How to Install Elasticsearch 9 on Ubuntu

Elasticsearch 9 is a powerful open-source search and analytics engine that sits at the heart of the Elastic Stack. This guide walks you through installing Elasticsearch 9 on Ubuntu from the official Elastic repository using the modern DEB822 format. By the end, you’ll have a running Elasticsearch instance ready for log analysis, semantic search, or real-time analytics workloads.

Elasticsearch 9 builds on Lucene 10 and brings notable improvements over version 8. The semantic_text field type is now generally available for simplified semantic search, the new rank_vectors field enables late-interaction reranking with models like ColBERT, and ES|QL gains LOOKUP JOIN support for cross-index queries. Security defaults are also tightened, with TLSv1.1 now disabled by default.

The Elastic repository uses a universal package format that works on all current Ubuntu releases, including 22.04 LTS, 24.04 LTS, and 26.04 LTS. Commands shown in this guide work identically regardless of your specific Ubuntu LTS version.

Compare Elasticsearch Versions for Ubuntu

Before proceeding, consider which Elasticsearch version best fits your requirements. Major version upgrades involve breaking changes, so choose carefully based on your project needs and existing infrastructure.

Elasticsearch Version	Key Features	Choose It When	Trade-offs
Install Elasticsearch 8 on Ubuntu	Lucene 9, automatic security enabled, faster indexing, kNN vector search	Running production workloads with established 8.x clusters, using plugins not yet updated for 9.x, or needing maximum ecosystem compatibility	Will eventually reach end-of-life; lacks ES|QL LOOKUP JOIN, rank_vectors, and other 9.x features
Elasticsearch 9 (This Guide)	Lucene 10, GA semantic_text field, rank_vectors for ColBERT-style reranking, ES|QL LOOKUP JOIN, TLSv1.1 disabled by default	New deployments that benefit from semantic search features, projects using ColBERT or similar models, or environments requiring the latest security defaults	Some plugins and integrations may lag initial releases; newer ecosystem with less community troubleshooting available

For most new installations, Elasticsearch 9 is recommended unless you have specific compatibility requirements with existing 8.x clusters or plugins. Both versions receive security updates from Elastic, but version 9 includes the latest features and performance improvements.

Update Ubuntu System Packages

Before installing any new software, first update your package index and upgrade existing packages. This step ensures you have the latest security patches and avoids dependency conflicts during installation:

sudo apt update && sudo apt upgrade

After the upgrade completes, proceed with the installation steps below.

Install Required Prerequisites

The installation process requires curl to download the signing key and gpg to convert it to the binary format APT expects. Install these packages if they are not already present:

sudo apt install curl gpg

Generally, both packages are pre-installed on standard Ubuntu desktop and server installations, but they may be absent in minimal or container environments.

Import the Elasticsearch GPG Key

Next, download the Elasticsearch signing key and convert it to the binary format used by APT. This key verifies that packages genuinely come from Elastic and have not been tampered with:

curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

The --dearmor flag converts the ASCII-armored key to binary format, which is required for modern APT repository configurations. The key is stored in /usr/share/keyrings/, the standard location for third-party repository keys on Ubuntu.

Add the Elasticsearch Repository

Now create a repository source file using the DEB822 format. This modern format replaced the legacy one-line .list format and provides clearer, more maintainable configuration:

cat <<EOF | sudo tee /etc/apt/sources.list.d/elasticsearch.sources
Types: deb
URIs: https://artifacts.elastic.co/packages/9.x/apt
Suites: stable
Components: main
Architectures: amd64
Signed-By: /usr/share/keyrings/elasticsearch-keyring.gpg
EOF

This configuration tells APT to fetch Elasticsearch 9.x packages from the official Elastic repository. The Signed-By field links to the GPG key you imported earlier, ensuring package authenticity. The Suites: stable entry means Elastic uses a universal repository that works across all Debian-based distributions without requiring codename-specific branches.

Once the repository is configured, update your package index to make the new packages available:

sudo apt update

Install Elasticsearch

With the repository in place, you can now install Elasticsearch:

sudo apt install elasticsearch

The installation downloads approximately 600 MB of data (Elasticsearch bundles its own Java runtime) and may take several minutes depending on your connection speed. During installation, the package configures the elasticsearch user and group, sets up directories, and generates initial security credentials.

After installation completes, the installer displays important security information including the generated password for the elastic superuser. Copy this password and store it securely. If you miss it, you can reset the password using the command shown in the troubleshooting section below.

