Existing Elastic Stack deployments often need Elasticsearch 8 even after Elasticsearch 9 is available, especially when clients, plugins, or cluster upgrade plans are pinned to the 8.x branch. You can install Elasticsearch 8 on Ubuntu from Elastic’s official APT repository and run it as a normal systemd service with security enabled by default.
On Ubuntu 26.04, 24.04, and 22.04, Elastic’s 8.x APT repository currently installs Elasticsearch 8.19.15 on amd64 and arm64 systems. Elastic’s version policy lists Elastic Stack 8.x support through July 15, 2027, giving existing 8.x clusters time to plan a controlled Elasticsearch 9 upgrade.
Install Elasticsearch 8 on Ubuntu
The Elastic APT repository installs the Debian package, configures the elasticsearch user and group, enables security auto-configuration, and leaves service startup under your control. Run these commands from an account with sudo access.
Update APT and Install Prerequisites
Refresh package metadata, then install the tools needed to fetch and store Elastic’s signing key. Minimal or server Ubuntu images may not include curl or gpg.
sudo apt update
sudo apt install curl gpg ca-certificates
Import the Elastic Signing Key
Store the Elastic signing key in /usr/share/keyrings/ so the key is scoped to the Elastic source file instead of being trusted globally.
sudo install -d -m 0755 /usr/share/keyrings
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor --yes -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo chmod 0644 /usr/share/keyrings/elasticsearch-keyring.gpg
The chmod command leaves the keyring readable by APT while keeping the file owned by root.
Confirm the key fingerprint before adding the repository. Elastic’s current Elasticsearch signing key fingerprint is 4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4.
gpg --show-keys --with-fingerprint /usr/share/keyrings/elasticsearch-keyring.gpg
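The fingerprint comparison above can be scripted so provisioning stops on a mismatch instead of relying on a visual check. This is an added example, not part of Elastic's instructions; the function names and the sample listing are constructed, and only the fingerprint and key ID come from this guide.

```sh
# Added example: gate repository setup on the signing-key fingerprint.
# Fingerprint as quoted in this guide, with the spaces removed.
EXPECTED_FPR="46095ACC8548582C1A2699A9D27D666CD88E42B4"

# Constructed sample of `gpg --show-keys --with-colons` output. Only the key ID
# and primary fingerprint come from this guide; the rest are placeholders.
SAMPLE_LISTING='pub:-:2048:1:D27D666CD88E42B4:0:::-:::scSC:
fpr:::::::::46095ACC8548582C1A2699A9D27D666CD88E42B4:
uid:-::::0::PLACEHOLDER::Constructed sample UID:
sub:-:2048:1:0000000000000000:0::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# Print the fingerprint of every primary key: the fpr record after each pub record.
# Subkey fingerprints (fpr records after a sub record) are ignored.
primary_fingerprints() {
  awk -F: '
    $1 == "pub"         { want = 1; next }
    $1 == "fpr" && want { print toupper($10); want = 0 }
  '
}

# Succeed only if the listing holds exactly one primary key and it is the expected one.
# Zero keys yields an empty string and extra keys yield several lines, so both fail.
verify_keyring_listing() {
  [ "$(primary_fingerprints)" = "$1" ]
}

# Real use (needs gpg and the keyring written in the previous step):
#   gpg --show-keys --with-colons /usr/share/keyrings/elasticsearch-keyring.gpg \
#     | verify_keyring_listing "$EXPECTED_FPR" || { echo "fingerprint mismatch" >&2; exit 1; }
if printf '%s\n' "$SAMPLE_LISTING" | verify_keyring_listing "$EXPECTED_FPR"; then
  echo "sample listing: fingerprint matches"
fi
```

Rejecting a keyring that contains any additional primary key matters because every key in the Signed-By file is trusted to sign this repository.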
Add the Elasticsearch 8 APT Source
Create a DEB822 source file for Elastic’s 8.x APT repository. The stable suite is Elastic’s repository suite name, not an Ubuntu codename, so do not replace it with resolute, noble, or jammy. Elastic’s repository metadata advertises additional indexes for the wider Elastic Stack, but the Elasticsearch package is published for amd64 and arm64, so this source file limits APT to those package architectures.
printf '%s\n' \
'Types: deb' \
'URIs: https://artifacts.elastic.co/packages/8.x/apt' \
'Suites: stable' \
'Components: main' \
'Architectures: amd64 arm64' \
'Signed-By: /usr/share/keyrings/elasticsearch-keyring.gpg' | sudo tee /etc/apt/sources.list.d/elasticsearch.sources >/dev/null
Refresh APT so the new source is available.
sudo apt update
Verify the Candidate and Install Elasticsearch
Check the package policy before installation. The candidate should begin with 8., and the source line should reference https://artifacts.elastic.co/packages/8.x/apt. If the candidate begins with 9., another Elastic 9.x source is still enabled and should be disabled before installing Elasticsearch 8.
apt-cache policy elasticsearch
Relevant output includes:
Candidate: 8.19.15
8.19.15 500
500 https://artifacts.elastic.co/packages/8.x/apt stable/main amd64 Packages
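For unattended provisioning, the same candidate check can be turned into a gate that fails when the candidate is not an 8.x build from the 8.x repository. This is an added example, not from the original guide; the function names are hypothetical and the sample output is constructed, with a placeholder 9.x version number.

```sh
# Added example: refuse to install unless the APT candidate is an 8.x build
# served from the Elastic 8.x repository.
WANT_URI="https://artifacts.elastic.co/packages/8.x/apt"

# Constructed sample: policy output when a leftover 9.x source is still enabled.
SAMPLE_MIXED='elasticsearch:
  Installed: (none)
  Candidate: 9.0.0
  Version table:
     9.0.0 500
        500 https://artifacts.elastic.co/packages/9.x/apt stable/main amd64 Packages
     8.19.15 500
        500 https://artifacts.elastic.co/packages/8.x/apt stable/main amd64 Packages'

# Read `apt-cache policy elasticsearch` output on stdin and print
# "<candidate> <source>" for every source that offers the candidate version.
candidate_sources() {
  awk '
    $1 == "Candidate:"         { cand = $2; next }
    $1 == "***"                { ver = $2; next }    # row for the installed version
    $1 ~ /^[0-9]+$/ && NF >= 2 { if (ver != "" && (ver "") == (cand "")) print cand, $2; next }
    NF == 2 && $2 ~ /^[0-9]+$/ { ver = $1 }          # row for an available version
  '
}

# Succeed only if the candidate is 8.x and every repository offering it is WANT_URI.
candidate_is_8x() {
  candidate_sources | awk -v want="$WANT_URI" '
    $2 == "/var/lib/dpkg/status" { next }            # local install record, not a repository
    { seen = 1; if ($1 !~ /^8\./ || $2 != want) bad = 1 }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# Real use: apt-cache policy elasticsearch | candidate_is_8x && sudo apt install elasticsearch
if printf '%s\n' "$SAMPLE_MIXED" | candidate_is_8x; then
  echo "candidate OK"
else
  echo "candidate is not from the 8.x repository; disable the other Elastic source first"
fi
```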
Install Elasticsearch after the candidate check points at the Elastic 8.x repository.
sudo apt install elasticsearch
The package is large because it bundles its own Java runtime. During installation, Elastic’s post-install scripts create the service account, generate TLS material, enable authentication, and print the initial password for the elastic built-in superuser. Store that password securely when it appears.
The Debian package does not start Elasticsearch automatically after installation. This gives you a chance to review configuration, memory, and network settings before the first service start.
Start and Enable Elasticsearch
Reload systemd, enable Elasticsearch for future boots, and start the service.
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
Check both the runtime state and the boot-time enablement state.
systemctl is-active elasticsearch.service
systemctl is-enabled elasticsearch.service
Expected output:
active
enabled
Reset the Elastic Password if Needed
If the installation password scrolled away or you want a fresh password, reset the elastic user after the service is running. The default command generates a new strong password; add -i if you want to set one interactively.
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
Test the Local HTTPS API
Elasticsearch 8 enables HTTPS and authentication during security auto-configuration. Use the generated CA certificate and let curl prompt for the elastic password instead of putting the password in your shell history. The sudo prefix is required because the generated CA file is owned by root:elasticsearch with restrictive permissions.
sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
Relevant output includes the cluster name, the installed Elasticsearch 8 version, build_type set to deb, and the standard tagline.
{
"cluster_name" : "elasticsearch",
"version" : {
"number" : "8.19.15",
"build_type" : "deb"
},
"tagline" : "You Know, for Search"
}
Check the Installed Elasticsearch Version
Use the package policy view when you need the installed package, candidate package, and repository source in one place. Use the Elasticsearch binary when you only need the installed branch and build details.
apt-cache policy elasticsearch
sudo /usr/share/elasticsearch/bin/elasticsearch --version
The binary check uses sudo because Elastic’s launcher reads /etc/default/elasticsearch, which is not world-readable on the package-managed install.
Choose Elasticsearch 8 or Elasticsearch 9 on Ubuntu
Use Elasticsearch 8 when an existing cluster, plugin, application client, or upgrade plan is tied to the 8.x branch. Use Elasticsearch 9 on Ubuntu for new self-managed deployments that need the current major branch and do not have an 8.x compatibility requirement.
| Branch | Best Fit | Notes |
|---|---|---|
| Elasticsearch 8.x | Existing Elastic Stack 8 clusters, plugin compatibility, staged major-version upgrades | Elastic’s version policy lists Elastic Stack 8.x support through July 15, 2027, as of May 15, 2026. |
| Elasticsearch 9.x | New deployments that want the current major branch | Use the separate Elasticsearch 9 article because it uses a different APT path, package candidate, and feature branch. |
Elasticsearch 8 is not an Ubuntu archive LTS package. Its maintenance and support window follows Elastic’s version policy and support matrix, not Ubuntu’s five-year LTS lifecycle.
Resolve Download and Package Method Questions
Elastic publishes both an APT repository and direct Debian package downloads. The APT repository is the better Ubuntu server path because updates arrive through APT, the source file remains visible, and package policy checks show exactly where the candidate comes from.
If you only need an Elasticsearch 8 download for an offline or pinned-version workflow, use Elastic’s official downloads or past releases pages and verify the published checksum before installing the local .deb. Do not use old hostnames such as download.elasticsearch.org or stale pool URLs from search results for a maintained Ubuntu install.
Docker images are a separate deployment model. They change data paths, networking, service management, and upgrades, so keep container workflows separate from this host-managed systemd service.
Configure Elasticsearch Paths and JVM Settings
The Debian package uses standard Linux paths for binaries, configuration, data, logs, generated certificates, and plugins.
| Path | Role |
|---|---|
| /usr/share/elasticsearch/ | Elasticsearch home, binaries, bundled JDK, and plugins |
| /etc/elasticsearch/ | Main configuration, including elasticsearch.yml and generated TLS files |
| /etc/elasticsearch/certs/http_ca.crt | Generated CA certificate for HTTPS API trust |
| /etc/default/elasticsearch | Environment settings such as ES_PATH_CONF and restart-on-upgrade behavior |
| /var/lib/elasticsearch/ | Index data, cluster state, and node data |
| /var/log/elasticsearch/ | Elasticsearch logs |
Edit the Main Configuration File
Most single-node development installs can start with the package defaults. When you need to change the cluster name, node name, paths, discovery behavior, or network binding, edit elasticsearch.yml and restart the service afterward.
sudo nano /etc/elasticsearch/elasticsearch.yml
sudo systemctl restart elasticsearch.service
Adjust JVM Heap Size
Elasticsearch automatically sizes the JVM heap for many installations. If you need a fixed heap, put custom options in /etc/elasticsearch/jvm.options.d/ instead of editing the package-owned root jvm.options file. Set Xms and Xmx to the same value.
printf '%s\n' '-Xms2g' '-Xmx2g' | sudo tee /etc/elasticsearch/jvm.options.d/heap.options >/dev/null
sudo systemctl restart elasticsearch.service
Keep the heap under 50% of available memory and below the compressed ordinary object pointer threshold. Elastic documents 26 GB as safe on most systems, with about 30 GB possible on some systems.
Check OS-Level Tuning
Elastic’s Debian package applies its own virtual-memory tuning during installation and sets vm.max_map_count to 262144, so a separate pre-install step is normally unnecessary for the APT method. If your host intentionally uses a higher value, reapply that local policy after installation or manage it with your own sysctl drop-in.
sysctl vm.max_map_count
sudo journalctl -u elasticsearch.service --no-pager -n 50
Elasticsearch treats non-loopback cluster networking as production mode and turns some startup warnings into hard failures. Review bootstrap-check messages carefully before exposing a node beyond localhost or adding it to a cluster.
Manage Elasticsearch Network Access on Ubuntu
Do not assume the HTTP API is local-only after security auto-configuration. Verify the active listener, keep port 9200 source-restricted, and plan transport-port access on 9300 only for trusted cluster nodes that need it.
Allow a Trusted Client IP with UFW
If another trusted host needs to reach the Elasticsearch HTTP API, restrict the firewall rule to that client, proxy, Kibana, Logstash, Beats, or application server address. Replace the example IP with your real client address.
sudo ufw allow from 192.168.1.50 to any port 9200 proto tcp
sudo ufw status numbered
Use the Ubuntu UFW firewall guide for broader firewall administration. Avoid broad rules such as sudo ufw allow 9200 on production systems.
Check the Active Listener
Use ss to see which address owns port 9200. A listener such as 127.0.0.1:9200 is local-only; 0.0.0.0:9200 or :::9200 means the HTTP API is listening on external interfaces and needs host firewall and upstream network controls.
sudo ss -tlnp | grep ':9200'
If the binding is not what you expect, review http.host, transport.host, network.host, and discovery settings in /etc/elasticsearch/elasticsearch.yml.
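The listener check can also be automated for audits or post-change verification. This added example (not from the original guide) classifies each listener on a port as loopback, wildcard, or a specific interface from ss -tln output; the function names, the sample lines, and the 192.168.1.10 address are constructed.

```sh
# Added example: classify who can reach a TCP port from `ss -tln` output.
# Constructed sample; real input comes from: sudo ss -tln
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   [::ffff:127.0.0.1]:9200 *:*
LISTEN 0      4096   [::1]:9200 [::]:*
LISTEN 0      4096   192.168.1.10:9300 0.0.0.0:*
LISTEN 0      128    0.0.0.0:22 0.0.0.0:*'

# Print "<address> <kind>" for each listener on the given port, where kind is
# loopback (local-only), wildcard (all interfaces) or interface (one address).
classify_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] != port) next
      # Everything before the last colon is the address; drop IPv6 brackets.
      addr = substr($4, 1, length($4) - length(parts[n]) - 1)
      sub(/^\[/, "", addr); sub(/\]$/, "", addr)
      if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) kind = "loopback"
      else if (addr == "0.0.0.0" || addr == "::" || addr == "*")      kind = "wildcard"
      else                                                            kind = "interface"
      print addr, kind
    }'
}

# Succeed only if the port has at least one listener and all of them are loopback.
port_is_local_only() {
  classify_listeners "$1" | awk '
    { seen = 1; if ($2 != "loopback") bad = 1 }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# Real use: sudo ss -tln | port_is_local_only 9200 || echo "9200 is reachable off-host"
for p in 9200 9300; do
  if printf '%s\n' "$SAMPLE_SS" | port_is_local_only "$p"; then
    echo "port $p: local-only"
  else
    echo "port $p: not local-only, needs firewall and upstream controls"
  fi
done
```

The IPv4-mapped form ::ffff:127.0.0.1 is treated as loopback, and both :::9200 and [::]:9200 are treated as wildcard, since ss versions differ in how they print IPv6 addresses.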
Update Elasticsearch 8 on Ubuntu
APT handles Elasticsearch 8 package updates from the same 8.x repository. Check the candidate first, apply the package upgrade, then restart a single-node install when appropriate.
sudo apt update
apt-cache policy elasticsearch
sudo apt install --only-upgrade elasticsearch
Restart a single-node service after the upgrade. For multi-node clusters, follow Elastic’s rolling-upgrade guidance and shard-allocation steps instead of restarting every node at once.
sudo systemctl restart elasticsearch.service
systemctl is-active elasticsearch.service
Troubleshoot Elasticsearch 8 on Ubuntu
Package Is Missing or APT Cannot Locate Elasticsearch
Confirm that the source file exists, refresh metadata, and recheck the candidate.
The install failure usually looks like this:
E: Unable to locate package elasticsearch
sudo test -f /etc/apt/sources.list.d/elasticsearch.sources && echo "source file exists"
sudo apt update
apt-cache policy elasticsearch
If the policy output does not show Elastic’s 8.x repository, recheck the URIs, Suites, Components, Architectures, and Signed-By fields in the source file.
Candidate Shows Elasticsearch 9 Instead of 8
The elasticsearch package name is shared by Elastic’s 8.x and 9.x repositories. If apt-cache policy elasticsearch shows a 9. candidate, find every enabled Elastic source and disable the unwanted 9.x entry before installing.
grep -R "artifacts.elastic.co/packages" /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null
sudo apt update
apt-cache policy elasticsearch
Repository Is Not Signed or Key Verification Fails
A signing error usually means the key file is missing, unreadable, or not at the path named in Signed-By. It can also happen when an older one-line Elastic source is still present. Search for duplicate source entries with the grep command.
Common error lines include:
NO_PUBKEY D27D666CD88E42B4
E: The repository 'https://artifacts.elastic.co/packages/8.x/apt stable InRelease' is not signed.
ls -l /usr/share/keyrings/elasticsearch-keyring.gpg
grep -R "artifacts.elastic.co/packages" /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null
Remove stale duplicate source files, then refresh APT again.
sudo apt update
Plain HTTP curl localhost:9200 Fails
A plain curl localhost:9200 request fails because Elasticsearch 8 enables TLS and authentication on the HTTP layer. Use https, the generated CA certificate, and the elastic user.
The failed plain-HTTP request usually returns:
curl: (52) Empty reply from server
sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
Disabling xpack.security.enabled and xpack.security.http.ssl.enabled allows plain HTTP, which is acceptable only on isolated lab systems. Keep security enabled for shared, networked, and production hosts.
Security Auto-Configuration Is Skipped
If package output says Skipping auto-configuration because security features appear to be already configured on what should be a fresh node, leftover data or configuration from an earlier Elasticsearch install may still exist. Do not delete these paths from a real cluster node casually; clean them only when you are intentionally rebuilding the node and have backups or snapshots.
sudo systemctl disable --now elasticsearch.service
sudo apt purge elasticsearch
sudo rm -rf /var/lib/elasticsearch
sudo rm -rf /var/log/elasticsearch
sudo rm -rf /etc/elasticsearch
After cleanup, reinstall from the Elastic 8.x source and watch for the security auto-configuration output that creates the generated password and /etc/elasticsearch/certs/http_ca.crt.
Service Fails or Bootstrap Checks Block Startup
Read the Elasticsearch service logs first. Bootstrap failures usually name the exact setting, resource limit, memory issue, or networking condition that needs attention.
sudo journalctl -u elasticsearch.service --no-pager -n 80
systemctl status elasticsearch.service
If the failure appears after changing network settings, review production-mode bootstrap checks before changing more options. If memory is the issue, reduce custom heap settings or increase system memory so the JVM, filesystem cache, and operating system all have room.
Port 9200 Is Already in Use
Identify the process already using the HTTP API port.
sudo ss -tlnp | grep ':9200'
Stop the conflicting service, change that service’s listener, or configure Elasticsearch to use a different HTTP port before restarting Elasticsearch.
Remove Elasticsearch 8 from Ubuntu
Stop the service first, then purge the package. Keep data and configuration until you have confirmed backups, snapshots, or migration requirements.
sudo systemctl disable --now elasticsearch.service
sudo apt purge elasticsearch
Preview unused dependency cleanup before running it. Continue only if the package list is acceptable for your system.
sudo apt autoremove --dry-run
sudo apt autoremove
Remove the Elastic 8.x APT source only if this system no longer needs Elasticsearch 8 packages. Remove the signing key only when no other Elastic repository on the host uses the same key.
sudo rm -f /etc/apt/sources.list.d/elasticsearch.sources
sudo rm -f /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt update
apt-cache policy elasticsearch
Delete local Elasticsearch data, logs, and configuration only when you are sure you no longer need the node’s indices, generated certificates, or local settings.
The cleanup commands permanently delete Elasticsearch indices, local node state, generated certificates, custom configuration, and logs. Back up snapshots, exported data, or configuration files before removing these paths.
sudo rm -rf /var/lib/elasticsearch
sudo rm -rf /var/log/elasticsearch
sudo rm -rf /etc/elasticsearch
Confirm that the package is no longer installed.
dpkg-query -W -f='${db:Status-Abbrev} ${binary:Package}\n' elasticsearch 2>/dev/null | grep '^ii' || echo "elasticsearch package is not installed"
Official Elasticsearch 8 Resources
- Elastic Debian package installation for Elasticsearch 8.19
- Elasticsearch 8.19 release highlights
- Elasticsearch downloads
- Elasticsearch past releases
- Elastic product and version policy
- Elastic support matrix
- Elasticsearch JVM settings
Conclusion
Elasticsearch 8 is running on Ubuntu from Elastic’s 8.x APT repository as a systemd service with TLS, authentication, version checks, update commands, and a clean removal path. Use Elasticsearch 9 on Ubuntu for new deployments that are ready for the current major branch, and keep HTTP API access narrow with the Ubuntu UFW firewall guide before exposing port 9200 beyond localhost.


For Elasticsearch 8, security is enabled by default.
Setting all the config starting from this comment:
`# Enable security features`
will disable https, so that `curl localhost:9200` will work.
Thanks for the tip, Peter. You are correct that Elasticsearch 8 enables security by default, including TLS on port 9200. Disabling the security settings under `# Enable security features` in `/etc/elasticsearch/elasticsearch.yml` allows plain HTTP access with `curl localhost:9200`.
The guide keeps security enabled because it reflects production best practices. For development or isolated testing environments where convenience matters more than security, you can set `xpack.security.enabled: false` and `xpack.security.http.ssl.enabled: false` in the configuration file, then restart the service.
If you choose to disable security, Elasticsearch will accept unauthenticated connections over plain HTTP. Only do this on isolated systems that are not exposed to untrusted networks.
lsb-core not lsb-release
You can use lsb-core, but lsb-release works too. lsb-release is mainly for reporting distribution information, which is why I referred to it in the original command. However, lsb-core provides more comprehensive compliance utilities and libraries. In the future, I might use lsb-core instead, as it seems to be a better option.