Getting Started with Securityedit

To secure a cluster, you must install X-Pack on every node in the cluster. Basic authentication is enabled by default—​to communicate with the cluster, you must specify a username and password. Unless you enable anonymous access, all requests that don’t include a user name and password are rejected.

X-Pack security provides a built-in elastic superuser you can use to start setting things up. This elastic user has full access to the cluster, including all indices and data, so make sure you change the default password and protect the elastic user credentials accordingly.

To get started with X-Pack security:

  1. Install X-Pack and start Elasticsearch and Kibana.
  2. Change the passwords of the built in kibana, logstash_system and elastic users:

    curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{
      "password" : "elasticpassword"
    curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/kibana/_password' -H "Content-Type: application/json" -d '{
      "password" : "kibanapassword"
    curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/logstash_system/_password' -H "Content-Type: application/json" -d '{
      "password" : "logstashpassword"

    The default password for the elastic user is changeme.

  3. Set up roles and users to control access to Elasticsearch and Kibana. For example, to grant John Doe full access to all indices that match the pattern events* and enable him to create visualizations and dashboards for those indices in Kibana, you could create an events_admin role and and assign the role to a new johndoe user.

    curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/events_admin' -H "Content-Type: application/json" -d '{
      "indices" : [
          "names" : [ "events*" ],
          "privileges" : [ "all" ]
          "names" : [ ".kibana*" ],
          "privileges" : [ "manage", "read", "index" ]
    curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/johndoe' -H "Content-Type: application/json" -d '{
      "password" : "userpassword",
      "full_name" : "John Doe",
      "email" : "john.doe@anony.mous",
      "roles" : [ "events_admin" ]
  4. Enable Auditing to keep track of attempted and successful interactions with your Elasticsearch cluster:

    1. Add the following setting to elasticsearch.yml on all nodes in your cluster: true
    2. Restart Elasticsearch.

    By default, events are logged to a dedicated elasticsearch-access.log file in ES_HOME/logs. You can also store the events in an Elasticsearch index for easier analysis and control what events are logged. For more information, see Configuring Auditing.

Once you get these basic security measures in place, we strongly recommend that you secure communications to and from nodes by configuring your cluster to use SSL/TLS encryption. Nodes that do not have encryption enabled send passwords in plain text!

Depending on your security requirements, you might also want to: