Search Guard(®) is an Elasticsearch plugin that offers encryption, authentication, and authorization. It supports authentication via Active Directory, LDAP, Kerberos, JSON web tokens and many more, and includes fine grained role-based access control to clusters, indices, documents and fields. Enjoy true multi tenancy in Kibana, and stay compliant with GDPR, HIPAA, PCI, SOX and ISO by using audit logging.
Search Guard supports OpenSSL for maximum performance and security. The complete code is Open Source.
Search Guard offers all basic security features for free. The Community Edition of Search Guard can be used for all projects, including commercial projects, at absolutely no cost. The Community Edition includes:
- Full data in transit encryption
- Node-to-node encryption
- Index level access control
- Document type based access control
- User-, role- and permission management
- HTTP basic authentication
- User Impersonation
- Proxy support
Please see here for a feature comparison.
The Enterprise Edition on Search Guard adds:
- Active Directory / LDAP
- Kerberos / SPNEGO
- JSON web token (JWT)
- Document-level security
- Field-level security
- Audit logging to stay compliant with security compliance regulations
- True Kibana Multi Tenancy
- REST management API
Please see here for a feature comparison.
If you want to use our enterprise features in production, you need to obtain a license. We offer a very flexible licensing model, based on productive clusters with an unlimited number of nodes. Non-productive systems like Development, Staging or QA are covered by the license at no additional cost.
You can test all enterprise modules for 60 days. A trial license is automatically created when you first install Search Guard. You do not have to install the trial license manually. Just install Search Guard and you're good to go!
Please refer to the Official documentation for detailed information on installing and configuring Search Guard.
-
Install Elasticsearch
-
Install the Search Guard plugin for your Elasticsearch version, e.g.:
<ES directory>/bin/elasticsearch-plugin install \
-b com.floragunn:search-guard-6:6.0.0-17.beta1
-
cd
into<ES directory>/plugins/search-guard-<version>/tools
-
Execute
./install_demo_configuration.sh
,chmod
the script first if necessary. This will generate all required TLS certificates and add the Search Guard configuration to yourelasticsearch.yml
file. -
Start Elasticsearch
-
Test the installation by visiting
https://localhost:9200
. When prompted, use admin/admin as username and password. This user has full access to the cluster. -
Display information about the currently logged in user by visiting
https://localhost:9200/_searchguard/authinfo
. -
Deep dive into all Search Guard features by reading the Search Guard documentation
The Search Guard configuration is stored in a dedicated index in Elasticsearch itself. Changes to the configuration are pushed to this index via the sgadmin command line tool. This will trigger a reload of the configuration on all nodes automatically. This has several advantages over configuration via elasticsearch.yml:
- Configuration is stored in a central place
- No configuration files on the nodes necessary
- Configuration changes do not require a restart
- Configuration changes take effect immediately
- Commercial support available through floragunn GmbH
- Community support available via google groups
- Follow us and get community support on twitter @searchguard
Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries.
Elasticsearch, Kibana and Logstash are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
floragunn GmbH is not affiliated with Elasticsearch BV.