Version: 7.x-51.0.0

Using Cerebro with Search Guard

Cerebro connects to Elasticsearch on the REST layer, just like a browser or curl. Cerebro detects HTTP Basic Authentication automatically, so you only need to set up TLS. If you are using self-signed certificates, you have two options:

  • disable certificate validation (not recommended)
  • configure the root CA in Cerebro (recommended)

Setting up a root CA

To configure your root CA in Cerebro, add the following configuration to application.conf: {
  trustManager = {
    stores = [
      { type = "PEM", path = "/path/to/root-ca.pem" }

Disabling certificate validation

To disable certificate validation, add the following configuration to application.conf:

Cerebro user

Since Cerebro is an admin tool for Elasticsearch, the user should have full permissions to manage the cluster. If you use the sample configuration Search Guard ships with, you can use the SGS_ALL_ACCESS role.

Pre-configuring clusters

Cerebro also allows to pre-configure clusters in application.conf, for example:

hosts = [
    host = ""
    name = "Search Guard Secured Cluster"
    auth = {
      username = "admin"
      password = "admin"

Not what you were looking for? Try the search.