
Securing Elasticsearch and Kibana with Search Guard for free

Note: This is a guest post by Jochen Kressin, the CTO of floragunn GmbH, the makers of Search Guard, an open-source X-Pack Security alternative.

In this article, we show you how to secure Elasticsearch and Kibana for free using the Community edition of Search Guard. We start with a vanilla Elasticsearch and Kibana setup, install and configure Search Guard for Elasticsearch, and use the Search Guard Kibana plugin to add session management capabilities to Kibana.


As a prerequisite, install the latest Elasticsearch and Kibana version. At the time of writing, this is 5.4.0.

Installing Elasticsearch


Installing Kibana


Installing Search Guard

Search Guard is an Elasticsearch plugin, and can thus be installed by using the standard plugin installation procedure of Elasticsearch.

First, figure out which version of Search Guard you need for your Elasticsearch installation. Due to compatibility checks in Elasticsearch, the version of Search Guard must match the version of Elasticsearch exactly. So if you run Elasticsearch 5.4.0, you need to install Search Guard 5.4.0. Other versions will not work. If in doubt, you can always refer to our version matrix, which lists all available versions of Search Guard. In this tutorial, we use Elasticsearch and Kibana 5.4.0.

Next, stop all running nodes, change to the installation directory of Elasticsearch and install Search Guard:

bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:5.4.0-12

The plugin will be downloaded from Maven and installed automatically. Once the installation is complete, you will find a new folder plugins/search-guard-5 in your Elasticsearch installation directory.

Configuring TLS

Search Guard makes heavy use of TLS to encrypt and secure all traffic in your cluster. In order for TLS to work, you need to generate and install TLS certificates on all nodes. This ensures that no one can sniff or tamper with your data, and that only nodes presenting a trusted certificate can join the cluster.

There are several ways of generating the necessary certificates, but for this quickstart tutorial we will use the demo installation script that ships with Search Guard. For other ways of generating certificates, please refer to the section “Configuring Search Guard SSL” of the official Search Guard documentation.

In order to execute the demo installation script, change to the directory

<ES installation directory>/plugins/search-guard-5/tools

and execute the script


Depending on which platform you are on, you may need to set execution permissions first. The script will generate the TLS certificates and add the corresponding configuration settings to the elasticsearch.yml file. Once this is finished, you can start your nodes again.

Initializing Search Guard

After your nodes are up, you need to initialize Search Guard. In this tutorial, we will use the sample configuration files that ship with Search Guard. They already contain the correct users, roles and permissions for the Kibana integration.

The configuration files are located in this directory:

<ES installation directory>/plugins/search-guard-5/sgconfig

In order to upload this configuration to Search Guard, you can either use the sgadmin command line tool, or the REST management API. When using the sgadmin command line tool, you need to specify various parameters, such as the path to your certificates or the name of your cluster. You can read all about sgadmin in the official documentation.

For our quick start tutorial, we will use the demo sgadmin script, which already contains all required parameters. Change to:

<ES installation directory>/plugins/search-guard-5/tools

and execute the script


As with the installation script, you might need to set execution permissions first. After the script has been executed, Search Guard is initialized and your cluster is fully secured by TLS.

You can verify that everything works as expected by visiting the following URL with a browser:


Since we are using self-signed certificates, ignore the browser warning and accept the Root certificate that Search Guard is using. The warning message varies from browser to browser. Note that because TLS is now enabled on the REST layer, you have to use https when talking to Elasticsearch. Connecting with unsecured http will not work anymore.

When prompted for a username and password, you can use admin/admin. This user has full access to the cluster and all indices. You should see information about the currently logged in user in JSON format.

Congratulations, Search Guard is now installed and configured properly.

If you want to learn more about the structure and contents of the configuration files, refer to the chapter “Search Guard configuration” of the documentation. After you make changes to the configuration, simply execute sgadmin_demo.sh again for the changes to take effect.

Adding Kibana to the mix

As with Elasticsearch, Kibana does not provide any security or session management out of the box. As the first step, we will configure Kibana so that it is able to talk to our Search Guard secured cluster. In the second step, we will install the Search Guard Kibana plugin which adds session management capabilities.

Configuring Kibana

For Kibana to work with a Search Guard secured cluster, we need to make some adjustments in the kibana.yml configuration file. First, change the default Elasticsearch URL from http to https:

elasticsearch.url: "https://localhost:9200"

And since we are using self-signed certificates in this tutorial, we need to tell Kibana to accept them explicitly by disabling certificate verification:

elasticsearch.ssl.verificationMode: none

With verification disabled, Kibana accepts any certificate presented to it, so this is of course not recommended for production. In production, you would instead install and configure your Root CA in Kibana so that the cluster certificate can be validated, but that is out of the scope of this tutorial.

Kibana uses a service user under the hood to manage the Kibana index, check the cluster health etc. This service user has to be present in Search Guard, and it needs to have the correct permissions to execute all required actions. The demo configuration already contains such a service user; its username and password are both “kibanaserver”. To tell Kibana to use these credentials when talking to Elasticsearch, add the following lines to kibana.yml:

elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

These are the minimal changes you need to perform. You can now start Kibana again and check that the connection to Elasticsearch works correctly.
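As an added example that is not part of the original post, the following Python script parses a kibana.yml and flags the tutorial-only settings discussed above (a plain http URL, verificationMode set to none, the demo kibanaserver credentials) so they are not carried into production. The sample file contents are constructed, and the check for Kibana's elasticsearch.ssl.certificateAuthorities setting as the production alternative is an assumption of this example, not something the post configures.

```python
# Review a kibana.yml for the Search Guard settings discussed above. Only the
# flat "key: value" form used in kibana.yml is parsed (values may be quoted).
# Demo accounts from the Search Guard sample configuration (sgconfig).
DEMO_CREDENTIALS = {("kibanaserver", "kibanaserver"), ("admin", "admin")}

def parse_kibana_yml(text):
    """Return a dict of top-level settings; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def review(settings):
    """Return a list of findings; an empty list means the config looks sound."""
    findings = []
    if not settings.get("elasticsearch.url", "").startswith("https://"):
        findings.append("elasticsearch.url is not https; Search Guard enforces TLS on the REST layer")
    mode = settings.get("elasticsearch.ssl.verificationMode", "full")  # Kibana default
    if mode != "full":
        findings.append("verificationMode is %s; Kibana accepts any certificate" % mode)
    elif not settings.get("elasticsearch.ssl.certificateAuthorities"):
        findings.append("no certificateAuthorities; the cluster's Root CA is not trusted explicitly")
    creds = (settings.get("elasticsearch.username"), settings.get("elasticsearch.password"))
    if not all(creds):
        findings.append("elasticsearch.username/password missing; Kibana cannot authenticate")
    elif creds in DEMO_CREDENTIALS:
        findings.append("demo credentials for %s in use; set a unique password" % creds[0])
    return findings

# Constructed sample: the exact changes this tutorial makes to kibana.yml.
TUTORIAL_YML = """
elasticsearch.url: "https://localhost:9200"
elasticsearch.ssl.verificationMode: none
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
"""
# Constructed sample: the same settings as they should look in production.
HARDENED_YML = """
elasticsearch.url: "https://es.internal.example:9200"
elasticsearch.ssl.verificationMode: full
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/root-ca.pem" ]
elasticsearch.username: "kibanaserver"
elasticsearch.password: "replace-with-a-unique-secret"
"""
```

Running `review(parse_kibana_yml(TUTORIAL_YML))` reports the disabled verification and the demo credentials, while the hardened sample produces no findings.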

Installing the Kibana plugin

If you now try to access Kibana, you will see a Basic Authentication dialog popping up. This works, but we’d like to have a proper login dialog and the possibility to log out again without closing the browser. This is where the Kibana plugin comes into play.

As with Search Guard, you need to install the plugin that matches your Kibana version exactly. In our case, this is version 5.4.0-2. You can find all available versions on the GitHub release page:


Stop Kibana and download the zip file of the plugin to a directory on your machine:


After that, install it like any other Kibana plugin: Change to the Kibana installation directory and execute:

bin/kibana-plugin install file:///path/to/searchguard-kibana-5.4.0-2.zip

This will install the plugin, and run the Kibana optimizer afterwards. This may take a couple of minutes. After that, restart Kibana and access it via


You will be redirected to the login page and prompted to provide a username and password.

Use the demo Kibana user to log in; the username and password are both “kibanaro”. This user is mapped to the role sg_kibana and has access to all indices.

That’s it. Both Elasticsearch and Kibana are secured with Search Guard.

Where to go next?

Deep-dive into Search Guard by reading the official documentation:


Learn more about integrating Kibana and Search Guard:


Add Kibana multi tenancy to separate dashboards and visualizations


Ask questions on the Search Guard Google Group:


Read about our fair, flexible and affordable enterprise license model:


Follow us on Twitter to stay up-to-date with new releases and features:


