Install Elasticsearch from archive on Linux or MacOSedit

Elasticsearch is available as a .tar.gz archive for Linux and MacOS.

This package contains both free and subscription features. Start a 30-day trial to try out all of the features.

The latest stable version of Elasticsearch can be found on the Download Elasticsearch page. Other versions can be found on the Past Releases page.

Elasticsearch includes a bundled version of OpenJDK from the JDK maintainers (GPLv2+CE). To use your own version of Java, see the JVM version requirements

Download and install archive for Linuxedit

The Linux archive for Elasticsearch v8.13.4 can be downloaded and installed as follows:

shasum -a 512 -c elasticsearch-8.13.4-linux-x86_64.tar.gz.sha512 
tar -xzf elasticsearch-8.13.4-linux-x86_64.tar.gz
cd elasticsearch-8.13.4/ 

Compares the SHA of the downloaded .tar.gz archive and the published checksum, which should output elasticsearch-{version}-linux-x86_64.tar.gz: OK.

This directory is known as $ES_HOME.

Download and install archive for MacOSedit

The MacOS archive for Elasticsearch v8.13.4 can be downloaded and installed as follows:

curl -O
curl | shasum -a 512 -c - 
tar -xzf elasticsearch-8.13.4-darwin-x86_64.tar.gz
cd elasticsearch-8.13.4/ 

Compares the SHA of the downloaded .tar.gz archive and the published checksum, which should output elasticsearch-{version}-darwin-x86_64.tar.gz: OK.

This directory is known as $ES_HOME.

Enable automatic creation of system indicesedit

Some commercial features automatically create indices within Elasticsearch. By default, Elasticsearch is configured to allow automatic index creation, and no additional steps are required. However, if you have disabled automatic index creation in Elasticsearch, you must configure action.auto_create_index in elasticsearch.yml to allow the commercial features to create the following indices:

action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*

If you are using Logstash or Beats then you will most likely require additional index names in your action.auto_create_index setting, and the exact value will depend on your local configuration. If you are unsure of the correct value for your environment, you may consider setting the value to * which will allow automatic creation of all indices.

Run Elasticsearch from the command lineedit

Run the following command to start Elasticsearch from the command line:


When starting Elasticsearch for the first time, security features are enabled and configured by default. The following security configuration occurs automatically:

  • Authentication and authorization are enabled, and a password is generated for the elastic built-in superuser.
  • Certificates and keys for TLS are generated for the transport and HTTP layer, and TLS is enabled and configured with these keys and certificates.
  • An enrollment token is generated for Kibana, which is valid for 30 minutes.

The password for the elastic user and the enrollment token for Kibana are output to your terminal.

We recommend storing the elastic password as an environment variable in your shell. Example:

export ELASTIC_PASSWORD="your_password"

If you have password-protected the Elasticsearch keystore, you will be prompted to enter the keystore’s password. See Secure settings for more details.

By default Elasticsearch prints its logs to the console (stdout) and to the <cluster name>.log file within the logs directory. Elasticsearch logs some information while it is starting, but after it has finished initializing it will continue to run in the foreground and won’t log anything further until something happens that is worth recording. While Elasticsearch is running you can interact with it through its HTTP interface which is on port 9200 by default.

To stop Elasticsearch, press Ctrl-C.

All scripts packaged with Elasticsearch require a version of Bash that supports arrays and assume that Bash is available at /bin/bash. As such, Bash should be available at this path either directly or via a symbolic link.

Enroll nodes in an existing clusteredit

When Elasticsearch starts for the first time, the security auto-configuration process binds the HTTP layer to, but only binds the transport layer to localhost. This intended behavior ensures that you can start a single-node cluster with security enabled by default without any additional configuration.

Before enrolling a new node, additional actions such as binding to an address other than localhost or satisfying bootstrap checks are typically necessary in production clusters. During that time, an auto-generated enrollment token could expire, which is why enrollment tokens aren’t generated automatically.

Additionally, only nodes on the same host can join the cluster without additional configuration. If you want nodes from another host to join your cluster, you need to set to a supported value (such as uncommenting the suggested value of, or an IP address that’s bound to an interface where other hosts can reach it. Refer to transport settings for more information.

To enroll new nodes in your cluster, create an enrollment token with the elasticsearch-create-enrollment-token tool on any existing node in your cluster. You can then start a new node with the --enrollment-token parameter so that it joins an existing cluster.

  1. In a separate terminal from where Elasticsearch is running, navigate to the directory where you installed Elasticsearch and run the elasticsearch-create-enrollment-token tool to generate an enrollment token for your new nodes.

    bin/elasticsearch-create-enrollment-token -s node

    Copy the enrollment token, which you’ll use to enroll new nodes with your Elasticsearch cluster.

  2. From the installation directory of your new node, start Elasticsearch and pass the enrollment token with the --enrollment-token parameter.

    bin/elasticsearch --enrollment-token <enrollment-token>

    Elasticsearch automatically generates certificates and keys in the following directory:

  3. Repeat the previous step for any new nodes that you want to enroll.

Check that Elasticsearch is runningedit

You can test that your Elasticsearch node is running by sending an HTTPS request to port 9200 on localhost:

curl --cacert $ES_HOME/config/certs/http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200 

Ensure that you use https in your call, or the request will fail.

