Merged
Changes from 7 commits
4 changes: 2 additions & 2 deletions deploy-manage/deploy/_snippets/installation-order.md
@@ -1,7 +1,7 @@
If you're deploying the {{stack}} in a self-managed cluster, then install the {{stack}} products you want to use in the following order:

* {{es}}
* {{kib}}
* [{{es}}](/deploy-manage/deploy/self-managed/installing-elasticsearch.md)
* [{{kib}}](/deploy-manage/deploy/self-managed/install-kibana.md)
* [Logstash](logstash://reference/index.md)
* [{{agent}}](/reference/fleet/index.md) or [Beats](beats://reference/index.md)
* [APM](/solutions/observability/apps/application-performance-monitoring-apm.md)
@@ -0,0 +1,11 @@
When you start {{es}} for the first time, it automatically performs the following security setup:

* Generates [TLS certificates](#stack-security-certificates) for the [transport and HTTP layers](/deploy-manage/security/secure-cluster-communications.md#communication-channels)
* Applies TLS configuration settings to `elasticsearch.yml`
* Creates an enrollment token to securely connect {{kib}} to {{es}}

You can then start {{kib}} and enter the enrollment token, which is valid for 30 minutes. This token automatically applies the security settings from your {{es}} cluster, authenticates to {{es}} with the built-in `kibana` service account, and writes the security configuration to `kibana.yml`.

::::{note}
There are [some cases](/deploy-manage/security/self-auto-setup.md#stack-skip-auto-configuration) where security can’t be configured automatically because the node startup process detects that the node is already part of a cluster, or that security is already configured or explicitly disabled.
::::
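Review bot: The paragraph after the bullet list tells the reader to enter the enrollment token within 30 minutes but never says where the token comes from. Another snippet in this change notes that under `systemd` the `elastic` password is not output at first start; if this snippet is used on those pages, the same gap applies to the token, so point to `elasticsearch-create-enrollment-token -s kibana` here. Also, `#stack-security-certificates` in the first bullet is a same-page anchor inside a snippet, so it only resolves on pages that define that ID; a full path would be safer.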
Expand Up @@ -5,7 +5,7 @@ curl --cacert {{es-conf}}{{slash}}certs{{slash}}http_ca.crt {{escape}} <1>
-u elastic:$ELASTIC_PASSWORD https://localhost:9200 <2>
```
1. `--cacert`: Path to the generated `http_ca.crt` certificate for the HTTP layer.
2. Replace `$ELASTIC_PASSWORD` with the `elastic` superuser password that you copied from the install command output. Ensure that you use `https` in your call, or the request will fail.
2. Replace `$ELASTIC_PASSWORD` with the `elastic` superuser password. Ensure that you use `https` in your call, or the request will fail.



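Review bot: Callout 2 now says to replace `$ELASTIC_PASSWORD` without saying where the password comes from, and it still reads as a manual substitution even though the `pw-env-var.md` snippet recommends storing the password as an environment variable. Suggest wording along the lines of: use the `elastic` password that you stored as an environment variable in the earlier step, or replace the variable with the password itself.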
@@ -0,0 +1,9 @@
Perform the following steps on each node in the cluster:

1. Open `elasticsearch.yml` in a text editor.
2. Comment out or remove the `cluster.initial_master_nodes` setting.
3. Update the `discovery.seed_hosts` value so it contains the IP address and port of each of the master-eligible {{es}} nodes in the cluster.

If you don't perform these steps, then one or more nodes will fail the [discovery configuration bootstrap check](/deploy-manage/deploy/self-managed/bootstrap-checks.md#bootstrap-checks-discovery-configuration) when they are restarted.

For more information, refer to [](/deploy-manage/distributed-architecture/discovery-cluster-formation.md).
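Review bot: Step 3 asks for "the IP address and port of each of the master-eligible {{es}} nodes" but gives no example of the expected value, and the procedure does not say when to run it (once every node has been enrolled and the cluster has formed). A short YAML sample of `discovery.seed_hosts` and one sentence on timing would make the steps complete. The link on the last line has empty link text; confirm the docs build fills in the target title.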
18 changes: 12 additions & 6 deletions deploy-manage/deploy/self-managed/_snippets/enroll-nodes.md
@@ -1,10 +1,16 @@
::::{note}
To add a node to a cluster running on multiple machines, you must also set [`discovery.seed_hosts`](/deploy-manage/deploy/self-managed/important-settings-configuration.md#unicast.hosts) so that the new node can discover the rest of its cluster.
::::

To enroll new nodes in your cluster, create an enrollment token with the [`elasticsearch-create-enrollment-token`](elasticsearch://reference/elasticsearch/command-line-tools/create-enrollment-token.md) tool on any existing node in your cluster. You can then start a new node with the `--enrollment-token` parameter so that it joins an existing cluster.

1. In a separate terminal from where {{es}} is running, navigate to the directory where you installed {{es}} and run the `elasticsearch-create-enrollment-token` tool to generate an enrollment token for your new nodes.

1. Using a text editor, update the `cluster.name` in `elasticsearch.yml` to match the other nodes in your cluster.

:::{tip}
If this value isn't updated and you attempt to join an existing cluster, then the connection will fail with the following error:

```
handshake failed: remote cluster name [cluster-to-join] does not match local cluster name [current-cluster-name]
```

2. In a separate terminal from where {{es}} is running, navigate to the directory where you installed {{es}} and run the `elasticsearch-create-enrollment-token` tool to generate an enrollment token for your new nodes.

```sh subs=true
bin{{slash}}elasticsearch-create-enrollment-token -s node
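Review bot: The `:::{tip}` opened under the new step 1 is never closed: the fence with the handshake error ends and step 2 follows with no closing `:::`, so the rest of the list would be pulled into the tip. Add the closing `:::` after the fence and check that the tip is indented under step 1 so the numbering continues. Step 1 also does not say that the `elasticsearch.yml` being edited is the new node's, while step 2 runs on an existing node; naming the host in each step would prevent edits on the wrong machine.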
Expand All @@ -14,7 +20,7 @@ To enroll new nodes in your cluster, create an enrollment token with the [`elast

An enrollment token has a lifespan of 30 minutes. You should create a new enrollment token for each new node that you add.

2. From the installation directory of your new node, start {{es}} and pass the enrollment token with the `--enrollment-token` parameter.
3. From the installation directory of your new node, start {{es}} and pass the enrollment token with the `--enrollment-token` parameter.

```sh subs=true
bin{{slash}}elasticsearch --enrollment-token <enrollment-token>
15 changes: 7 additions & 8 deletions deploy-manage/deploy/self-managed/_snippets/first-node.md
@@ -1,25 +1,24 @@
Update the {{es}} configuration on this first node so that other hosts are able to connect to it by editing the settings in [`elasticsearch.yml`](/deploy-manage/deploy/self-managed/configure-elasticsearch.md):

1. Retrieve the external IP address of your host. You’ll need this value later.
2. Open `elasticsearch.yml` in a text editor.
1. Open `elasticsearch.yml` in a text editor.

3. In a multi-node {{es}} cluster, all of the {{es}} instances need to have the same name.
2. In a multi-node {{es}} cluster, all of the {{es}} instances need to have the same name.

In the configuration file, uncomment the line `#cluster.name: my-application` and give the {{es}} instance any name that you’d like:

```yaml
cluster.name: elasticsearch-demo
```

4. By default, {{es}} runs on `localhost`. For {{es}} instances on other nodes to be able to join the cluster, you need to set up {{es}} to run on a routable, external IP address.
3. By default, {{es}} runs on `localhost`. For {{es}} instances on other nodes to be able to join the cluster, you need to set up {{es}} to run on a routable, external IP address.

Uncomment the line `#network.host: 192.168.0.1` and replace the default address with the value that you retrieved in step one. For example:
Uncomment the line `#network.host: 192.168.0.1` and replace the default address with `0.0.0.0`. The `0.0.0.0` setting enables {{es}} to listen for connections on all available network interfaces. In a production environment, you might want to [use a different value](elasticsearch:///reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings).

```yaml
network.host: 10.128.0.84
network.host: 0.0.0.0
```

5. {{es}} needs to be enabled to listen for connections from other, external hosts.
4. {{es}} needs to be enabled to listen for connections from other, external hosts.

Uncomment the line `#transport.host: 0.0.0.0`. The `0.0.0.0` setting enables {{es}} to listen for connections on all available network interfaces. In a production environment you might want to restrict this by setting this value to match the value set for `network.host`.

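Review bot: With step 3 now setting `network.host: 0.0.0.0`, the production advice in step 4 to restrict `transport.host` by "setting this value to match the value set for `network.host`" no longer restricts anything. The previous example bound to a single address (`10.128.0.84`); this version opens both the HTTP and transport listeners on every interface, with only "you might want to use a different value" as the caveat. Suggest keeping a specific-address example alongside `0.0.0.0`, or rewording step 4 to say to bind to a specific interface address. The new link in step 3 also uses `elasticsearch:///reference` with three slashes, while the other links in this file use `elasticsearch://reference`.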
Expand All @@ -31,4 +30,4 @@ Update the {{es}} configuration on this first node so that other hosts are able
You can find details about the `network.host` and `transport.host` settings in the {{es}} [networking settings reference](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md).
::::

6. Save your changes and close the editor.
5. Save your changes and close the editor.
Expand Up @@ -25,9 +25,9 @@ When you install {{es}}, the installation process configures a single-node clust
The `elasticsearch-reconfigure-node` tool has updated several settings. For example:

* The `transport.host: 0.0.0.0` setting is already uncommented.
* The `discovery_seed.hosts` setting has the value that you added for `network_host` on the first {{es}} node. As you add each new {{es}} node to the cluster, the `discovery_seed.hosts` setting will contain an array of the IP addresses and port numbers to connect to each {{es}} node that was previously added to the cluster.
* The `discovery_seed.hosts` setting has the value has the IP address and port of the other {{es}} nodes added the cluster so far. As you add each new {{es}} node to the cluster, the `discovery_seed.hosts` setting will contain an array of the IP addresses and port numbers to connect to each {{es}} node that was previously added to the cluster.

6. In the configuration file, uncomment the line `#cluster.name: my-application` and set it to match the name you specified for the first Elasti{{es}} node:
6. In the configuration file, uncomment the line `#cluster.name: my-application` and set it to match the name you specified for the first {{es}} node:

```yml
cluster.name: elasticsearch-demo
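Review bot: The rewritten bullet names the setting `discovery_seed.hosts`, but the setting is `discovery.seed_hosts`, which is how the other files in this change spell it, and the new sentence is garbled: "has the value has the IP address and port of the other {{es}} nodes added the cluster so far". Suggest: "The `discovery.seed_hosts` setting contains the IP address and port of the other {{es}} nodes added to the cluster so far."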
4 changes: 3 additions & 1 deletion deploy-manage/deploy/self-managed/_snippets/ports.md
Expand Up @@ -6,4 +6,6 @@ These settings can be overridden in the relevant configuration file.
| --- | --- | --- | --- |
| 9200-9300 | HTTP (REST) | REST API for Elasticsearch. This is the primary interface used for access to the cluster from external sources, including {{kib}} and {{ls}}. | Elasticsearch [`http.port`](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings) |
| 9300-9400 | TCP | Transport API. Used for intra-cluster communications and client access via the transport API (Java client). | Elasticsearch [`transport.port`](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings) |
| 5601 | HTTP | {{kib}} default access port. | Kibana [`server.port`](kibana://reference/configuration-reference/general-settings.md#server-port) |
| 5601 | HTTP | {{kib}} default access port. | Kibana [`server.port`](kibana://reference/configuration-reference/general-settings.md#server-port) |

Additional ports might be required for [optional {{stack}} components](/get-started/the-stack.md). Refer to the installation guide for the component that you want to install.
2 changes: 0 additions & 2 deletions deploy-manage/deploy/self-managed/_snippets/pw-env-var.md
@@ -1,5 +1,3 @@
The password for the `elastic` user and the enrollment token for {{kib}} are output to your terminal.

We recommend storing the `elastic` password as an environment variable in your shell. For example:

```sh subs=true
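Review bot: Removing the "output to your terminal" sentence from this shared snippet means every page that includes `pw-env-var.md` has to supply its own lead-in. This change adds the sentence to the two pages where {{es}} is started from the command line; check for any other includer that would now open with "We recommend storing the `elastic` password" and no mention of where the password came from.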
@@ -0,0 +1,5 @@
Because {{es}} runs with `systemd` and not in a terminal, the `elastic` superuser password is not output when {{es}} starts for the first time. Use the [`elasticsearch-reset-password`](elasticsearch://reference/elasticsearch/command-line-tools/reset-password.md) tool tool to set the password for the user:

```shell
bin/elasticsearch-reset-password -u elastic
```
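Review bot: "tool tool" is duplicated in the first sentence. The command also uses a relative `bin/` path, which only works from the {{es}} home directory; since this text is for installs that run under `systemd`, give the full path or say which directory to run it from. "Set the password" is imprecise as well: without `-i` the tool prints a generated password rather than prompting for one, and the reader needs to know to copy it because the next snippet asks them to store it.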
Expand Up @@ -26,6 +26,10 @@ applies_to:
:::{include} _snippets/java-version.md
:::

:::{tip}
Elastic recommends that you run the commands in this guide using a normal user account, and avoid running the commands as `root`.
:::

## Before you start

:::{include} _snippets/prereqs.md
Expand Down Expand Up @@ -91,21 +95,29 @@ Alternatively, you can add a security override by following the instructions in
:::{include} _snippets/cluster-formation-brief.md
:::

If you're installing a subsequent node, then skip to [Enroll the node in an existing cluster](#existing-cluster).
* If you're installing the first node in a multi-node cluster across multiple hosts, then you need to [configure the node so that other hosts are able to connect to it](#first-node).

### Set up a node as the first node in a multi-host cluster
* If you're installing additional nodes for a cluster, then you need to [generate an enrollment token and pass it when starting {{es}} for the first time](#existing-cluster).

### Set up a node as the first node in a multi-host cluster [first-node]

:::{include} _snippets/first-node.md
:::

### Enroll the node in an existing cluster [existing-cluster]

:::{include} _snippets/enroll-nodes.md
:::

## Step 4: Start {{es}} [targz-running]

You have several options for starting {{es}}:

* [Run from the command line](#command-line)
* [Run the node to be enrolled in an existing cluster](#existing-cluster)
* [Run as a daemon](#setup-installation-daemon)

If you're starting a node that will be enrolled in an existing cluster, refer to [Enroll the node in an existing cluster](#existing-cluster).

### Run {{es}} from the command line [command-line]

:::{include} _snippets/targz-start.md
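Review bot: The enroll section now sits under Step 3, before "Step 4: Start {{es}}", yet the last step of `enroll-nodes.md` starts {{es}} with `--enrollment-token`, so a reader following the page in order starts the node during Step 3. The options list then links back up to `#existing-cluster`, and the sentence added after the list repeats that bullet. Suggest dropping either the bullet or the sentence, and stating in Step 3 that enrolling includes the first start of the node.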
Expand All @@ -116,6 +128,8 @@ You have several options for starting {{es}}:
:::{include} _snippets/auto-security-config.md
:::

The password for the `elastic` user and the enrollment token for {{kib}} are output to your terminal.

:::{include} _snippets/pw-env-var.md
:::

Expand All @@ -124,11 +138,6 @@ You have several options for starting {{es}}:
:::{include} _snippets/cmd-line-config.md
:::

### Enroll the node in an existing cluster [existing-cluster]

:::{include} _snippets/enroll-nodes.md
:::

### Run as a daemon [setup-installation-daemon]

:::{include} _snippets/targz-daemon.md
Expand Up @@ -145,17 +145,29 @@ sudo dpkg -i elasticsearch-{{stack-version}}-amd64.deb

### Security at startup [deb-security-configuration]

:::{include} _snippets/auto-security-config.md
:::{include} _snippets/auto-security-config-rpm-deb.md
:::

## Step 6: Reset the `elastic` superuser password

:::{include} _snippets/reset-superuser-rpm-deb.md
:::

:::{include} _snippets/pw-env-var.md
:::

## Step 6: Check that {{es}} is running [deb-check-running]
## Step 7: Check that {{es}} is running [deb-check-running]

:::{include} _snippets/check-es-running.md
:::

## Step 8 (Multi-node clusters only): Clean up the config files

If you are deploying a multi-node cluster, then the `elasticsearch-reconfigure-node` tool adds all existing nodes to each newly enrolled node's `discovery.seed_hosts` setting. However, you need to go back to all of the nodes in the cluster and edit them so each node in the cluster can restart and rejoin the cluster as expected.

:::{include} _snippets/clean-up-multinode.md
:::

## Configuring {{es}} [deb-configuring]

:::{include} _snippets/etc-elasticsearch.md
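Review bot: The two new headings, "Step 6: Reset the `elastic` superuser password" and "Step 8 (Multi-node clusters only): Clean up the config files", have no anchor IDs, while the neighbouring headings do (`[deb-check-running]`, `[deb-configuring]`). Add IDs so the steps can be linked. In the Step 8 paragraph, "edit them" reads as editing the nodes; say that the `elasticsearch.yml` file on each node is what needs editing.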
Expand Up @@ -137,17 +137,29 @@ sudo zypper modifyrepo --enable elasticsearch && \

### Security at startup [deb-security-configuration]

:::{include} _snippets/auto-security-config.md
:::{include} _snippets/auto-security-config-rpm-deb.md
:::

## Step 6: Reset the `elastic` superuser password

:::{include} _snippets/reset-superuser-rpm-deb.md
:::

:::{include} _snippets/pw-env-var.md
:::

## Step 6: Check that {{es}} is running [rpm-check-running]
## Step 7: Check that {{es}} is running [rpm-check-running]

:::{include} _snippets/check-es-running.md
:::

## Step 8 (Multi-node clusters only): Clean up the config files

If you are deploying a multi-node cluster, then the `elasticsearch-reconfigure-node` tool adds all existing nodes to each newly enrolled node's `discovery.seed_hosts` setting. However, you need to go back to all of the nodes in the cluster and edit them so each node in the cluster can restart and rejoin the cluster as expected.

:::{include} _snippets/clean-up-multinode.md
:::

## Configuring {{es}} [rpm-configuring]

:::{include} _snippets/etc-elasticsearch.md
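Review bot: The context heading "Security at startup" carries the ID `deb-security-configuration`, while the other anchors in this hunk are prefixed `rpm-` (`rpm-check-running`, `rpm-configuring`). Since this hunk changes the include under that heading, it is a good moment to fix the ID, keeping existing inbound links in mind. The new Step 6 and Step 8 headings also lack anchor IDs.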
Expand Up @@ -58,22 +58,28 @@ cd C:\Program Files\elasticsearch-{{stack-version}}
:::{include} _snippets/cluster-formation-brief.md
:::

If you're installing a subsequent node, then skip to [Enroll the node in an existing cluster](#existing-cluster).
* If you're installing the first node in a multi-node cluster across multiple hosts, then you need to [configure the node so that other hosts are able to connect to it](#first-node).

### Set up a node as the first node in a multi-host cluster
* If you're installing additional nodes for a cluster, then you need to [generate an enrollment token and pass it when starting {{es}} for the first time](#existing-cluster).

### Set up a node as the first node in a multi-host cluster [first-node]

:::{include} _snippets/first-node.md
:::

### Enroll the node in an existing cluster [existing-cluster]

:::{include} _snippets/enroll-nodes.md
:::

## Step 4: Run {{es}}

You have several options for starting {{es}}:

* [Run from the command line](#command-line)
* [Run the node to be enrolled in an existing cluster](#existing-cluster)
* [Install and run as a service](#windows-service)

You can run {{es}} [from the command line](#command-line), or install and run {{es}} [as a service](#windows-service).
If you're starting a node that will be enrolled in an existing cluster, refer to [Enroll the node in an existing cluster](#existing-cluster).

### Run {{es}} from the command line [command-line]

Expand All @@ -85,6 +91,8 @@ You can run {{es}} [from the command line](#command-line), or install and run {{
:::{include} _snippets/auto-security-config.md
:::

The password for the `elastic` user and the enrollment token for {{kib}} are output to your terminal.

:::{include} _snippets/pw-env-var.md
:::

Expand All @@ -93,11 +101,6 @@ You can run {{es}} [from the command line](#command-line), or install and run {{
:::{include} _snippets/cmd-line-config.md
:::

### Enroll the node in an existing cluster [existing-cluster]

:::{include} _snippets/enroll-nodes.md
:::

### Install and run {{es}} as a service on Windows [windows-service]

You can install {{es}} as a service that runs in the background or starts automatically at boot time without user interaction.
Expand Down Expand Up @@ -217,6 +220,13 @@ Most changes (like JVM settings) made through the manager GUI will require a res
:::{include} _snippets/check-es-running.md
:::

## Step 6 (Multi-node clusters only): Clean up the config files

If you are deploying a multi-node cluster, then the enrollment process adds all existing nodes to each newly enrolled node's `discovery.seed_hosts` setting. However, you need to go back to all of the nodes in the cluster and edit them so each node in the cluster can restart and rejoin the cluster as expected.

:::{include} _snippets/clean-up-multinode.md
:::

## Connect clients to {{es}} [_connect_clients_to_es_4]

:::{include} _snippets/connect-clients.md
Expand Up @@ -98,7 +98,14 @@ By default, {{kib}} runs in the foreground, prints its logs to the standard outp
:::{include} _snippets/enroll-steps.md
:::

## Step 5: Configure {{kib}} using the config file [targz-configuring]
## Step 5 (Multi-node clusters only): Clean up the config files

If you are deploying a multi-node cluster, then the enrollment process adds all existing nodes to each newly enrolled node's `discovery.seed_hosts` setting. However, you need to go back to all of the nodes in the cluster and edit them so each node in the cluster can restart and rejoin the cluster as expected.

:::{include} _snippets/clean-up-multinode.md
:::

## Configure {{kib}} using the config file [targz-configuring]

{{kib}} loads its configuration from the `$KIBANA_HOME/config/kibana.yml` file by default. The format of this config file is explained in [](configure-kibana.md).

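Review bot: This step is about `discovery.seed_hosts`, an `elasticsearch.yml` setting, but the surrounding context is the {{kib}} page: it lands between the `enroll-steps.md` include and the `kibana.yml` section. Check whether it was meant for the {{es}} tar.gz install page instead. The hunk also drops "Step 5:" from the "Configure {{kib}} using the config file" heading; confirm the remaining step numbering on the page is still consistent.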