Integrating Search Guard FLX
This section describes how to install and configure Search Guard FLX on an Elasticsearch cluster and integrate it with Siren Investigate. If you need to migrate from a previous Classic deployment, see the upgrade / migration page.
Before you begin
-
Ensure that Siren Investigate is running with HTTPS enabled. For more information, see Enabling HTTPS in Siren Investigate.
-
Ensure that you have prepared all required security certificates (cluster CA, node certs, admin cert, optional client certs). For more information, see Setting up security certificates.
-
Download the FLX admin tool compatible with your Elasticsearch / FLX version from the official Search Guard download portal.
Installing Search Guard FLX
A first installation requires a rolling restart (or full restart for single‑node) because TLS must be enabled on the transport layer across all nodes.
Disable shard allocation (multi‑node clusters)
Optionally disable shard allocation to speed up the restart sequence:
./sgctl.sh rest put _cluster/settings --json '{"persistent":{"cluster.routing.allocation.enable": "none"}}'
or using curl:
curl -s -XPUT 'http://localhost:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
"persistent": {
"cluster.routing.allocation.enable": "none"
}
}
'
Install the plugin
Install the Search Guard FLX plugin on every node (run inside the Elasticsearch home directory):
bin/elasticsearch-plugin install -b <link to a compatible Search Guard FLX release>
If Elasticsearch was installed from a package, the command is usually at |
After installation, copy these files into each node’s config
directory:
-
CA bundle (e.g.
chain-ca.pem
). -
Node certificate (e.g.
node01.crtfull.pem
). -
Node private key (e.g.
node01.key.pem
). -
(Optional) Admin certificate/key pair if not already present on the node where you will run the admin tool.
Configure elasticsearch.yml
Add (or adjust) the following minimal FLX TLS and admin settings (adapt filenames, passwords):
# Disable built‑in security if required for your distribution/version
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: "node01.crtfull.pem"
searchguard.ssl.transport.pemkey_filepath: "node01.key.pem"
searchguard.ssl.transport.pemkey_password: "password"
searchguard.ssl.transport.pemtrustedcas_filepath: "chain-ca.pem"
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: "node01.crtfull.pem"
searchguard.ssl.http.pemkey_filepath: "node01.key.pem"
searchguard.ssl.http.pemkey_password: "password"
searchguard.ssl.http.pemtrustedcas_filepath: "chain-ca.pem"
# Distinguished names (DNs) of admin certificates allowed to upload FLX configs
searchguard.authcz.admin_dn:
- "CN=sgadmin"
# Allow Siren Federate custom headers
searchguard.allow_custom_headers: "_siren_.*"
Ensure files in the |
Restart each node (rolling) and verify logs for successful FLX initialization.
Search Guard FLX configuration
FLX configuration (authc chain, users / backends, roles, action groups, tenants) resides in a set of YAML files uploaded to a special index via the admin tool.
Typical files:
-
sg_config.yml
– general / auth chain. -
sg_action_groups.yml
– reusable permission groupings. -
sg_roles.yml
– role definitions. -
sg_internal_users.yml
– internal user store (if used). -
sg_roles_mapping.yml
– map external backend roles / users to FLX roles. -
sg_tenants.yml
– tenant definitions (required even if tenants unused).
Sample (role excerpt):
investigate_user:
cluster_permissions:
- CLUSTER_COMPOSITE_OPS_RO
- CLUSTER_INTERNAL_FEDERATE
index_permissions:
- index_patterns:
- 'data-*'
allowed_actions:
- READ
- VIEW_INDEX_METADATA
Action group names and structure may evolve between Classic and FLX. Always verify against the FLX version matrix. |
Connecting to the cluster
The admin tool must connect to the cluster over HTTPS. If using a client certificate for authentication, provide the certificate and key files. Example command:
sgctl connect localhost --ca-cart /path/to/root-ca.pem --cert /path/to/admin-cert.pem --key /path/to/admin-cert-private-key.pem
Upload configuration
Use the sgctl
command line tool to upload your configuration files. Replace the paths and filenames as needed:
sgctl update-config path/to/config/dir/
This command uploads all YAML configuration files from the sgconfig
directory to the cluster. For more options and details, consult the Search Guard FLX documentation.
Check output for success messages (index created / config updated).