In the YML Configuration section of the Cluster Configuration page of your Alibaba Cloud Elasticsearch cluster, you can enable the Auto Indexing, Audit Log Indexing, or Watcher feature. You can also configure Index Deletion and Other Configurations. This topic describes how to configure the following items: parameters in the YML file of the cluster, cross-origin resource sharing (CORS), a remote reindex whitelist, the Audit Log Indexing feature, and queue sizes.

Precautions

The network architecture of Alibaba Cloud Elasticsearch was adjusted in October 2020. Due to this adjustment, you cannot use the reindex API to migrate data between clusters in some scenarios. For more information, see the "Limits" section in Migrate data from a self-managed Elasticsearch cluster to an Alibaba Cloud Elasticsearch cluster deployed in the new network architecture.
Note The time when the network architecture in the China (Zhangjiakou) region and the regions outside China was adjusted is uncertain. If you want to perform the preceding operations between a cluster created before October 2020 and a cluster created in October 2020 or later in such a region, submit a ticket to contact Alibaba Cloud technical support to check whether the clusters are deployed in the same network architecture.

Configure the parameters in the YML file

  1. Log on to the Elasticsearch console.
  2. In the left-side navigation pane, click Elasticsearch Clusters.
  3. Navigate to the desired cluster.
    1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
    2. In the left-side navigation pane, click Elasticsearch Clusters. On the Elasticsearch Clusters page, find the cluster and click its ID.
  4. In the left-side navigation pane of the page that appears, choose Configuration and Management > Cluster Configuration.
  5. On the Cluster Configuration page, click Modify Configuration on the right side of YML Configuration.
  6. In the YML File Configuration panel, configure the following parameters.
    Parameter Description
    Auto Indexing Specifies whether to automatically create an index if a new document is uploaded to the Elasticsearch cluster but no index exists. We recommend that you disable the Auto Indexing feature because the indexes that are automatically created may not meet your business requirements.

    This parameter corresponds to the action.auto_create_index configuration item in the YML file. The default value of this configuration item is false.

    Index Deletion Specifies whether to specify the index name when you delete an index. If you set this parameter to Allow Wildcards, you can use wildcards to delete multiple indexes at a time. Deleted indexes cannot be recovered. Exercise caution when you configure this parameter.

    This parameter corresponds to the action.destructive_requires_name configuration item in the YML file. The default value of this configuration item is true.

    Audit Log Indexing If you enable Audit Log Indexing, the system generates audit logs for the create, delete, modify, and search operations that are performed in the Elasticsearch cluster. These logs consume disk space and affect cluster performance. Therefore, we recommend that you disable Audit Log Indexing and exercise caution when you configure this parameter. For more information about the parameters related to the Audit Log Indexing feature, see Configure the Audit Log Indexing feature.
    Notice For Elasticsearch V7.X clusters, you can view their audit logs in the Elasticsearch console. Before you view the audit logs of a cluster, make sure that the Audit Log Indexing feature is enabled. For more information about how to view the audit logs of a cluster, see Query logs. For Elasticsearch clusters of other versions, you need to run the related commands to view their audit logs. For example, to view the audit logs of such a cluster, you can log on to the Kibana console of the cluster and run the related command in the Kibana console to view indexes whose names start with .security_audit_log-.

    This parameter corresponds to the xpack.security.audit.enabled configuration item in the YML file. The default value of this configuration item is false.

    Watcher If you enable Watcher, you can use the X-Pack Watcher feature. You must clear the .watcher-history* index on a regular basis to free up disk space.

    This parameter corresponds to the xpack.watcher.enabled configuration item in the YML file. The default value of this configuration item is false.

    Other Configurations The following description provides some of the supported configuration items. Unless otherwise specified, these items are available for Elasticsearch V5.X, V6.X, and V7.X clusters.
    • Configure CORS
      • http.cors.enabled
      • http.cors.allow-origin
      • http.cors.max-age
      • http.cors.allow-methods
      • http.cors.allow-headers
      • http.cors.allow-credentials
    • Configure a remote reindex whitelist

      reindex.remote.whitelist

    • Configure the Audit Log Indexing feature
      Notice Elasticsearch V7.X clusters supports only the xpack.security.audit.logfile.events.include parameter.
      • xpack.security.audit.enabled
      • xpack.security.audit.index.bulk_size
      • xpack.security.audit.index.flush_interval
      • xpack.security.audit.index.rollover
      • xpack.security.audit.index.events.include
      • xpack.security.audit.index.events.exclude
      • xpack.security.audit.index.events.emit_request_body
    • Configure queue sizes
      • thread_pool.bulk.queue_size (available for Elasticsearch V5.X clusters)
      • thread_pool.write.queue_size (available for Elasticsearch V6.X and V7.X clusters)
      • thread_pool.search.queue_size
    • Configure a custom SQL plug-in

      xpack.sql.enabled

      By default, Elasticsearch clusters use the built-in SQL plug-in provided by X-Pack. If you want to upload a custom SQL plug-in to your Elasticsearch cluster, set xpack.sql.enabled to false.

