This section describes how to deploy a three-node Elastic Search cluster. Execute all the steps on each node to install Elastic Search in cluster mode.

You can install Elastic Search in any of the following three ways:
  1. Use the Elastic Search documentation to install Elastic Search.
  2. Use the Elastic Search install script, which automates the procedure below. You can refer to the KB article from
  3. Use the manual procedure below to install Elastic Search.


  1. Stop the firewall on all 3 nodes, or open ports 9200 and 9300 on all 3 nodes.
  2. Ensure Java 1.8 is installed by running the following command (it installs the package if it is missing):
    yum install -y java-1.8.0-openjdk.x86_64
  3. If operating system is RHEL 6.9 or 6.10, then edit /etc/security/limits.d/90-nproc.conf file:
    Change "* soft nproc 1024" to "* soft nproc 4096"
    Save and close the file.
  4. Download elastic search 6.4.2 rpm from and install it using command:
    rpm -ivh elasticsearch-oss-6.4.2.rpm
  5. Run the below command to confirm the Elastic Search rpm is installed:
    rpm -qa | grep elasticsearch
  6. Run below command to enable elasticsearch service in RHEL 7.5 or 7.6:
    systemctl enable elasticsearch
    Run below command to enable elasticsearch service in RHEL 6.9 or 6.10:
    chkconfig --add elasticsearch
    chkconfig elasticsearch on
  7. Download the Readonlyrest Elastic Search plugin from the given link to enable security (authentication) in Elastic Search –
    Note: On the download page, select Product as "Elastic Search Plugin (Free)", Elastic Search Version as "6.4.2" and Send to email as "Your email". A link to the latest readonlyrest plugin will be sent to your inbox, from which you can download the zip file.
  8. Install the plugin using below command:
    /usr/share/elasticsearch/bin/elasticsearch-plugin install file:///<path to downloaded zip file>
    For example: /usr/share/elasticsearch/bin/elasticsearch-plugin install file:///root/
    Note: Press 'y' when prompted to "continue with installation".
  9. List all installed plugins, using command:
    /usr/share/elasticsearch/bin/elasticsearch-plugin list
    Create a new file "readonlyrest.yml" under /etc/elasticsearch with the below contents (the access control rules must sit under the top-level "readonlyrest:" key, as the plugin expects):
      readonlyrest:
        access_control_rules:
        - name: Accept GET,POST requests from user
          auth_key_unix: Test:$6$rounds=65635$koKSfnyc$4iZfsoA9mxZYcRMSXUylDa2T/mPWnh/WWNqI7lM.2hdXCIx5cVJY0Ni5NrBUXPc5F8xSVYGvs7ORVzAoyJeXq/
    1. Ensure the indentation while creating readonlyrest.yml file is maintained as shown above.
    2. The above readonlyrest.yml content will create a user with name "test" and password "test".
    3. To create some other user, refer to the VMware Smart Assurance UI Installation and Configuration Guide.
  10. Edit /etc/elasticsearch/elasticsearch.yml file:
    1. Change "my-application" (the cluster.name value) to "<YourClusterName>".
      Note: Ensure <YourClusterName> is the same across all 3 nodes.
    2. Change "node-1" (the node.name value) to "<FQDN>".
      Note: The node name must be unique across the cluster.
    3. Add the below lines after the line "#node.attr.rack: r1":
      node.master: true
    4. Change the "#network.host:" line to "network.host: _local_, _site_".
    5. Change "#http.port: 9200" to "http.port: <port number>". This step is optional and is required only if you want to start Elastic Search on a port other than 9200.
    6. Change '["host1", "host2"]' to '["<FQDN/IP Of Host1>", "<FQDN/IP Of Host2>", "<FQDN/IP Of Host3>"]'.
    7. Change "discovery.zen.minimum_master_nodes:" to "discovery.zen.minimum_master_nodes: 2".
    8. Add a new line "bootstrap.system_call_filter: false" if the operating system is RHEL 6.9 or 6.10.
    9. Save and close the file.
  11. Edit /etc/elasticsearch/jvm.options (optional, only if you need to increase the Java heap size; by default 1 GB of heap is allocated to ES):
    1. Change "-Xms1g" to "-Xms2g".
    2. Change "-Xmx1g" to "-Xmx2g".
  12. Start Elastic Search Service after executing steps from 1-11 on all 3 hosts.
  13. Verify Elastic Search Service status and it must be running on all 3 machines.
  14. Validate successful Elastic Search Cluster setup by executing below commands:
    1. curl -u username:password http://<ES FQDN/IP>:9200/ (The output must contain version 6.4.2 and the cluster name as set in the elasticsearch.yml file.)
    2. curl -u user:password http://<ES FQDN/IP>:9200/_cat/master? (Lists the current primary node.)
  15. Enable HTTPS in Elastic Search (Optional):
    1. Run cd /etc/elasticsearch
    2. Create the Elastic Search keystore file by running the command: <JRE_HOME>/bin/keytool -genkeypair -keystore keystore.jks -dname "CN=<FQDN>, OU=<Org Unit>, O=<Org Name>, L=<City>, ST=<State>, C=<Country>" -keypass readonlyrest -storepass readonlyrest -keyalg RSA -alias <alias name> -storetype PKCS12 -ext SAN=dns:<FQDN>,ip:<IP Address>
    3. Edit /etc/elasticsearch/elasticsearch.yml file, and add line: http.type: ssl_netty4.
    4. Edit /etc/elasticsearch/readonlyrest.yml file and add below line:
      keystore_file: "keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest
    5. Restart Elastic Search service.
  16. Other useful commands:
    Get all indices in ES: curl -u user:password http://<ES FQDN/IP>:9200/_cat/indices?v
    Delete all data events indices: curl -u user:password -X DELETE http://<ES FQDN/IP>:9200/events
    Cluster Health: curl -u user:password http://<ES FQDN/IP>:9200/_cluster/health
    Monitor shard sizes: curl -u user:password http://<ES FQDN/IP>:9200/_cat/shards
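The elasticsearch.yml edits in step 10 are the easiest place to get a three-node cluster subtly wrong (cluster name differing on one node, a duplicated node name, or a minimum_master_nodes value that does not match the master-eligible quorum and so leaves the cluster open to split brain). The following pre-flight checker is an added example, not part of the original procedure or of VMware's tooling; it uses constructed hostnames (es1/es2/es3.example.com) and a constructed cluster name, and parses only the flat "key: value" lines of elasticsearch.yml.

```python
import json

HOSTS = ["es1.example.com", "es2.example.com", "es3.example.com"]  # constructed


def sample_config(host, min_masters="2"):
    """Constructed elasticsearch.yml excerpt for one node after step 10."""
    unicast_hosts = json.dumps(HOSTS)
    return f"""# ---------------------------------- Cluster ----------------------------
cluster.name: smarts-es
node.name: {host}
node.master: true
network.host: _local_, _site_
discovery.zen.ping.unicast.hosts: {unicast_hosts}
discovery.zen.minimum_master_nodes: {min_masters}
"""


def parse_es_yml(text):
    """Parse the flat 'key: value' lines of elasticsearch.yml; '#' lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("["):        # inline list such as the unicast hosts
            value = json.loads(value)
        settings[key.strip()] = value
    return settings


def check_cluster(configs):
    """Return a list of problems found across all node configs; empty means OK."""
    parsed = {host: parse_es_yml(text) for host, text in configs.items()}
    problems = []
    cluster_names = {s.get("cluster.name") for s in parsed.values()}
    if len(cluster_names) != 1 or None in cluster_names:
        problems.append("cluster.name must be set and identical on all nodes")
    node_names = [s.get("node.name") for s in parsed.values()]
    if None in node_names or len(set(node_names)) != len(node_names):
        problems.append("node.name must be set and unique on every node")
    # node.master defaults to true when the line is absent from the file
    masters = sum(s.get("node.master", "true") == "true" for s in parsed.values())
    quorum = masters // 2 + 1            # majority of master-eligible nodes
    for host, s in parsed.items():
        if s.get("discovery.zen.minimum_master_nodes") != str(quorum):
            problems.append(f"{host}: discovery.zen.minimum_master_nodes should be {quorum}")
        if len(set(s.get("discovery.zen.ping.unicast.hosts", []))) != len(parsed):
            problems.append(f"{host}: unicast.hosts must list all {len(parsed)} nodes")
    return problems
```

Run check_cluster on the real files (read /etc/elasticsearch/elasticsearch.yml from each node into the dict) before step 12; any message returned should be fixed before the services are started.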