Kurrent logo
Kurrent logo
Login Sign Up

EventStoreDB 23.10 LTS

Kurrentdb Lts

We are excited to introduce EventStoreDB version 23.10.0 LTS, available for both OSS & Commercial users, and supported through to October 2025. The full changelog is available and for upgrade assistance or support inquiries, please get in touch.

Available platforms:

  • Windows
  • Ubuntu (versions 18.04, 20.04, 22.04)
  • CentOS 7, Amazon Linux 2, Oracle Linux 7 (Commercial)
  • Docker images (including ARM64 preview) on Dockerhub

Downloads and Installation

Packages can be installed via PackageCloud, Chocolatey, or Docker. See detailed commands/instructions for each platform.

Release highlights

  • Database Telemetry: Anonymous usage data from running clusters optimizes user experience and guides development (opt-out available).
  • Prometheus Metrics: Enhanced, actionable database metrics in Prometheus format.
  • Security Updates: Includes wildcard support for CertificateReservedCommonName, default admin/ops passwords setup, and tightened anonymous access.
  • FIPS Compliance (Commercial): EventStoreDB now runs on FIPS-restricted systems via a commercial plugin.

Database Telemetry

The database now collects anonymous usage data from running clusters. We’ll be using this data to improve user experience and inform our future development.

You can opt out of sending telemetry by setting the EVENTSTORE_TELEMETRY_OPTOUT environment variable to true.

For more information visit the Usage Telemetry page.

Prometheus Metrics

We introduced more helpful and usable metrics in Prometheus format, making it easier to understand what is happening in the database, and to make better decisions about how to operate it.

Check out our metrics blog post to learn how to set up some default dashboards with this new feature.

You can find a full list of the new metrics, how to configure them, and what the outputs of each look like in the metrics documentation.

Security Improvements

Default Admin and Ops passwords

We want to eventually remove the default password changeit because having a known default password can leave the database vulnerable if the admin and ops passwords aren’t updated.

As such we have added new options to set the default admin and ops passwords on the first run of EventStore. You can do this by setting the EVENTSTORE_DEFAULT_ADMIN_PASSWORD and EVENTSTORE_DEFAULT_OPS_PASSWORD environment variables.

These settings won’t affect a database that has already been created.

In a future version we will be removing the changeit default password and require a default password to be configured at startup.

INFO

These new options can only be set by environment variable so that the passwords aren’t saved in plaintext to config files.

Wildcard support for ReservedCommonName

In addition to the security updates included in version 23.6.0, we have improved the experience around configuring node certificates in a cluster. We now support using a wildcard in the ReservedNodeCommonName option, so you no longer have to use wildcard certificates or certificates with the same CN on every node.

You can read more about these changes in our post about the Security Updates in version 23.10.

Disable Anonymous Access by Default

Historically, anonymous users with network access have been allowed to read/write streams that do not have access control lists. Anonymous access has also been available to the /stats, /info, and other HTTP endpoints.

Anonymous access is now disabled by default, except for the /info and /ping endpoints. Gossip is also still anonymous by default while we update our supported clients to use authenticated gossip.

If you need to re-enable anonymous access, you can do this with the new AllowAnonymousEndpointAccess and AllowAnonymousStreamAccess options.

Support FPS-compliant systems

There is now a commercial plugin to allow EventStoreDB to run on a FIPS-compliant system. You can find instructions on how to download and use this plugin on the commercial downloads site.

We will also be updating our certificate generation tools to create certificates that work on FIPS systems to make testing easier.

Configuration improvements

We want to make configuration of EventStoreDB easier, whether it’s through more informative logs or through better and more streamlined options.

This release has some quality-of-life improvements around configuring certificates as well as some helpful logs to identify misconfigurations in the cluster.

  • Add support for encrypted and unencrypted PKCS8 private key files
  • Set the default trusted root certificate path on Linux to /etc/ssl/certs so this does not need to be configured for most systems.
  • Include more detailed errors and warnings about certificate mismatches, and other issues preventing a cluster from running correctly.
  • Periodically log a warning when the certificate is nearing expiry.

Configuration Quality of Life

  • Suggest the closest available option when a configuration option is unrecognised
  • Log a warning when the versions between nodes are mismatched
  • Log a warning when the connection between nodes is blocked - for example because of a firewall

More clear networking options

We found that network interfaces configuration might be confusing when it comes to External and Internal interface options. Since the legacy TCP-based proprietary client protocol has been deprecated, we decided to rename its configuration use the Replication prefix instead. External interface options are now prefixed with Node going forward.

The old options have been deprecated and will be removed in 24.10 next year, but are still usable in 23.10. All the deprecated and new options are listed in the Upgrade Guide.

Breaking changes

There are some breaking changes when upgrading from 22.10 to 23.10. None of these changes prevent you from performing a rolling upgrade between these two versions.

The breaking changes are:

  • gRPC Clients connecting to EventStoreDB must be authenticated (by default).
  • Requests to the HTTP API must be authenticated (by default).
  • PrepareCount and CommitCount options have been removed.
  • The Persistent Subscriptions config event type PersistentConfig1 has been renamed to $PersistentConfig.
  • Options prefixed with Ext and Int have been deprecated. Use the options prefixed with Node and Replication respectively.

You can read more about these breaking changes and what you should be aware of during an upgrade in the Upgrade Guide.

Resources and feedback

Issues or questions? Open a GitHub issue, join our Discord Server, or post on our forum.

Back to all posts