Siren Platform User Guide

Using Siren Alert with Search Guard

Caution

In a production environment, you should use unique passwords and valid trusted certificates. For more information, refer to the Search Guard documentation.

Install Search Guard
  • Install the Search Guard plugin for your Elasticsearch version, for example:

    <ES folder>/bin/elasticsearch-plugin install https://github.com/floragunncom/search-guard/releases/tag/ves-5.5.2-16
  • cd <ES folder>/plugins/search-guard-<version>/tools
  • Execute ./install_demo_configuration.sh (make the script executable with chmod first if necessary). This generates all required TLS certificates and adds the Search Guard configuration to your elasticsearch.yml file.
  • Start Elasticsearch with ./bin/elasticsearch.
  • Execute ./sgadmin_demo.sh (make the script executable with chmod first if necessary). This runs sgadmin and populates the Search Guard configuration index with the files contained in the plugins/search-guard-/sgconfig folder.
  • Test the installation.

    curl -uadmin:admin -sS -i --insecure -H "Content-Type: application/json" -XGET https://localhost:9200/_searchguard/authinfo?pretty
Allow Siren Alert access

Allow Siren Alert to access the watcher and credit_card indices by adding the following to the sg_kibana_server role in sg_roles.yml. Note that the watcher* indices are granted full read and write access, while the credit_card index is granted search access only.

sg_kibana_server:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    'watcher*':
      '*':
        - indices:data/read/search
        - MANAGE
        - CREATE_INDEX
        - INDEX
        - READ
        - WRITE
        - DELETE
    'credit_card':
      '*':
        - indices:data/read/search
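As an added check (example code, not part of the Siren guide or of Search Guard), the script below parses a constructed copy of the watcher* and credit_card entries of the role above and lists which index patterns the role can modify, so that a read-only index such as credit_card is never accidentally granted write permissions. The set of write-capable action groups is an assumption based on Search Guard's default action groups.

```python
# Added least-privilege check: which index patterns can the sg_kibana_server role modify?
# Constructed copy of the watcher*/credit_card entries of the role shown in this guide.
SAMPLE_ROLES = """\
sg_kibana_server:
  indices:
    'watcher*':
      '*':
        - indices:data/read/search
        - MANAGE
        - CREATE_INDEX
        - INDEX
        - READ
        - WRITE
        - DELETE
    'credit_card':
      '*':
        - indices:data/read/search
"""
# Action groups that can create, change or delete data (assumption based on Search Guard's defaults).
WRITE_GROUPS = {"ALL", "INDICES_ALL", "MANAGE", "CREATE_INDEX", "INDEX", "WRITE", "DELETE"}

def parse_roles(text):
    # Minimal parser for the indented mapping/sequence subset that sg_roles.yml uses.
    lines = [(len(ln) - len(ln.lstrip()), ln.strip()) for ln in text.splitlines() if ln.strip()]
    stack = [(-1, {})]                      # (indent, container) of the currently open blocks
    for i, (indent, line) in enumerate(lines):
        while stack[-1][0] >= indent:       # leave blocks nested at this indent or deeper
            stack.pop()
        parent = stack[-1][1]
        if line.startswith("- "):           # sequence item (may itself contain ':')
            parent.append(line[2:].strip("'\" "))
        else:
            key, _, val = line.partition(":")
            key = key.strip("'\" ")
            if val.strip():
                parent[key] = val.strip("'\" ")
            else:                           # empty value: peek ahead to pick list or dict
                nxt = lines[i + 1][1] if i + 1 < len(lines) else ""
                parent[key] = [] if nxt.startswith("- ") else {}
                stack.append((indent, parent[key]))
    return stack[0][1]

def write_patterns(roles, role="sg_kibana_server"):
    # Index patterns the role may modify, with the permissions that grant it.
    found = {}
    for pattern, types in roles[role].get("indices", {}).items():
        perms = [p for plist in types.values() for p in plist
                 if p in WRITE_GROUPS or p.startswith(("indices:data/write", "indices:admin"))]
        if perms:
            found[pattern] = perms
    return found
```

Running write_patterns(parse_roles(SAMPLE_ROLES)) reports only watcher*; if credit_card ever shows up in the result, the role grants more than the search-only access this guide intends.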
Apply Search Guard configuration
  • cd into the Elasticsearch folder.
  • For Search Guard 6, execute:

    ./plugins/search-guard-6/tools/sgadmin.sh -cd plugins/search-guard-6/sgconfig/ -ts config/truststore.jks -ks config/kirk.jks -icl -nhnv

    For Search Guard 5, change the version number in the plugin paths to 5. For more information, see http://docs.search-guard.com/latest/sgadmin.

Installing the Search Guard plugin
  • cd into the siren-investigate folder.
  • Execute:

    ./bin/investigate-plugin install https://github.com/floragunncom/search-guard-kibana-plugin/releases/download/v5.6.13-7/searchguard-kibana-5.6.13-7.zip
  • Set the Elasticsearch connection to HTTPS in siren-investigate/config/investigate.yml.

    elasticsearch.url: "https://localhost:9200"
  • Set the Siren Investigate username and password in siren-investigate/config/investigate.yml.

    elasticsearch.username: "investigateserver"
    elasticsearch.password: "investigateserver"
  • Disable SSL certificate verification in siren-investigate/config/investigate.yml. This is needed for the self-signed demo certificates generated above; see the caution at the top of this page for production deployments.

    elasticsearch.ssl.verificationMode: 'none'