    Warning
    • Before you configure the YML file of your Elasticsearch cluster, you must make sure that the cluster is in a normal state. After you configure the YML file, the system restarts the cluster. The time required for the restart depends on the size, data volume, and load of the cluster. We recommend that you configure the YML file of a cluster during off-peak hours.
    • In most cases, if the indexes of your cluster have replica shards and the load of your cluster is normal, your cluster can still provide services during a cluster configuration change. The following items indicate that the load of a cluster is normal: The CPU utilization of each node in the cluster is about 60%, the heap memory usage of each node in the cluster is about 50%, and the value of NodeLoad_1m for each node is less than the number of vCPUs for the node.
    • If the indexes of your cluster do not have replica shards, the load of the cluster is excessively high, and large amounts of data are written to or queried in your cluster, access timeouts may occur during a cluster modification. We recommend that you configure an access retry mechanism for your client before you perform a cluster modification. This reduces the impact on your business.
  7. In the lower part of the panel, select This operation will restart the cluster. Continue? and click OK.
    Then, the system restarts the Elasticsearch cluster. You can view the restart progress in the Tasks dialog box. After the cluster is restarted, the configurations in the YML file are updated.

Configure CORS

You can configure CORS to allow browsers on other origins to access your Elasticsearch cluster. CORS can be configured in the YML File Configuration panel. The following table lists the parameters that you can configure.
Notice
  • The parameters in the following table are custom parameters provided by Alibaba Cloud Elasticsearch to support HTTP.
  • The parameters in the following table support only static configurations. For the parameter settings to take effect, you must add the settings to the elasticsearch.yml file.
  • The parameters in the following table depend on the network settings of your Elasticsearch cluster.
Parameter Default value Description
http.cors.enabled false Specifies whether to enable CORS. CORS allows browsers on other origins to access your Elasticsearch cluster. Valid values:
  • true: indicates that CORS is enabled. In this case, the system can process OPTIONS CORS requests. If the origin in a request is declared in http.cors.allow-origin, the system returns a response whose header contains Access-Control-Allow-Origin.
  • false: indicates that CORS is disabled. In this case, the system ignores the origin in the request header and returns a response whose header does not contain Access-Control-Allow-Origin. If a client cannot send a pre-flight request that has origin information included in the request header or does not verify Access-Control-Allow-Origin in the response header returned from the server, cross-origin access security is compromised. If CORS is disabled, a client can send only an OPTIONS request to check whether Access-Control-Allow-Origin exists.
http.cors.allow-origin "" The origins from which requests are allowed. By default, no origin is allowed. You can set this parameter to a regular expression, such as /https?:\/\/localhost(:[0-9]+)?/. This regular expression indicates that the system responds to requests that match the regular expression.
Notice Asterisks (*) are valid characters but may cause security risks. If an asterisk is used, your cluster is open to all origins. We recommend that you do not use asterisks.
http.cors.max-age 1728000 (20 days) Browsers can send OPTIONS requests to query CORS configurations. This parameter specifies the cache duration of the retrieved CORS configurations. Unit: seconds.
http.cors.allow-methods OPTIONS, HEAD, GET, POST, PUT, DELETE The request methods.
http.cors.allow-headers X-Requested-With, Content-Type, Content-Length The request headers.
http.cors.allow-credentials false The credential configuration item. This item specifies whether Access-Control-Allow-Credentials can be contained in the response header. Valid values:
  • true: indicates that Access-Control-Allow-Credentials can be contained in the response header.
  • false: indicates that Access-Control-Allow-Credentials cannot be contained in the response header.

Configure a remote reindex whitelist

Before you call the reindex API to migrate index data from a remote Elasticsearch cluster to the current Elasticsearch cluster, you must configure a remote reindex whitelist for the current Elasticsearch cluster. You can configure the whitelist in the YML File Configuration panel. The following table describes the parameter that you can configure.
Parameter Default value Description
reindex.remote.whitelist [] The address of the remote cluster.

Specify the address in the Host IP address:Port number format. If you want to specify multiple addresses, separate them with commas (,), such as otherhost:9200,another:9200,127.0.10.**:9200,localhost:**. The whitelist does not identify protocols.

If the remote cluster is a single-zone Elasticsearch cluster, specify the address of the cluster in the <Domain name of the cluster>:9200 format. If the remote cluster is a multi-zone Elasticsearch cluster, specify the addresses of the cluster by using the IP addresses of all data nodes in the cluster and the port number of the cluster. The following description provides configuration examples:
  • Single-zone clusterReindex whitelist for a single-zone cluster
    reindex.remote.whitelist: ["es-cn-09k1rgid9000g****.elasticsearch.aliyuncs.com:9200"]
  • Multi-zone clusterReindex whitelist for a multi-zone cluster
    reindex.remote.whitelist: ["10.0.xx.xx:9200","10.0.xx.xx:9200","10.0.xx.xx:9200","10.15.xx.xx:9200","10.15.xx.xx:9200","10.15.xx.xx:9200"]
    Note After the remote reindex whitelist is configured, you can call the reindex API to reindex data. For more information, see Use the reindex API to migrate data.

