Siren Platform User Guide

Using Siren Alert with Search Guard


In a production environment, you should use unique passwords and valid trusted certificates. For more information, refer to the Search Guard documentation.

Install Search Guard
  • Install the Search Guard plugin for your Elasticsearch version, for example:

    <ES folder>/bin/elasticsearch-plugin install
  • cd <ES folder>/plugins/search-guard-<version>/tools
  • Execute ./ (chmod the script first if necessary). This generates all required TLS certificates and adds the Search Guard configuration to your elasticsearch.yml file.
  • Start Elasticsearch ./bin/elasticsearch.
  • Execute ./ (chmod the script first if necessary). This runs sgadmin and populates the Search Guard configuration index with the files contained in the plugins/search-guard-/sgconfig folder.
  • Test the installation.

    curl -uadmin:admin -sS -i --insecure -H "Content-Type: application/json" -XGET https://localhost:9200/_searchguard/authinfo?pretty
Allow Siren Alert access

Allow Siren Alert to access watcher and credit_card indices in sg_roles.yml.

    - cluster:admin/xpack/monitoring*
      - INDICES_ALL
      - indices:data/read/search
      - MANAGE
      - INDEX
      - READ
      - WRITE
      - DELETE
      - indices:data/read/search
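The fragment below is an added example, not text from the Siren guide, showing how the permissions listed above fit into a complete Search Guard 6 role and how that role is mapped to the Siren Investigate user. The role name sg_siren_alert, the index pattern watcher*, the decision to give credit_card read-only access (Siren Alert writes its own state to the watcher indices but only queries credit_card) and the user name in the mapping are assumptions; adjust them to your deployment.

```yaml
# sg_roles.yml (added example; role name and index patterns are assumed)
sg_siren_alert:
  cluster:
    - cluster:admin/xpack/monitoring*        # cluster permission from the guide
  indices:
    'watcher*':                              # Siren Alert's own indices: full control
      '*':                                   # applies to all document types
        - INDICES_ALL                        # already includes MANAGE, INDEX, READ, WRITE, DELETE
    'credit_card':                           # data index the watchers query: read only
      '*':
        - READ
        - indices:data/read/search
---
# sg_roles_mapping.yml (added example; binds the role to the Investigate user)
sg_siren_alert:
  users:
    - investigateserver                      # user configured in investigate.yml
```

After editing the files, re-run the sgadmin step from the next section so the configuration index picks up the new role; Search Guard reads roles from the index, not from the files on disk. Listing INDICES_ALL together with MANAGE, INDEX, READ, WRITE and DELETE on the same pattern is harmless but redundant, since INDICES_ALL already expands to every index action.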
Apply Search Guard configuration
  • cd into elasticsearch
  • For Search Guard 6, execute:

    ./plugins/search-guard-6/tools/ -cd plugins/search-guard-6/sgconfig/ -ts config/truststore.jks -ks config/kirk.jks -icl -nhnv

    For Search Guard 5, change the version number to 5. For more information, see

Installing the Search Guard plugin
  • cd into the siren-investigate folder.
  • Execute:

    ./bin/investigate-plugin install
  • Set an HTTPS connection to Elasticsearch in siren-investigate/config/investigate.yml.

    elasticsearch.url: "https://localhost:9200"
  • Set the Siren Investigate user and password in siren-investigate/config/investigate.yml.

    elasticsearch.username: "investigateserver"
    elasticsearch.password: "investigateserver"
  • Disable SSL certificate validation in siren-investigate/config/investigate.yml.

    elasticsearch.ssl.verificationMode: 'none'
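As an added illustration of the point made at the top of this page (not part of the Siren guide), the following fragment places the quick-start settings from the steps above beside the values a production investigate.yml should carry. The certificate path /etc/siren/root-ca.pem is a placeholder, and the key elasticsearch.ssl.certificateAuthorities is the name used by Kibana-based configurations; confirm it against the investigate.yml reference for your Investigate version.

```yaml
# investigate.yml, quick-start settings from the steps above.
# The verification mode 'none' accepts any certificate the cluster presents,
# and the password equals the user name.
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "investigateserver"
elasticsearch.password: "investigateserver"
elasticsearch.ssl.verificationMode: 'none'

---
# investigate.yml, production settings (added example; path is a placeholder).
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "investigateserver"
elasticsearch.password: "<unique password set with sgadmin or the Search Guard internal user store>"
# Trust only the CA that signed the Elasticsearch node certificates ...
elasticsearch.ssl.certificateAuthorities: [ "/etc/siren/root-ca.pem" ]
# ... and verify both the chain and the host name in the certificate.
elasticsearch.ssl.verificationMode: full
```

With verificationMode set to full, Investigate refuses to connect if the node certificate is not signed by the listed CA or does not match the host in elasticsearch.url, which is the behaviour you want once the self-signed demo certificates generated during installation have been replaced.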

