[[backup-cluster-configuration]]
=== Back up a cluster's configuration
++++
<titleabbrev>Back up the cluster configuration</titleabbrev>
++++

In addition to backing up the data in a cluster, it is important to back up its configuration--especially when the cluster becomes large and difficult to
reconstruct.

Configuration information resides in
<<config-files-location, regular text files>> on every cluster node. Sensitive
setting values such as passwords for the {watcher} notification servers, are
specified inside a binary secure container, the
<<secure-settings, elasticsearch.keystore>> file. Some setting values are
file paths to the associated configuration data, such as the ingest geo ip
database. All these files are contained inside the `ES_PATH_CONF` directory.

NOTE: All changes to configuration files are done by manually editing the files
or using command line utilities, but *not* through APIs. In practice, these
changes are infrequent after the initial setup.

We recommend that you take regular (ideally, daily) backups of your {es} config
(`$ES_PATH_CONF`) directory using the file backup software of your choice.

TIP: We recommend that you have a configuration management plan for these
configuration files. You may wish to check them into version control, or
provision them though your choice of configuration management tool.

Some of these files may contain sensitive data such as passwords and TLS keys,
therefore you should investigate whether your backup software and/or storage
solution are able to encrypt this data.

Some settings in configuration files might be overridden by
<<cluster-update-settings,cluster settings>>. You can capture these settings in
a *data* backup snapshot by specifying the `include_global_state: true` (default)
parameter for the snapshot API. Alternatively, you can extract these
configuration values in text format by using the
<<cluster-get-settings, get settings API>>:

[source,console]
--------------------------------------------------
GET _cluster/settings?pretty&flat_settings&filter_path=persistent
--------------------------------------------------

You can store the output of this as a file together with the rest of
configuration files.

[NOTE]
====

* Transient settings are not considered for backup.
* {es} {security-features} store configuration data such as role definitions and
API keys inside a dedicate special index. This "system" data,
complements the <<secure-settings, security settings>> configuration and should
be <<backup-security-index-configuration, backed up as well>>.
* Other {stack} components, like Kibana and {ml-cap}, store their configuration
data inside other dedicated indices. From the {es} perspective these are just data
so you can use the regular <<backup-cluster-data, data backup>> process.

====