
Search Guard – Security for Elasticsearch

Note: This is a guest post by Jochen Kressin, the CTO of floragunn GmbH, the makers of Search Guard, an open-source X-Pack Security alternative.

Elasticsearch is a great piece of software. We really love it. However, there is one major drawback: Elasticsearch does not have any security capabilities built in. Anyone who can reach the HTTP or transport port of a node can read, modify and delete any data, which leaves your cluster wide open to attackers, as the Elasticsearch ransomware attacks earlier this year have clearly shown.

Welcome to Search Guard – the security suite for Elasticsearch and the entire ELK stack.

When it comes to security for Elasticsearch, Search Guard is your Swiss army knife to implement security solutions tailored to your needs and your infrastructure. Regardless of whether you just want to encrypt data in transit, authenticate users against Active Directory, use Kerberos or JSON web tokens for Single Sign On or need to monitor and log malicious access attempts, Search Guard is your one-stop solution. And the best part is that the basic version comes for free!



The four pillars of security

Encryption – protect against sniffing, snooping and tampering

The first step in securing your data is encryption in transit. Search Guard provides TLS encryption for node-to-node traffic, REST traffic and transport client traffic, so your data is protected as it travels across the network even if an attacker can observe or inject traffic on it. Provided that certificates are validated properly (including hostname verification), TLS ensures that

  • No one can sniff your data
  • No one can tamper with your data
  • Only authenticated nodes can join your cluster

In order to minimize the performance impact of encryption, Search Guard can use native OpenSSL (via netty-tcnative) instead of the JDK's own TLS implementation. OpenSSL offers better performance than the standard Java Cryptography Extensions and a wider, more modern range of cipher suites.
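To make the three guarantees above concrete, here is what the TLS part of elasticsearch.yml looks like when they are actually enforced. This is an added example, not configuration from the post or from the Search Guard project: file names, hostnames and DNs are made up, and the setting names are those of the Search Guard 5 release line this post describes, so check them against the documentation for your version.

```yaml
# elasticsearch.yml, Search Guard TLS section. Example configuration, not from the post.
# Assumed PKI: one CA (root-ca.pem), one certificate per node (esnode.pem / esnode-key.pem)
# and one separate admin client certificate for sgadmin. All names are placeholders.

# --- node-to-node (transport) traffic ---------------------------------------
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
# Demo setups switch this off so that self-signed certificates work on any host.
# Leave it on: without hostname verification a stolen node certificate is valid
# from every machine that can reach the transport port.
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.transport.resolve_hostname: true
# Use netty-tcnative/OpenSSL when the native library is present on the node,
# otherwise fall back to the JDK implementation.
searchguard.ssl.transport.enable_openssl_if_available: true
searchguard.ssl.transport.enabled_protocols:
  - TLSv1.2

# --- REST (HTTP) traffic -----------------------------------------------------
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
# NONE    = never ask the client for a certificate
# OPTIONAL = accept one if the client sends it (needed when certificate and
#            Basic authentication are mixed, see the next section)
# REQUIRE = reject every client without a trusted certificate
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.ssl.http.enabled_protocols:
  - TLSv1.2

# --- which certificates mean what --------------------------------------------
# Only holders of a certificate with one of these DNs are treated as cluster
# nodes ("only authenticated nodes can join your cluster"). Keep the list tight
# and avoid wildcards that would match every certificate your CA ever issued.
searchguard.nodes_dn:
  - 'CN=node-1.es.example.internal,OU=Elasticsearch,O=Example Corp,C=DE'
  - 'CN=node-2.es.example.internal,OU=Elasticsearch,O=Example Corp,C=DE'
  - 'CN=node-3.es.example.internal,OU=Elasticsearch,O=Example Corp,C=DE'

# Certificates allowed to run sgadmin and rewrite the whole security configuration.
# This is effectively the root credential of the cluster: issue it to as few people
# or pipelines as possible, and never reuse a node certificate here.
searchguard.authcz.admin_dn:
  - 'CN=sgadmin,OU=Security,O=Example Corp,C=DE'
```

The two settings most often left in their demo state are enforce_hostname_verification and clientauth_mode; the first decides whether a copied node key can be used from an attacker's box, the second whether the HTTP layer can authenticate clients by certificate at all.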


Authentication and authorization – control who has access to your data

Search Guard offers a range of pluggable authentication modules. The free version comes with an integrated user database, HTTP Basic Authentication, as well as certificate- and proxy-based authentication. The enterprise version adds modules for LDAP/Active Directory, Kerberos and JSON Web Tokens. Several authentication and authorization modules can be chained. Depending on your configuration, Search Guard extracts the credentials from the request, authenticates them against the configured modules in order, and assigns roles to the authenticated user.
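The "extract credentials, authenticate, assign roles" chain is configured in sg_config.yml. The fragment below is an added example (not the post's or the project's own configuration) with two authentication domains: client-certificate authentication is tried first, HTTP Basic against the internal user database second. Domain names and proxy addresses are invented; the keys follow the Search Guard 5 format and should be checked against the docs for your version.

```yaml
# sg_config.yml, authentication chain. Example configuration, not from the post.
searchguard:
  dynamic:
    http:
      # An anonymous user is "authenticated" without any credentials and gets
      # whatever roles sg_anonymous is mapped to. Keep it off unless you mean it.
      anonymous_auth_enabled: false
      xff:
        # Trust X-Forwarded-For only when the request really came through one of
        # your own proxies. Otherwise any client can forge the header and spoof
        # its address in the audit log and in proxy-based authentication.
        enabled: true
        internalProxies: '10\.0\.0\.10|10\.0\.0\.11'   # regex; placeholder addresses
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      # Domains are tried in ascending 'order'; the first one that authenticates
      # the user wins. A domain that finds no credentials of its kind in the
      # request is skipped, so a request without a client certificate falls
      # through to Basic authentication below.
      clientcert_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: clientcert        # user name = DN of the TLS client certificate
          challenge: false        # never answer with WWW-Authenticate for this domain
        authentication_backend:
          type: noop              # the TLS handshake already proved identity
      basic_internal_auth_domain:
        enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true         # send WWW-Authenticate: Basic so browsers prompt
        authentication_backend:
          type: intern            # users and bcrypt hashes from sg_internal_users.yml
    # authz: would hold the enterprise LDAP/Active Directory backend that adds
    # backend roles to an already authenticated user; omitted in this example.
```

Note that certificate authentication only works if the HTTP layer asks for client certificates in the first place (clientauth_mode OPTIONAL or REQUIRE in elasticsearch.yml); with NONE the first domain is skipped for every request.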


Role-based permissions – at every level, as granular as you need

Permissions can be configured on cluster, index, document and field level, and they can be as granular as you need them to be.

  • Cluster-level
    • Who can access nodes stats or check the cluster health?
  • Index-level
    • Who can create, modify or delete documents of certain types?
  • Document-level
    • Who has access to sensitive documents in the result set?
  • Field-level
    • Which fields are visible for the currently logged in user?

Search Guard ships with many predefined permission sets, like READ, WRITE, SEARCH or CREATE_INDEX. If you need more fine grained permissions, simply define and use your own permission set. Want to restrict the execution of bulk operations to DevOps only? Want to exclude certain users from creating an index alias? Search Guard gives you full control over all permitted activities, down to the single action level.

Audit logging – stay compliant

The audit log module keeps track of user activity in your cluster and lets you configure which events to record, from failed login attempts only up to everything that happens in the cluster. Configure what you want to see and let Search Guard do the rest.

Audit events can be stored in the same or a separate Elasticsearch cluster for further analysis. Shipping them to a separate cluster, or to an off-site service such as Logsene, means that an attacker who compromises the production cluster cannot delete the evidence of how they got in. Do you already have a SIEM in place? Search Guard can also ship audit events to any external system that accepts webhooks, and it has a public API for writing your own storage implementation.
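Here is what the two choices above look like in elasticsearch.yml, together with a category selection that keeps the security-relevant events and drops the per-request noise. This is an added example, not configuration from the post or the project; hostnames, the account name and the index name are placeholders, and the setting and category names are those of the Search Guard 5 line, to be verified against the docs for your version.

```yaml
# elasticsearch.yml, audit logging section. Example configuration, not from the post.

# Option 1: write events to a separate, independently secured cluster, so that an
# attacker who owns the production cluster cannot delete the evidence.
searchguard.audit.type: external_elasticsearch
searchguard.audit.config.http_endpoints:
  - 'audit-1.example.internal:9200'      # placeholder hosts
  - 'audit-2.example.internal:9200'
searchguard.audit.config.index: 'auditlog'
searchguard.audit.config.enable_ssl: true
searchguard.audit.config.verify_hostnames: true
searchguard.audit.config.pemtrustedcas_filepath: audit-root-ca.pem
# A write-only account on the audit cluster. Do not reuse an admin credential:
# the production nodes hold this password in clear text.
searchguard.audit.config.username: auditwriter
searchguard.audit.config.password: '<write-only password, not shown here>'

# Option 2, instead of the block above: push JSON events to a webhook-capable SIEM.
# searchguard.audit.type: webhook
# searchguard.audit.config.webhook.url: 'https://siem.example.internal/ingest/searchguard'
# searchguard.audit.config.webhook.format: JSON
# searchguard.audit.config.webhook.ssl.verify: true

# What to record. Categories: FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS,
# SSL_EXCEPTION, SG_INDEX_ATTEMPT, AUTHENTICATED, GRANTED_PRIVILEGES.
# Disabling the last two keeps every failure and every attempt to touch the
# Search Guard index while dropping the one-event-per-request noise of each
# successful call. Remove the two lines to record everything.
searchguard.audit.config.disabled_categories:
  - AUTHENTICATED
  - GRANTED_PRIVILEGES
# Include the request body in the event: costs storage, but shows what was tried.
searchguard.audit.enable_request_details: true
# The Kibana server user polls the cluster constantly; its own traffic is noise.
searchguard.audit.ignore_users:
  - kibanaserver
```

If you do keep AUTHENTICATED and GRANTED_PRIVILEGES enabled, size the audit cluster for roughly one event per request, and make sure the ignore list covers monitoring and health-check accounts as well.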


Bonus: Kibana Multitenancy

Kibana does not support multi-tenancy out of the box: all saved objects, such as visualizations and dashboards, live in one global index (.kibana) and are potentially accessible to any user who can log in. This is where the Search Guard multi-tenancy module comes to the rescue.

Define one or more tenants for each Search Guard role, and get true separation of saved searches, visualizations and dashboards in Kibana. Create dedicated dashboards for each department, and share others company-wide. The multi-tenancy module is enforced in Elasticsearch itself, using the same access control as the rest of Search Guard: each tenant's saved objects live in their own Elasticsearch index protected by the role's permissions, so querying Elasticsearch directly to bypass Kibana gains an attacker nothing.
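The permission levels from the role-based permissions section and the tenants described here end up in the same files, so here is one worked set of them as an added example (not the post's or the project's own configuration): a role for finance analysts that can read only finance indices, only documents of their own department, only two fields of those documents, and that gets a private Kibana tenant plus read-only access to a shared one; and a certificate-authenticated ETL role restricted to bulk indexing by a custom permission set. Index names, field names, the department value, user names and DNs are invented; the action names are Elasticsearch's and the file layout is Search Guard 5's.

```yaml
# sg_action_groups.yml: a custom permission set ("restrict bulk operations to DevOps").
# Example configuration, not from the post. Action names are Elasticsearch's own.
BULK_INDEX_ONLY:
  - "indices:data/write/bulk*"     # bulk and the per-shard bulk[s] sub-action
  - "indices:data/write/index"
---
# sg_roles.yml
sg_finance_analyst:
  cluster:
    # Needed so that _msearch and _mget work; still read-only at cluster level.
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'finance-*':                     # index level: only indices matching this pattern
      '*':                           # all document types in those indices
        - READ                       # predefined action group (search and get)
      # document level: this query is AND-ed onto every search (assumed field name)
      _dls_: '{"term": {"department": "finance"}}'
      # field level: only these fields survive in the returned documents
      _fls_:
        - 'amount'
        - 'booking_date'
  tenants:
    finance: RW                      # private Kibana tenant for this role
    company_wide: RO                 # shared dashboards, read-only for analysts

sg_etl_writer:
  cluster:
    - CLUSTER_COMPOSITE_OPS          # bulk is a composite operation at cluster level
  indices:
    'finance-*':
      '*':
        - BULK_INDEX_ONLY            # custom group above: may index, may not delete
---
# sg_roles_mapping.yml: who gets the roles above
sg_finance_analyst:
  backendroles:
    - finance                        # group name from LDAP or sg_internal_users.yml
sg_etl_writer:
  users:
    - 'CN=etl-pipeline,OU=Batch,O=Example Corp,C=DE'   # TLS client cert DN, no password
```

Two things worth checking after applying such a configuration: that a finance analyst's search against finance-* returns no document whose department field differs from the DLS value, and that a direct GET on the tenant's .kibana index with a non-analyst account is refused, since that is exactly the bypass the module is meant to close.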


Configuration management simplified

The complete user, role and permission configuration is stored in a dedicated Search Guard index in Elasticsearch itself. You can use the sgadmin command line tool, or the REST management API to apply changes.


This approach simplifies the configuration management in many aspects:

  • Config hot reloading – no restarts required
    • Any changes to the configuration are propagated to all nodes in the cluster automatically. They take effect immediately without requiring a node restart. Add and remove roles, change permissions or activate document-level security, all while your cluster is running.
  • Single place for configuration
    • Since the configuration is kept in an Elasticsearch index, there’s no need anymore to place sensitive configuration files on each node physically. Manage the complete Search Guard configuration from a single place.
  • Update from any machine
    • You can change the configuration from any machine that can reach the transport port of your cluster and holds one of the admin client certificates listed in elasticsearch.yml (searchguard.authcz.admin_dn). That certificate is effectively the master key to the cluster, so guard it accordingly.

Security means Open Source by definition

When it comes to security solutions, closed-source software is a no-go. If you cannot inspect the code, you cannot be sure that the implementation is sound and does what it is supposed to do, nor that it does not call home or contain backdoors.

We strongly believe that if you are serious about security, you need the option to inspect the code, run your own security audits, and build the software yourself if required. Search Guard is completely Open Source, so you have full access to the source code, including all enterprise modules. Don't just take our word for it: audit our code yourself, as many major companies already have.

Where to go next?

  • Read our post on how to secure Kibana for free by using the Community edition of Search Guard: Secure Kibana for free
  • Explore other alternatives to X-Pack components
  • Head over to the Search Guard GitHub repository and check the quick start guide
  • Deep-dive into Search Guard by reading the official documentation
  • Ask questions on the Search Guard Google Group
  • Read about our fair, flexible and affordable enterprise license model
  • Follow us on Twitter to stay up-to-date with new releases and features
