==== Run {es} from the command line

Run the following command to start {es} from the command line:

[source,sh]
----
.\bin\elasticsearch.bat
----

When starting {es} for the first time, security features are enabled and
configured by default. The following security configuration occurs
automatically: 

* Authentication and authorization are enabled, and a password is generated for
the `elastic` built-in superuser.
* Certificates and keys for TLS are generated for the transport and HTTP layer,
and TLS is enabled and configured with these keys and certificates.
* An enrollment token is generated for {kib}, which is valid for 30 minutes.

The password for the `elastic` user and the enrollment token for {kib} are
output to your terminal.

We recommend storing the `elastic` password as an environment variable in your shell. Example:

[source,sh]
----
$ELASTIC_PASSWORD = "your_password"
----

If you have password-protected the {es} keystore, you will be prompted to
enter the keystore's password. See <<secure-settings>> for more details.

By default {es} prints its logs to the console (`STDOUT`) and to the `<cluster
name>.log` file within the <<path-settings,logs directory>>. {es} logs some
information while it is starting, but after it has finished initializing it
will continue to run in the foreground and won't log anything further until
something happens that is worth recording. While {es} is running you can
interact with it through its HTTP interface which is on port `9200` by default.

To stop {es}, press `Ctrl-C`.

[discrete]
==== Enroll nodes in an existing cluster

// The following include pulls in steps for enrolling nodes in a cluster from
// a security page in the x-pack folder

:slash:     \

include::{es-ref-dir}/security/enroll-nodes.asciidoc[]