Elasticsearch tuning
This guide summarizes the relevant settings that enable Elasticsearch optimization.
Change users' password
Changing the default passwords of Elasticsearch is highly recommended in order to improve security.
The following script allows changing the password for a given user. In this example the admin user is used:
Download the script:
# curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/resources/4.1/open-distro/tools/wazuh-passwords-tool.sh
Run the script:
# bash wazuh-passwords-tool.sh -u admin -p mypassword
This is the output of the script:
Creating backup...
Backup created
Generating hash
Hash generated
Loading changes...
Done
Password changed. Remember to update the password in /etc/filebeat/filebeat.yml and /etc/kibana/kibana.yml if necessary and restart the services.
The script allows changing the password for either a single user or all the users present in the /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml file. All the available options to run the script are:
Options | Purpose
---|---
-a / --change-all | Generates random passwords, changes all the Open Distro user passwords and prints them on screen
-p / --password <password> | Indicates the new password; must be used together with the -u / --user option
-u / --user <user> | Indicates the name of the user whose password will be changed. If no password is specified, a random one is generated
-v / --verbose | Shows the complete script execution output
-h / --help | Shows help
To generate and change passwords for all users, run the script with the -a option:
Run the script:
# bash wazuh-passwords-tool.sh -a
This is the output of the script:
Generating random passwords
Done
Creating backup...
Backup created
Generating hashes
Hashes generated
Loading changes...
Done
The password for admin is Re6dEMVUcB_c6rEDf_C_nkBCZkwFKtZL
The password for kibanaserver is 4KLxLHor69cq2i1jFXmSUjBTVjG2yhU9
The password for kibanaro is zCd-SrihVwzfRxj5qPrwlSgmZJP9RsMA
The password for logstash is OmbPImuV5fv11R6XYAG92cUjaDy9PkdH
The password for readall is F2vglVGFJHXohwqEW5G4Tfjsiz-qqkTU
The password for snapshotrestore is rd35bCchP3Uf-0w77VCEJzHF7WEP3fNw
Passwords changed. Remember to update the password in /etc/filebeat/filebeat.yml and /etc/kibana/kibana.yml if necessary and restart the services.
Note
The password may need to be updated in both /etc/filebeat/filebeat.yml and /etc/kibana/kibana.yml. After changing the configuration files, remember to restart the corresponding services.
During the installation of Elasticsearch, the passwords for the different users were automatically generated. These passwords can be changed afterwards using API requests. Replace the following variables and execute the corresponding API call:
<elasticsearch_ip>: The IP of the Elasticsearch node.
<username>: The name of the user whose password is going to be changed.
<user_password>: The user's current password.
<new_password>: The new password that will be assigned to the <username> user.
# curl -k -X POST -u <username>:<user_password> "https://<elasticsearch_ip>:9200/_security/user/<username>/_password?pretty" -H 'Content-Type: application/json' -d '
{
  "password" : "<new_password>"
}
'
If the call was successful, it returns an empty JSON structure: { }
Note
The password may need to be updated in /etc/filebeat/filebeat.yml and /etc/kibana/kibana.yml.
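The API call above, as an added example that is not part of the Wazuh documentation: it builds the same POST to /_security/user/<username>/_password with basic authentication, treats the empty JSON object the page describes as the only success response, and verifies the node's TLS certificate against a CA file instead of skipping verification as curl -k does. Host, user names, passwords and the ES_* environment variables are placeholders.

```python
"""Change an Elasticsearch user's password through the _password API.

Added example, not part of the Wazuh documentation. It assumes the endpoint
shown on the page (POST https://<elasticsearch_ip>:9200/_security/user/<username>/_password)
and that success is signalled by an empty JSON object.
"""
import base64
import json
import os
import ssl
import urllib.error
import urllib.request


def build_request(elasticsearch_ip, username, current_password, new_password):
    """Build the POST request the page issues with curl.

    Basic auth carries the <username>:<user_password> pair and the body is the
    JSON document {"password": "<new_password>"}.
    """
    url = f"https://{elasticsearch_ip}:9200/_security/user/{username}/_password"
    body = json.dumps({"password": new_password}).encode()
    token = base64.b64encode(f"{username}:{current_password}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Basic {token}")
    return req


def is_success(response_body):
    """The API answers an empty JSON object on success; anything else is a failure."""
    try:
        return json.loads(response_body) == {}
    except ValueError:
        return False


def change_password(elasticsearch_ip, username, current_password, new_password, cafile=None):
    """Send the request and return (succeeded, raw_response_body).

    cafile: path to the CA certificate that signed the node certificate, so the
    TLS certificate is verified rather than ignored. With cafile=None the
    system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_request(elasticsearch_ip, username, current_password, new_password)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as exc:
        # Authentication or validation errors come back as JSON error documents.
        body = exc.read().decode()
    return is_success(body), body


if __name__ == "__main__":
    # Placeholder environment variables: secrets are read from the environment
    # rather than passed on the command line, where they would be visible in
    # the process list and shell history.
    ok, body = change_password(
        os.environ.get("ES_HOST", "127.0.0.1"),
        os.environ.get("ES_USER", "admin"),
        os.environ["ES_CURRENT_PASSWORD"],
        os.environ["ES_NEW_PASSWORD"],
        cafile=os.environ.get("ES_CA_FILE"),
    )
    print("password changed" if ok else f"failed: {body}")
```

After a successful run the same password still has to be placed in /etc/filebeat/filebeat.yml and /etc/kibana/kibana.yml as the note above says; the script only changes it on the Elasticsearch side.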
Memory locking
Elasticsearch malfunctions when the system is swapping memory. It is crucial for the health of the node that none of the JVM is ever swapped out to disk. The following steps show how to set the bootstrap.memory_lock setting to true so Elasticsearch will lock the process address space into RAM. This prevents any Elasticsearch memory from being swapped out.
Set bootstrap.memory_lock: Uncomment or add this line to the /etc/elasticsearch/elasticsearch.yml file:
bootstrap.memory_lock: true
Edit the limit of system resources:
Where to configure system settings depends on which package and operating system are used for the Elasticsearch installation.
In a case where systemd is used, system limits need to be specified via systemd. To do this, create the folder by executing the command:
# mkdir -p /etc/systemd/system/elasticsearch.service.d/
Then, in the new directory, add a file called elasticsearch.conf and specify any changes in that file:
# cat > /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf << EOF
[Service]
LimitMEMLOCK=infinity
EOF
Otherwise, edit the proper file, /etc/sysconfig/elasticsearch for RPM or /etc/default/elasticsearch for Debian:
MAX_LOCKED_MEMORY=unlimited
Limit memory:
The previous configuration might cause node instability or even node death with an OutOfMemory exception if Elasticsearch tries to allocate more memory than is available. JVM heap limits will help limit memory usage and prevent this situation. Two rules must be applied when setting Elasticsearch's heap size:
Use no more than 50% of available RAM.
Use no more than 32 GB.
It is also important to consider the memory usage of the operating system, services and software running on the host. By default, Elasticsearch is configured with a heap of 1 GB. It can be changed via JVM flags using the /etc/elasticsearch/jvm.options file:
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms4g
-Xmx4g
Warning
The minimum (Xms) and maximum (Xmx) sizes must be the same to prevent JVM heap resizing at runtime, as this is a very costly process.
Restart Elasticsearch:
# systemctl daemon-reload
# systemctl restart elasticsearch
# service elasticsearch restart
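The two heap rules and the Xms/Xmx warning above, turned into a check that can be run against a jvm.options file before restarting. This is an added example, not part of the Wazuh documentation; the jvm.options text in the test and the RAM sizes are constructed, and the /etc/elasticsearch/jvm.options path under main is the one the page names.

```python
"""Check the heap settings in an Elasticsearch jvm.options file.

Added example, not part of the Wazuh documentation. Reports any of:
  - Xms and Xmx missing or different (the JVM would resize the heap at runtime)
  - Xmx above 50% of the host RAM
  - Xmx above 32 GB
"""
import os
import re

GIB = 1024 ** 3
MAX_HEAP = 32 * GIB
SIZE_RE = re.compile(r"^-X(ms|mx)(\d+)([kKmMgG]?)$")
UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": GIB}


def parse_heap(jvm_options_text):
    """Return {'Xms': bytes, 'Xmx': bytes} from the -Xms/-Xmx lines.

    Comment lines (starting with '#') are ignored; if a flag appears more than
    once the last occurrence wins, as the JVM applies them in order.
    """
    heap = {}
    for line in jvm_options_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SIZE_RE.match(line)
        if match:
            heap["X" + match.group(1)] = int(match.group(2)) * UNIT[match.group(3).lower()]
    return heap


def check_heap(jvm_options_text, total_ram_bytes):
    """Return a list of findings; an empty list means the settings follow the rules."""
    heap = parse_heap(jvm_options_text)
    findings = []
    if "Xms" not in heap or "Xmx" not in heap:
        findings.append("both -Xms and -Xmx must be set explicitly")
        return findings
    if heap["Xms"] != heap["Xmx"]:
        findings.append("Xms and Xmx differ: the JVM will resize the heap at runtime")
    if heap["Xmx"] > total_ram_bytes // 2:
        findings.append(
            f"Xmx {heap['Xmx'] // GIB} GB exceeds 50% of RAM ({total_ram_bytes // GIB} GB)"
        )
    if heap["Xmx"] > MAX_HEAP:
        findings.append(f"Xmx {heap['Xmx'] // GIB} GB exceeds the 32 GB limit")
    return findings


def host_ram_bytes():
    """Total physical memory, as reported by sysconf on Linux."""
    return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")


if __name__ == "__main__":
    with open("/etc/elasticsearch/jvm.options") as fh:
        problems = check_heap(fh.read(), host_ram_bytes())
    if problems:
        for problem in problems:
            print("FAIL:", problem)
    else:
        print("OK: heap settings follow the 50% / 32 GB / Xms == Xmx rules")
```

The 4 GB example from the page passes on any host with at least 8 GB of RAM; the same file on a 4 GB host is reported because the heap would take all of the memory the operating system and other services need.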
After starting Elasticsearch, run the following request to verify that the setting was successfully changed by checking the value of mlockall:
# curl "http://localhost:9200/_nodes?filter_path=**.mlockall&pretty"
{
"nodes" : {
"sRuGbIQRRfC54wzwIHjJWQ" : {
"process" : {
"mlockall" : true
}
}
}
}
If the "mlockall" field in the output is false, the memory lock request has failed. In addition, the following line will appear in /var/log/elasticsearch/elasticsearch.log:
Unable to lock JVM Memory
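The verification step above as an added example, not part of the Wazuh documentation: it parses the _nodes?filter_path=**.mlockall response, lists the nodes whose JVM memory is not locked, and scans the log text for the "Unable to lock JVM Memory" line. The node ids and the log excerpt used in the test are constructed; the URL and log path under main are the ones the page uses.

```python
"""Verify Elasticsearch memory locking from the _nodes API and the log.

Added example, not part of the Wazuh documentation. The JSON shape handled
here is the one returned by GET /_nodes?filter_path=**.mlockall.
"""
import json
import urllib.request

LOCK_FAILURE_MARKER = "Unable to lock JVM Memory"
NODES_URL = "http://localhost:9200/_nodes?filter_path=**.mlockall"
LOG_PATH = "/var/log/elasticsearch/elasticsearch.log"


def nodes_without_mlockall(nodes_response_text):
    """Return the ids of nodes whose process.mlockall is anything but true.

    A node that is missing the field altogether is reported too: with the
    filter_path above the field is only absent when the node did not report it.
    """
    doc = json.loads(nodes_response_text)
    unlocked = []
    for node_id, node in doc.get("nodes", {}).items():
        if node.get("process", {}).get("mlockall") is not True:
            unlocked.append(node_id)
    return unlocked


def lock_failures_in_log(log_text):
    """Return the log lines that report the JVM memory could not be locked."""
    return [line for line in log_text.splitlines() if LOCK_FAILURE_MARKER in line]


def memory_lock_ok(nodes_response_text, log_text=""):
    """True when every node reports mlockall == true and the log shows no lock failure."""
    return not nodes_without_mlockall(nodes_response_text) and not lock_failures_in_log(log_text)


def fetch_nodes(url=NODES_URL):
    """Fetch the _nodes document from a running node (same request as the page's curl)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    nodes_text = fetch_nodes()
    try:
        with open(LOG_PATH) as fh:
            log_text = fh.read()
    except OSError:
        log_text = ""
    unlocked = nodes_without_mlockall(nodes_text)
    failures = lock_failures_in_log(log_text)
    if not unlocked and not failures:
        print("OK: JVM memory is locked on every node")
    else:
        for node_id in unlocked:
            print(f"FAIL: node {node_id} reports mlockall != true")
        for line in failures:
            print("LOG:", line)
```

When the check fails, the LimitMEMLOCK (systemd) or MAX_LOCKED_MEMORY (SysV init) setting from the previous step is the usual cause, followed by a missing daemon-reload before the restart.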