field in each audit event. Defaults to false.
-
xpack.security.audit.logfile.emit_node_host_name
- For versions above 6.5.0: Specifies whether to include the node’s host name as a field in each audit event. Defaults to false.
-
xpack.security.audit.logfile.prefix.emit_node_host_name
- For versions below 6.5.0: Specifies whether to include the node’s host name as a field in each audit event. Defaults to false.
-
xpack.security.audit.logfile.emit_node_id
- For versions above 6.5.0: Specifies whether to include the node ID as a field in each audit event. Defaults to true.
-
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users
- A list of user names or wildcards. The specified policy will not print audit events for users matching these values.
-
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms
- A list of authentication realm names or wildcards. The specified policy will not print audit events for users in these realms.
-
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles
- A list of role names or wildcards. The specified policy will not print audit events for users that have these roles.
-
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices
- A list of index names or wildcards. The specified policy will not print audit events when all the indices in the event match these values.
To enable auditing you must first enable deployment logging.
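An audit configuration assembled from the settings listed above, shown as an added example that is not part of the original page. The policy name monitoring_noise, the user monitoring_agent, the index pattern and the choice of events are assumptions.

```yaml
# Audit user settings (constructed example; needs deployment logging enabled).
xpack.security.audit.enabled: true

# Record failures and denials, plus granted access for later correlation.
xpack.security.audit.logfile.events.include:
  - authentication_failed
  - access_denied
  - anonymous_access_denied
  - run_as_denied
  - tampered_request
  - access_granted        # high volume; trimmed by the ignore policy below

# Keep the default: request bodies can carry credentials and document
# contents, and they are written to the audit log unfiltered.
xpack.security.audit.logfile.events.emit_request_body: false

# Versions above 6.5.0: tag each event with its node for triage.
xpack.security.audit.logfile.emit_node_name: true
xpack.security.audit.logfile.emit_node_id: true

# Ignore policy "monitoring_noise" (hypothetical name). A policy drops every
# included event type that matches it, so keep it narrow: one service
# account (hypothetical user), and only when all indices in the event are
# monitoring indices.
xpack.security.audit.logfile.events.ignore_filters.monitoring_noise.users: ["monitoring_agent"]
xpack.security.audit.logfile.events.ignore_filters.monitoring_noise.indices: [".monitoring-*"]
```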
If a setting is not on this list, it cannot be set and will be rejected. Additional user settings might be added in the future.