Search Guard | Security for Elasticsearch and the ELK stack

Rock solid enterprise security on all levels

Search Guard gives you full security control over your entire Elasticsearch environment. Whether you just want to encrypt data in transit, authenticate users against Active Directory, use Kerberos or JSON web tokens for Single Sign On or need to monitor and log malicious access attempts, Search Guard is your one-stop-shop solution.

View plans & pricing Read the official documentation

Search Guard puts “Security First”. Your data is too valuable and sensitive to take any shortcut.

Completely
Open Source

Worried about backdoors or hidden functionalities? Want to check that Search Guard does not “call home”? Need to do an internal audit before using it in production? We think that security software has to be Open Source by definition, so all of our code is available for you to download, inspect, evaluate and audit.

Compliance
Features

Security compliance regulations like GDPR, HIPAA, PCI-DSS or SOX require a business to protect, track and control access to sensitive data. Search Guard offers an extensive range of features that will help you to meet the technical requirements of compliance regulations.

Fortune
500 companies

A wide variety of enterprises, from Fortune 500 companies to the most innovative start-ups around the world, are trusting in Search Guard to secure their environments, and for good reason. Search Guard runs on high-scale mission-critical production clusters protecting sensitive data in the finance, healthcare, pharmaceutical, aviation, telecommunications, security, and data intelligence sectors.

What do you get with Search Guard?

Search Guard is your one-stop-shop solution when it comes to security and compliance. Versatile, flexible and battle-proven.

Unlimited Nodes Licensing

Search Guard is licensed per production cluster, not per node. The license has no node-limit, so you don’t need to worry about ever increasing prices. Scale your cluster, not your cost! All other systems, like development, staging, integration, test and the like, are also included at no additional cost.

TLS encryption for data in transit

We support TLS encryption for all data in transit, on REST and also on Transport layer. Make sure your traffic cannot be stolen or tampered with, and that only trusted nodes can join your cluster. Take the first step towards compliance!

Encryption at rest support

Search Guard supports encryption at rest on a file system level by using libraries like dm-crypt.

Active directory & LDAP

Leverage your existing Active Directory or LDAP servers for Elasticsearch authentication and authorization. Our flexible configuration makes it possible to map nearly any Directory structure to Search Guard roles. We support role subtrees, attribute-based roles and also nested roles.

Kerberos / SPNEGO

Especially in Windows environments, Kerberos is the authentication method of choice. Search Guard supports Kerberos and SPNEGO natively, so it integrates perfectly with any Windows-based Single Sign On infrastructure.

Index-level security / RBAC

Search Guard provides fine-grained role-based access to any index in your cluster. Control exactly what a user is able to do with your valuable data by using either pre-defined permission sets like READ, WRITE, DELETE, or by granting access based on individual Elasticsearch actions.

Document- and field-level security

Document-level security restricts a user’s access to certain documents within an index. Field-level security enables you to include or exclude fields from the documents in the search result. This gives you full control over which roles can see what data, all the way down to individual fields.

Audit logging enables you to track access to your Elasticsearch cluster, log security related events and provide evidence in case of an attack. Audit logging helps you to stay compliant with security regulations like GDPR, HIPAA, ISO, PCI or SOX.

Document-level security restricts a user’s access to certain documents within an index. Field-level security enables you to include or exclude fields from the documents in the search result. This gives you full control over which roles can see what data, all the way down to individual fields.

Read and write history

Sometimes logging audit events is not enough, and you need to keep track of what is going on in your cluster at a deeper level. For example, to maintain compliance with GDPR. Search Guard can monitor and store any read or write access at document and field level. You know exactly which user has seen or modified which documents and fields, and when. This is compliance implemented in the right way.

System integrity checks

Any change to your Elasticsearch and Search Guard infrastructure can be monitored and recorded. Need to prove that your security configuration has not been altered? Want to know what access permissions a particular role had seven months ago? Or need to make sure that critical security patches have been installed on time? Our compliance features enable you to do all of these things.

Field anonymization

Before returning results to the client Search Guard can anonymise fields on a per-role basis. No need to anonymise at ingest time anymore!