Start and Enable the Elasticsearch Service

Elasticsearch does not start automatically after installation. This is intentional, allowing you to adjust configuration before the first startup if needed. To enable the service for automatic startup at boot and start it immediately, run:

sudo systemctl enable elasticsearch --now

The --now flag combines enable and start into a single command. Elasticsearch may take 30 to 60 seconds to fully initialize on first startup, especially on systems with limited memory, as it performs bootstrap checks and generates TLS certificates.

Verify the Service Status

Once the service has started, confirm that Elasticsearch is running correctly:

sudo systemctl status elasticsearch

You should see output showing an active service:

● elasticsearch.service - Elasticsearch
     Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-01-02 10:30:00 UTC; 30s ago
       Docs: https://www.elastic.co
   Main PID: 12345 (java)
     Memory: 1.2G
        CPU: 45.123s
     CGroup: /system.slice/elasticsearch.service
             └─12345 /usr/share/elasticsearch/jdk/bin/java ...

If you see Active: active (running), your installation was successful. If the status shows failed or inactive, check the troubleshooting section below.

Test the Elasticsearch API

Elasticsearch 9 enables security by default, including TLS encryption on all interfaces. For local testing, query the cluster information using the generated CA certificate:

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200

When you run this command, it prompts for the elastic user password that was generated during installation. After entering the password, curl returns cluster information in JSON format:

{
  "name" : "ubuntu-server",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "abc123...",
  "version" : {
    "number" : "9.2.3",
    "build_flavor" : "default",
    "build_type" : "deb",
    ...
  },
  "tagline" : "You Know, for Search"
}

A successful response confirms that Elasticsearch is running, TLS is working, and authentication is properly configured.

Understand Elasticsearch Directories and Configuration

Familiarizing yourself with key file locations helps with configuration, troubleshooting, and backup planning.

Key Directory Locations

Path	Purpose
/etc/elasticsearch/	Configuration files including elasticsearch.yml
/var/lib/elasticsearch/	Index data, cluster state, and snapshots
/var/log/elasticsearch/	Application and slow query logs
/etc/elasticsearch/certs/	TLS certificates for secure communication
/etc/default/elasticsearch	JVM options and environment variables

Main Configuration File

The primary configuration file controls cluster settings, network binding, and discovery options:

sudo nano /etc/elasticsearch/elasticsearch.yml

Default configurations work well for single-node development setups. For production clusters or remote access, you will need to modify network and discovery settings as described in the next section.

Configure Remote Access (Optional)

By default, Elasticsearch only listens on localhost (127.0.0.1). If you need to access Elasticsearch from other machines, for example to connect Kibana or Logstash running on different servers, you must configure network binding.

Edit Network Settings

To begin, open the main configuration file:

sudo nano /etc/elasticsearch/elasticsearch.yml

Then locate the Network section and modify the network.host setting. Common configurations include:

Bind to a specific private IP:

network.host: 192.168.1.100

Bind to all interfaces (use with caution):

network.host: 0.0.0.0

Additional Cluster Settings

Additionally, when enabling remote access, you may want to configure:

# Identify your cluster
cluster.name: my-elasticsearch-cluster

# Name this node
node.name: node-1

# For single-node setups, disable discovery
discovery.type: single-node

The discovery.type: single-node setting is essential for single-node deployments. Without it, Elasticsearch waits indefinitely for other nodes to form a cluster before becoming operational. For multi-node clusters, configure discovery.seed_hosts with the addresses of other nodes instead of using single-node mode.

Apply Configuration Changes

After making changes, restart Elasticsearch to apply them:

sudo systemctl restart elasticsearch

Verify the service started successfully with sudo systemctl status elasticsearch before proceeding. Configuration errors often prevent startup, so check the logs if the service fails.

Configure JVM Memory Settings

Elasticsearch runs on the Java Virtual Machine, and proper memory allocation is critical for performance. By default, Elasticsearch configures heap size based on available system memory, but you may need to adjust this for your workload.

To adjust memory settings, create a custom JVM options file:

sudo nano /etc/elasticsearch/jvm.options.d/heap.options

Then add your memory settings. Set both values equal to avoid performance issues from heap resizing:

-Xms2g
-Xmx2g

Memory guidance: Set heap to no more than 50% of available RAM, and never exceed 31GB. For a server with 8GB RAM, 2 to 4GB heap is appropriate. Always keep enough memory free for the operating system and filesystem cache, which Elasticsearch relies on heavily for search performance.

