Step 1: Install Elasticsearch
option # TLS/SSL settings for HTTP
and Basic Configuration
1.1 Download and Install
Elasticsearch
 Download and install
Elasticsearch on your
server (use the latest
version):
# Download and install
Elasticsearch (assuming you
use Ubuntu/Debian)
wget
https://artifacts.elastic.co/dow
nloads/elasticsearch/elasticse
arch-8.10.0-amd64.deb
sudo dpkg -i elasticsearch-
8.10.0-amd64.deb
 Start and enable
Elasticsearch
service:
sudo systemctl enable
elasticsearch
sudo systemctl start
elasticsearch
1.2 Basic Configuration
 Update the
elasticsearch.yml
configuration file
located in
/etc/elasticsearch/ela
sticsearch.yml.
Key settings:
cluster.name: my-secure-
cluster
node.name: node-1
network.host: 0.0.0.0 #
Adjust this based on your
network settings
http.port: 9200
You should also increase
JVM heap size
(/etc/elasticsearch/jvm.
s), typically to 50% of the
server's memory:
-Xms4g
-Xmx4g
Step 2: Set up Security
(TLS/SSL, RBAC)
2.1 Enable TLS/SSL for
Transport and HTTP Layer
(Open-Source and X-Pack)
 First, generate
certificates using the
Elasticsearch-certutil
tool:
cd
/usr/share/elasticsearch/bin/
./elasticsearch-certutil ca
./elasticsearch-certutil cert --
ca elastic-stack-ca.p12
 Move the generated
certificates to a
secure directory and
modify
elasticsearch.yml to
enable TLS
encryption:
# TLS/SSL settings for
transport layer
xpack.security.transport.ssl.e
nabled: true
xpack.security.transport.ssl.v
erification_mode: certificate
xpack.security.transport.ssl.k
ey: /path/to/your.key
xpack.security.transport.ssl.c
ertificate: /path/to/your.crt
xpack.security.transport.ssl.c
ertificate_authorities:
/path/to/ca.crt
layer
xpack.security.http.ssl.enable
d: true
xpack.security.http.ssl.key:
/path/to/http.key
xpack.security.http.ssl.certific
ate: /path/to/http.crt
xpack.security.http.ssl.certific
ate_authorities: /path/to/ca.crt
2.2 Set Up User
Authentication and Role-
Based Access Control
(RBAC) (X-Pack)
 Enable security and
user authentication in
elasticsearch.yml:
xpack.security.enabled: true
 Restart Elasticsearch
to enable security.
 Add users and roles
using the
Elasticsearch API:
# Create a role with restricted
access to logs index
PUT
/_security/role/log_reader
{
"cluster": ["monitor"],
"indices": [
{
"names": ["logs-*"],
"privileges": ["read"]
}
 ]  Navigate to the
"Monitoring" section
} Step 3: Set up Monitoring in Kibana.
with Elasticsearch and
Kibana  You can see cluster
# Create a user and assign metrics, node usage,
3.1 Install and Configure index statistics, etc.
the role
Kibana
POST /_security/user/analyst
 Download and install
{ Kibana on your
server:
"password": "password123",
wget
"roles": ["log_reader"], https://artifacts.elastic.co/dow
nloads/kibana/kibana-8.10.0-
"full_name": "Log Analyst"
amd64.deb
}
sudo dpkg -i kibana-8.10.0-
2.3 Enable API Key amd64.deb
Authentication (Optional, X-
 Start Kibana and Step 4: Enable Application
Pack)
modify kibana.yml Performance Monitoring
 Create API keys to configuration to (APM) (X-Pack)
allow services or connect to your
4.1 Install APM Server
users to interact with Elasticsearch
the cluster: instance:  Install the APM
server:
POST /_security/api_key server.port: 5601
wget
{ elasticsearch.hosts:
https://artifacts.elastic.co/dow
["https://localhost:9200"]
"name": "monitoring-key", nloads/apm-server/apm-
elasticsearch.username: server-8.10.0-amd64.deb
"expiration": "1d", "kibana_system"
sudo dpkg -i apm-server-
"role_descriptors": { elasticsearch.password: 8.10.0-amd64.deb
"monitoring": { "your-password"
 Configure the APM
"cluster": ["monitor"], server.ssl.enabled: true server to connect
with Elasticsearch:
"index": [ server.ssl.certificate:
/path/to/your.crt apm-server:
{ host: "0.0.0.0:8200"
server.ssl.key:
"names": ["metrics-*"], /path/to/your.key output.elasticsearch:
hosts:
"privileges": ["read"]  Enable monitoring of ["https://localhost:9200"]
Elasticsearch nodes username: "elastic"
} and indices: password: "your-password"
] ssl.certificate_authorities:
xpack.monitoring.collection.e ["/path/to/ca.crt"]
} nabled: true  Start the APM server:

} 3.2 Enable Monitoring and sudo systemctl start apm-

Visualize Metrics server
}
4.2 Instrument Your "actions": {  Enable audit logging
Applications "delete": {} to track all user
actions and access
 Add the APM agent } logs:
to your application
}
(e.g., Python, Java, xpack.security.audit.enabled:
Node.js) and send } true
performance data to }
the APM server. xpack.security.audit.logfile.ev
} ents.include:
# Example for Node.js [ "access_denied",
 Assign this policy to
"authentication_failed" ]
npm install elastic-apm-node indices:
--save 6.2 Field and Document
PUT /logs-*/_settings
Level Security (X-Pack)
 View performance {
data in Kibana under  Restrict access to
the APM section. "index.lifecycle.name": specific fields and
"log_policy" documents for users:
} PUT
Step 5: Data Management /_security/role/restricted_logs
5.2 Snapshot and Backup
and Index Lifecycle {
Data (X-Pack)
Management (ILM) "indices": [
 Set up snapshots to {
5.1 Set up Index Lifecycle "names": ["logs-*"],
periodically back up
Policies (Open-Source and "privileges": ["read"],
data:
X-Pack) "field_security": {
# Register a snapshot "grant": ["timestamp",
 Define policies that repository "message"]
automatically PUT /_snapshot/my_backup }
manage index { }
retention, rollover, "type": "fs", ]
and deletion: "settings": { }
"location": 6.3 IP Filtering
PUT _ilm/policy/log_policy "/mount/backups"
}  Limit access to
{
} Elasticsearch based
"policy": { on IP addresses:
"phases": { # Take a snapshot
PUT xpack.security.transport.filter.
"hot": { /_snapshot/my_backup/snaps allow: "192.168.0.0/24"
"actions": { hot_1 xpack.security.transport.filter.
{
"rollover": { deny: "0.0.0.0/0"
"indices": "logs-*",
"max_size": "50gb", "ignore_unavailable": true,
"include_global_state": false
"max_age": "30d" }
}
}
},
Step 6: Implement Security
"delete": { Best Practices
"min_age": "90d", 6.1 Audit Logging (X-Pack)