Kibana multitenancy

Tired of Kibana users being able to see all your dashboards and visualizations? Meet Search Guard multitenancy, which allows you to set up different spaces in Kibana which are only accessible for certain roles. Want to separate dashboards by department or role? With Search Guard multitenancy you can!

Kibana Single Sign-On

We support Kibana Single Sign-On and offer a variety of technologies to choose from, including SAML, OpenID, Kerberos, JWT or Proxy authentication.

Search Guard supports SAML and integrates perfectly with identity providers like Okta, Auth0, Keycloak, OneLogin or any other SAML compliant provider.

JSON Web Token / OpenID

JSON Web Tokens (JWT) are an open, industry standard method for implementing lightweight Single Sign On solutions. We support JWT out of the box, so Search Guard integrates perfectly with any Identity Provider that supports JWT or OpenID.

REST management API

The REST management API is a great tool to automate the management of users, roles and permissions in your running cluster. Integrate Search Guard with tools like Ansible, Chef or Puppet, or configure any aspect of Search Guard with a simple curl command.

Configuration GUI

Search Guard can be configured by using our powerful command line tools from any machine that has access to your cluster. But sometimes you want a more visual way of configuration, or give your users and customers self-access. Meet our Kibana-based configuration GUI which makes it super-easy to manage all aspects of Search Guard.

Fully compatible with the Elastic stack

Search Guard is compatible with the Elastic stack, including Kibana, Logstash, Beats and X-Pack.

Cross cluster search support

Search Guard is compatible with Cross Cluster Search and tribe nodes. You can use all Search Guard features without limitations.

Fully compatible with Docker and AWS

Search Guard runs perfectly on virtualised or containerised environments like Docker or AWS.

View complete feature comparison Download licensing overview pdf

Our licensing model

Search Guard offers several licensing models to fit your infrastructure and requirements.

Search Guard

Community Edition

Your basic needs are covered,
completely free of charge.

Search Guard

Enterprise Edition

Unlimited nodes.
Scale your cluster, not your cost.

Get a quote now!

Search Guard

Compliance Edition

Stay compliant with
Data Protection Regulations.

Get a quote now!

If you need a custom solution because your infrastructure
doesn’t fit in with any of the editions, get in touch with us.
If you need an academic license, please fill in the form here.

Find a distribution partner near you Interested in an OEM contract?

Search Guard in use

Search Guard is in use worldwide, by companies of all sizes and in a broad range of industry sectors.

Main industry sectors

Finance

Healthcare

Science

Governmental

Big Data

Aerospace

E-Commerce

Legal

Telecommunications

Education

What people say

"The protection of personal information is very important at the British School of Bucharest. After extensive research we have come to the conclusion that Search Guard, is the best option in order to protect our ELK stack. Being an open source software, with very good documentation and features to help with compliance, including GDPR, we believe Search Guard is a must for any business that wants to stay on top of their IT systems security."

Alexandru Voinea, IT Manager British School of Bucharest
"The Steinbuch Centre for Computing at KIT is using Search Guard to secure Elasticsearch instances operated in the World Wide LHC Computing Grid Tier-1 center "GridKa" and in the Large Scale Data Facility. Without fine-grained access control we would be unable to expose Elasticsearch to individual users or use single instances for both private and public data. The multitenancy features for Kibana offered by Search Guard are specially useful, enabling us to also use Kibana for public dashboards."

Andreas Petzold, Manager “GridKa” WLCG Tier-1 Center Karlsruhe Institute of Technology (KIT) Steinbuch Centre for Computing (SCC)
"Search Guard makes it possible for us to use the ELK-Stack in a productive environment. We chose Search Guard primarily because of the Active Directory and role-permission features. We find their licensing model incredibly helpful, as well as the fact that we are able to use an unlimited amount of nodes."

Arno Haß, Projektleiter Max-Delbrück-Centrum für molekulare Medizin
"Security is the prerequisite for every project in the IT industry, especially when it comes to data. HEAnet chooses Search Guard to protect its ELK cluster because it provides node-to-node encryption (TLS) and more features such as multi-tenancy, compliance, unlike its competitors who only provide security on the REST layer."

Yasvanth Babu, Middleware System Administrator HEAnet CLG

Sign up for our newsletter

Sign up for the Search Guard newsletter. We will only send out useful updates, and never spam you. And that's a promise!