Search Guard FLX on Elasticsearch 8+

Siren Investigate can be integrated with Elasticsearch 8+ clusters secured by either Elastic Stack security (formerly X-Pack) or Search Guard FLX. Search Guard Classic is not supported on Elasticsearch 8+.

Choosing a Security Solution

  • For new installations on Elasticsearch 8+, you must use either Elastic Stack security or Search Guard FLX.

    Note: If you are upgrading from Elasticsearch 7.x and previously used Search Guard Classic, you must migrate to either Elastic Stack security or Search Guard FLX.

Setting up Search Guard FLX

The process for setting up Search Guard FLX is similar to that for Search Guard Classic, but with important differences:

  1. Install the Search Guard FLX plugin on every Elasticsearch node (the plugin version must match the Elasticsearch version).

  2. Generate or reuse TLS certificates for the nodes and the admin tool. See Setting up security certificates for FLX.

  3. Enable TLS on both transport and HTTP layers in elasticsearch.yml.

  4. Prepare FLX configuration files (roles, role mappings, authc/authz backends, action groups, tenants) and upload them with the FLX admin tool.

  5. Configure Siren Investigate to connect to the secured Elasticsearch endpoints (set elasticsearch.url to HTTPS, provide CA certs, configure credentials or client certs as needed).

  6. Test login and data access in Siren Investigate.
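As an added illustration of steps 3 and 5 (this is example configuration, not taken from the Siren or Search Guard documentation), the fragments below show the TLS settings on both layers in elasticsearch.yml and the matching Siren Investigate connection settings. The searchguard.ssl.* and searchguard.authcz/nodes_dn keys are the standard Search Guard TLS keys; the certificate paths, DNs, hostnames and the elasticsearch.ssl.*/username/password keys in the investigate.yml fragment are assumptions for this example and should be checked against the settings reference of the installed version.

```yaml
# elasticsearch.yml (every node) - added example; paths and DNs are placeholders
# Transport layer: node-to-node TLS, mandatory for Search Guard
searchguard.ssl.transport.pemcert_filepath: certs/node1.pem
searchguard.ssl.transport.pemkey_filepath: certs/node1.key
searchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
# Keep hostname verification on: turning it off lets any certificate signed by
# the CA join the cluster, regardless of which host presents it
searchguard.ssl.transport.enforce_hostname_verification: true

# HTTP (REST) layer: the endpoint Siren Investigate connects to
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certs/node1-http.pem
searchguard.ssl.http.pemkey_filepath: certs/node1-http.key
searchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
# OPTIONAL accepts both password logins and client-certificate logins
searchguard.ssl.http.clientauth_mode: OPTIONAL

# Only a client certificate with this DN may run the FLX admin tool (step 4)
searchguard.authcz.admin_dn:
  - "CN=admin,OU=ops,O=example,L=Test,C=DE"
# Only certificates with these DNs are accepted as cluster nodes (placeholder DN)
searchguard.nodes_dn:
  - "CN=node1.example.internal,OU=ops,O=example,L=Test,C=DE"

---
# investigate.yml - added example; every key except elasticsearch.url is an assumption
# HTTPS, never http://, since the HTTP layer above only speaks TLS
elasticsearch.url: "https://node1.example.internal:9200"
# CA that signed the node's HTTP certificate, so Investigate can verify the server
elasticsearch.ssl.certificateAuthorities: ["/etc/siren/certs/root-ca.pem"]
# Reject a server certificate whose name does not match the host in elasticsearch.url
elasticsearch.ssl.verificationMode: full
# Service user for Investigate; assumed to be defined in the FLX internal users file
elasticsearch.username: "investigate"
# Placeholder only: load the real value from the keystore or a secret store, do not commit it
elasticsearch.password: "<investigate-service-user-password>"
```

If client-certificate login is used instead of a password, the username/password lines are replaced by the Investigate client certificate and key, and the certificate's DN is mapped to a role in the FLX role mappings.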

Migration Guide: Search Guard Classic to FLX

  1. Plan downtime or a rolling restart window.

  2. Export custom roles and action groups from the Classic configuration.

  3. Validate or regenerate TLS certificates as needed.

  4. Translate Classic config blocks into FLX YAML layout.

  5. Remove the Classic plugin and install FLX on all nodes.

  6. Apply FLX configuration using the admin tool.

  7. Restart nodes and verify cluster health and FLX license.

  8. Update Siren Investigate configuration for FLX endpoints and authentication.

  9. Test all user flows.

Do not mix Classic and FLX plugins in the same cluster. Always back up your configuration and keystore before migrating.

For more details, see the Search Guard FLX overview and FLX integration sections.