Skip to content
Search Guard is an Open Source Elasticsearch plugin that offers encryption, authentication, and authorisation.
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci [CI] Fix and optimize Circle CI builds Mar 26, 2019
.github add pull request template Dec 27, 2016
dev do not fail in case a veracode upload is currently in progress Mar 11, 2019
sgconfig Introduce authentication rate limiting feature to prevent brute force… Apr 19, 2019
src Allow get and exist aliases for all indices Apr 19, 2019
tools Fix sgadmin swallows stderr + show more details in case of config par… Apr 14, 2019
.gitignore update contributing info May 30, 2017
LICENSE 2.2.0-alpha2 Feb 13, 2016
NOTICE.txt Update README to point to the new Search Guard community forum Apr 2, 2019
THIRD-PARTY.txt Update third party info Feb 7, 2018
pom.xml Update Bouncy Castle dependency to 1.61 (ITT-1994) Apr 16, 2019
settings.xml deploy snapshot after successful build Jun 12, 2016 Fix sgadmin swallows stderr + show more details in case of config par… Apr 14, 2019

Search Guard - Security for Elasticsearch


Search Guard(®) is an Elasticsearch plugin that offers encryption, authentication, authorization. It supports authentication via Active Directory, LDAP, Kerberos, JSON web tokens, SAML, OpenID and many more. It includes fine grained role-based access control to indices, documents and fields. Enjoy true multi tenancy in Kibana, and stay compliant with GDPR, HIPAA, PCI, SOX and ISO by using audit and compliance logging.

Search Guard supports OpenSSL for maximum performance and security. The complete code is Open Source.

Community Edition

Search Guard offers all basic security features for free. The Community Edition of Search Guard can be used for all projects, including commercial projects, at absolutely no cost. The Community Edition includes:

  • Full data in transit encryption
  • Node-to-node encryption
  • Certificate revocation lists
  • Role-based cluster level access control
  • Role-based index level access control
  • User-, role- and permission management
  • Internal user database
  • HTTP basic authentication
  • PKI authentication
  • Proxy authentication
  • User Impersonation

Please see here for a feature comparison.

Enterprise and Compliance Edition

The Enterprise Edition on Search Guard adds:

  • Active Directory / LDAP
  • Kerberos / SPNEGO
  • JSON web token (JWT)
  • OpenID
  • SAML
  • Document-level security
  • Field-level security
  • Audit logging
  • Compliance logging for GDPR, HIPAA, PCI, SOX and ISO compliance
  • True Kibana multi-tenancy
  • REST management API

Please see here for a feature comparison.

If you want to use our enterprise features in production, you need to obtain a license. We offer a very flexible licensing model, based on productive clusters with an unlimited number of nodes. Non-productive systems like Development, Staging or QA are covered by the license at no additional cost.

Trial license

You can test all enterprise modules for 60 days. A trial license is automatically created when you first install Search Guard. You do not have to install the trial license manually. Just install Search Guard and you're good to go!


Please refer to the Official documentation for detailed information on installing and configuring Search Guard.

Quick Start

<ES directory>/bin/elasticsearch-plugin install \
  -b com.floragunn:search-guard-6:6.4.0-23.0
  • cd into <ES directory>/plugins/search-guard-<version>/tools

  • Execute ./, chmod the script first if necessary. This will generate all required TLS certificates and add the Search Guard configuration to your elasticsearch.yml file.

  • Start Elasticsearch

  • Test the installation by visiting https://localhost:9200. When prompted, use admin/admin as username and password. This user has full access to the cluster.

  • Display information about the currently logged in user by visiting https://localhost:9200/_searchguard/authinfo.

  • Deep dive into all Search Guard features by reading the Search Guard documentation

Config hot reloading

The Search Guard configuration is stored in a dedicated index in Elasticsearch itself. Changes to the configuration are pushed to this index via the sgadmin command line tool. This will trigger a reload of the configuration on all nodes automatically. This has several advantages over configuration via elasticsearch.yml:

  • Configuration is stored in a central place
  • No configuration files on the nodes necessary
  • Configuration changes do not require a restart
  • Configuration changes take effect immediately



Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries.

Elasticsearch, Kibana and Logstash are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

floragunn GmbH is not affiliated with Elasticsearch BV.

You can’t perform that action at this time.