Finally, restart Elasticsearch to apply the memory settings:

sudo systemctl restart elasticsearch

Configure UFW Firewall for Elasticsearch

If you have enabled remote access, you will also need to configure your firewall to allow connections. For detailed firewall management, see our comprehensive UFW firewall configuration guide on Ubuntu.

Allow Specific IP Addresses

For security, the best approach is to allow only specific IP addresses. Replace 192.168.1.50 with the actual IP of the client machine:

sudo ufw allow from 192.168.1.50 to any port 9200

Allow a Subnet

Alternatively, to allow all machines on a local network:

sudo ufw allow from 192.168.1.0/24 to any port 9200

Verify Firewall Rules

After adding rules, check your current firewall configuration:

sudo ufw status numbered

You should see output showing the new rule:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 9200                       ALLOW IN    192.168.1.0/24

Security note: Avoid using sudo ufw allow 9200 without source restrictions in production. This opens Elasticsearch to all incoming traffic, which is a significant security risk even with authentication enabled.

Troubleshooting Common Issues

Elasticsearch Fails to Start

If the service fails to start, check the logs for specific error messages:

sudo journalctl -u elasticsearch --no-pager -n 50

Common causes and solutions:

Insufficient memory: Elasticsearch requires at least 2GB of RAM. On systems with limited memory, reduce the heap size in /etc/elasticsearch/jvm.options.d/heap.options.

Permission errors: The elasticsearch user must own the data directory:

sudo chown -R elasticsearch:elasticsearch /var/lib/elasticsearch

Port already in use: Check if another process is using port 9200:

sudo ss -tlnp | grep 9200

Cannot Connect Remotely

If Elasticsearch runs but remote connections still fail, verify the following:

Verify network binding:

sudo ss -tlnp | grep 9200

If output shows 127.0.0.1:9200, Elasticsearch is only listening locally. Update network.host in the configuration and restart the service.

Check firewall rules:

sudo ufw status

Make sure port 9200 is allowed from the client’s IP address.

Reset the Elastic User Password

If you missed the initial password during installation or need to change it:

sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

This command generates a new random password and displays it. You can also use the -i flag to interactively set a password of your choice.

Clear APT Cache After Repository Changes

If you encounter package conflicts or stale metadata after modifying repositories:

sudo apt clean
sudo apt update

Remove Elasticsearch

If you need to uninstall Elasticsearch, follow these steps to completely remove the software along with its associated files.

Stop and Disable the Service

First, stop the running service and prevent it from starting at boot:

sudo systemctl stop elasticsearch
sudo systemctl disable elasticsearch

Uninstall the Package

Next, uninstall Elasticsearch and clean up any unused dependencies:

sudo apt remove --purge elasticsearch
sudo apt autoremove

Delete Repository Configuration

Then delete the repository source file and GPG key that were created during installation:

sudo rm /etc/apt/sources.list.d/elasticsearch.sources
sudo rm /usr/share/keyrings/elasticsearch-keyring.gpg

Remove Data and Configuration (Optional)

The following commands permanently delete all Elasticsearch indices, configuration files, and logs. Back up any data you need before proceeding.

sudo rm -rf /var/lib/elasticsearch
sudo rm -rf /var/log/elasticsearch
sudo rm -rf /etc/elasticsearch

Finally, update your package index to confirm the repository was removed:

sudo apt update

Conclusion

You have installed Elasticsearch 9 on Ubuntu from the official Elastic repository using the modern DEB822 configuration format. Your Elasticsearch instance is now ready to index data and serve search queries. For production deployments, consider configuring TLS certificates for inter-node communication, setting up authentication for all users, and implementing regular snapshot backups.

To expand your Elastic Stack further, you can add Kibana for visualization and Logstash or Beats for data ingestion. Elasticsearch 9 also introduces new capabilities like the semantic_text field for simplified semantic search and rank_vectors for advanced reranking with models like ColBERT. The official Elastic documentation provides comprehensive guides for these features and advanced configuration options.

Useful Links

For further reading and official resources:

• Elasticsearch Debian/Ubuntu Installation Guide: Official installation documentation from Elastic.
• Elasticsearch Release Notes: Latest features and improvements in Elasticsearch 9.
• Elasticsearch Security Setup: Configure authentication and TLS for production use.