Search Guard Classic overview
Search Guard Classic is the original security and authentication plugin for Elasticsearch, providing access control, authentication, authorization, and TLS encryption. This section documents the setup and integration process for Search Guard Classic with Siren Investigate, as it was prior to the introduction of Search Guard FLX.
Search Guard Classic is not supported on Elasticsearch 8 and later. For new installations or upgrades to Elasticsearch 8+, use Search Guard FLX or Elastic Stack security instead.
Overview
Search Guard Classic secures Elasticsearch clusters by enforcing authentication and authorization for all requests. It supports multiple authentication backends (LDAP, Active Directory, Kerberos, proxy, etc.), role-based access control, and audit logging. TLS encryption is required for all node-to-node and client-to-node communication.
Typical steps to secure a cluster with Search Guard Classic:
- Install the Classic plugin on every Elasticsearch node (the plugin version must match the Elasticsearch version).
- Generate or provide a certificate authority (CA) and issue:
  - Node certificates (with the OID required by Classic)
  - Admin certificate (for the sgadmin tool)
  - Optional client certificates (if using mutual TLS)
- Enable TLS on both the transport and HTTP layers in elasticsearch.yml.
- Prepare the Classic configuration files (sg_config.yml, sg_roles.yml, sg_roles_mapping.yml, sg_action_groups.yml, sg_internal_users.yml, etc.) and upload them with the sgadmin tool.
- Configure Siren Investigate:
  - Set elasticsearch.url to the HTTPS endpoint.
  - Add CA certificate paths so the TLS handshake validates the cluster.
  - Configure credentials or a client certificate, depending on the chosen auth backend.
- Validate by logging in and running queries.
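A pre-flight check for the Siren Investigate step, added here as an illustration and not part of the Search Guard or Siren documentation. It assumes settings are held as flat dotted keys as in investigate.yml; elasticsearch.url is from the checklist above, while the elasticsearch.ssl.* and username/password key names are assumed Kibana-style names, so confirm them against your Siren Investigate version.

```python
from urllib.parse import urlparse

# Constructed sample settings. WEAK is a plain-HTTP setup with no CA and no
# credentials; HARDENED is the shape the checklist above asks for.
WEAK = {
    "elasticsearch.url": "http://localhost:9220",
}
HARDENED = {
    "elasticsearch.url": "https://es-node1.example.internal:9220",
    "elasticsearch.ssl.certificateAuthorities": ["/etc/siren/ca/root-ca.pem"],
    "elasticsearch.ssl.verificationMode": "full",
    "elasticsearch.username": "sirenserver",
    "elasticsearch.password": "${SIREN_ES_PASSWORD}",
}


def preflight(cfg):
    """Return a list of problems found in the settings; empty means all checks passed."""
    problems = []

    # Classic requires TLS on the HTTP layer, so the endpoint must be https.
    url = cfg.get("elasticsearch.url", "")
    if urlparse(url).scheme != "https":
        problems.append("elasticsearch.url must be an https endpoint")

    # Without a CA path the handshake cannot validate the cluster's node certs.
    if not cfg.get("elasticsearch.ssl.certificateAuthorities"):
        problems.append("no CA certificate path: TLS handshake cannot validate the cluster")

    # Assumed key: Kibana-style verificationMode; anything but 'full' skips
    # hostname or chain validation and makes the CA path pointless.
    if cfg.get("elasticsearch.ssl.verificationMode", "full") != "full":
        problems.append("elasticsearch.ssl.verificationMode weakened from 'full'")

    # Exactly one credential style is expected, matching the chosen auth backend.
    has_basic = bool(cfg.get("elasticsearch.username")) and bool(cfg.get("elasticsearch.password"))
    has_client_cert = bool(cfg.get("elasticsearch.ssl.certificate")) and bool(cfg.get("elasticsearch.ssl.key"))
    if not (has_basic or has_client_cert):
        problems.append("no credentials: set username/password or a client certificate and key")

    return problems


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, preflight(cfg) or "OK")
```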
For detailed steps, see the integration and configuration sections above.