Configure the Audit Log Indexing feature

You can enable the Audit Log Indexing feature in the YML File Configuration panel to view the related logs. After the feature is enabled, you can customize its configurations. The following code provides sample configurations:
  • Elasticsearch V7.X cluster
    xpack:
      security:
        audit:
          logfile:
            events:
              include: >-
                access_denied,anonymous_access_denied,authentication_failed,connection_denied,tampered_request,run_as_denied,run_as_granted
    Notice Elasticsearch V7.X clusters supports only the xpack.security.audit.logfile.events.include parameter.
  • Elasticsearch cluster of a version other than V7.X
    xpack.security.audit.index.bulk_size: 5000
    xpack.security.audit.index.events.emit_request_body: false
    xpack.security.audit.index.events.exclude: run_as_denied,anonymous_access_denied,realm_authentication_failed,access_denied,connection_denied
    xpack.security.audit.index.events.include: authentication_failed,access_granted,tampered_request,connection_granted,run_as_granted
    xpack.security.audit.index.flush_interval: 180s
    xpack.security.audit.index.rollover: hourly
    xpack.security.audit.index.settings.index.number_of_replicas: 1
    xpack.security.audit.index.settings.index.number_of_shards: 10
Parameter Default value Description
xpack.security.audit.index.bulk_size 1000 You can write audit events to an audit log index in batches. This parameter specifies the maximum number of audit events that can be written in each batch.
xpack.security.audit.index.flush_interval 1s The frequency at which buffered audit events are flushed to the audit log index.
xpack.security.audit.index.rollover daily The frequency at which audit events are rolled over to a new audit log index. Valid values: hourly, daily, weekly, and monthly.
xpack.security.audit.logfile.events.include access_denied,anonymous_access_denied,authentication_failed, connection_denied,tampered_request,run_as_denied,run_as_granted The types of audit events that can be written to audit log indexes. This parameter is available only for Elasticsearch V7.X clusters. For more information about how to view the audit logs of an Elasticsearch V7.X cluster, see Query logs. For more information about audit event types supported by Elasticsearch V7.X clusters, see Audit event types (7.x).
xpack.security.audit.index.events.include access_denied, access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted The types of audit events that can be written to audit log indexes. This parameter is available only for Elasticsearch clusters of a version other than V7.X. For more information about audit event types supported by such clusters, see Audit event types (6.x).
xpack.security.audit.index.events.exclude null, which indicates that the system does not process audit events The types of audit events that cannot be written to audit log indexes.
xpack.security.audit.index.events.emit_request_body false Specifies whether to ignore or include REST request bodies when a specific audit event is triggered, such as authentication_failed.
Notice
  • If an audit event contains a request body, sensitive data may be exposed.
  • After the Audit Log Indexing feature is enabled for an Elasticsearch cluster of a version other than V7.X, audit events are stored in the audit log indexes of the cluster. The names of the indexes start with .security_audit_log-. These indexes consume the storage of your cluster. Elasticsearch does not automatically clear expired indexes. You must manually clear expired audit log indexes.
For an Elasticsearch cluster of a version other than V7.X, you can also use xpack.security.audit.index.settings to specify the indexes that are used to store audit events. The following code provides a configuration example. In this example, the numbers of primary shards and replica shards for the indexes are set to 1.
xpack.security.audit.index.settings:
  index:
    number_of_shards: 1
    number_of_replicas: 1
Note If you want to customize the configurations for audit log indexes, add the configurations to the YML file of your cluster after you set xpack.security.audit.enabled to true to enable Audit Log Indexing. If you do not customize the configurations, the system uses the default settings number_of_shards: 5 and number_of_replicas: 1 to create the indexes.

For more information, see Auditing Security Settings.

Configure queue sizes

You can customize queue sizes to adjust the sizes of the document write queue and document search queue. You can configure the queue sizes in the YML File Configuration panel. The following code provides configuration examples. In the examples, the size of the document write queue is set to 500 and that of the document search queue is set to 1000. You can change these values based on your business requirements.
  • Elasticsearch V5.X clusters
    thread_pool.bulk.queue_size: 500
    thread_pool.search.queue_size: 1000
  • Elasticsearch V6.X and V7.X clusters
    thread_pool.write.queue_size: 500
    thread_pool.search.queue_size: 1000
Parameter Default value Description
thread_pool.bulk.queue_size 200 The size of the document write queue. This parameter is available for Elasticsearch V5.X clusters.
thread_pool.write.queue_size 200 The size of the document write queue. This parameter is available for Elasticsearch V6.X and V7.X clusters.
thread_pool.search.queue_size 1000 The size of the document search queue.