Path to the generated http_ca.crt certificate for the HTTP layer.

The call returns a response like this:

  "name" : "Cp8oag6",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "AT69_T_DTp-1qgIJlatQqA",
  "version" : {
    "number" : "8.13.4",
    "build_type" : "tar",
    "build_hash" : "f27399d",
    "build_flavor" : "default",
    "build_date" : "2016-03-30T09:51:41.449Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "1.2.3",
    "minimum_index_compatibility_version" : "1.2.3"
  "tagline" : "You Know, for Search"

Log printing to stdout can be disabled using the -q or --quiet option on the command line.

Run as a daemonedit

To run Elasticsearch as a daemon, specify -d on the command line, and record the process ID in a file using the -p option:

./bin/elasticsearch -d -p pid

If you have password-protected the Elasticsearch keystore, you will be prompted to enter the keystore’s password. See Secure settings for more details.

Log messages can be found in the $ES_HOME/logs/ directory.

To shut down Elasticsearch, kill the process ID recorded in the pid file:

pkill -F pid

The Elasticsearch .tar.gz package does not include the systemd module. To manage Elasticsearch as a service, use the Debian or RPM package instead.

Configure Elasticsearch on the command lineedit

Elasticsearch loads its configuration from the $ES_HOME/config/elasticsearch.yml file by default. The format of this config file is explained in Configuring Elasticsearch.

Any settings that can be specified in the config file can also be specified on the command line, using the -E syntax as follows:

./bin/elasticsearch -d

Typically, any cluster-wide settings (like should be added to the elasticsearch.yml config file, while any node-specific settings such as could be specified on the command line.

Connect clients to Elasticsearchedit

When you start Elasticsearch for the first time, TLS is configured automatically for the HTTP layer. A CA certificate is generated and stored on disk at:


The hex-encoded SHA-256 fingerprint of this certificate is also output to the terminal. Any clients that connect to Elasticsearch, such as the Elasticsearch Clients, Beats, standalone Elastic Agents, and Logstash must validate that they trust the certificate that Elasticsearch uses for HTTPS. Fleet Server and Fleet-managed Elastic Agents are automatically configured to trust the CA certificate. Other clients can establish trust by using either the fingerprint of the CA certificate or the CA certificate itself.

If the auto-configuration process already completed, you can still obtain the fingerprint of the security certificate. You can also copy the CA certificate to your machine and configure your client to use it.

Use the CA fingerprintedit

Copy the fingerprint value that’s output to your terminal when Elasticsearch starts, and configure your client to use this fingerprint to establish trust when it connects to Elasticsearch.

If the auto-configuration process already completed, you can still obtain the fingerprint of the security certificate by running the following command. The path is to the auto-generated CA certificate for the HTTP layer.

openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt

The command returns the security certificate, including the fingerprint. The issuer should be Elasticsearch security auto-configuration HTTP CA.

issuer= /CN=Elasticsearch security auto-configuration HTTP CA
SHA256 Fingerprint=<fingerprint>
Use the CA certificateedit

If your library doesn’t support a method of validating the fingerprint, the auto-generated CA certificate is created in the following directory on each Elasticsearch node:


Copy the http_ca.crt file to your machine and configure your client to use this certificate to establish trust when it connects to Elasticsearch.

Directory layout of archivesedit

The archive distributions are entirely self-contained. All files and directories are, by default, contained within $ES_HOME — the directory created when unpacking the archive.

This is very convenient because you don’t have to create any directories to start using Elasticsearch, and uninstalling Elasticsearch is as easy as removing the $ES_HOME directory. However, it is advisable to change the default locations of the config directory, the data directory, and the logs directory so that you do not delete important data later on.

Type Description Default Location Setting


Elasticsearch home directory or $ES_HOME

Directory created by unpacking the archive


Binary scripts including elasticsearch to start a node and elasticsearch-plugin to install plugins



Configuration files including elasticsearch.yml




Generated TLS keys and certificates for the transport and HTTP layer.



The location of the data files of each index / shard allocated on the node.



Log files location.




Plugin files location. Each plugin will be contained in a subdirectory.



Shared file system repository locations. Can hold multiple locations. A file system repository can be placed in to any subdirectory of any directory specified here.

Not configured


Security certificates and keysedit

When you install Elasticsearch, the following certificates and keys are generated in the Elasticsearch configuration directory, which are used to connect a Kibana instance to your secured Elasticsearch cluster and to encrypt internode communication. The files are listed here for reference.

The CA certificate that is used to sign the certificates for the HTTP layer of this Elasticsearch cluster.
Keystore that contains the key and certificate for the HTTP layer for this node.
Keystore that contains the key and certificate for the transport layer for all the nodes in your cluster.

http.p12 and transport.p12 are password-protected PKCS#12 keystores. Elasticsearch stores the passwords for these keystores as secure settings. To retrieve the passwords so that you can inspect or change the keystore contents, use the bin/elasticsearch-keystore tool.

Use the following command to retrieve the password for http.p12:

bin/elasticsearch-keystore show

Use the following command to retrieve the password for transport.p12:

bin/elasticsearch-keystore show

Next stepsedit

You now have a test Elasticsearch environment set up. Before you start serious development or go into production with Elasticsearch, you must do some additional setup: