Elasticsearch security_stats metricset
This is the security_stats metricset of the Elasticsearch module. It queries the Security Stats API endpoint (GET /_security/stats, available since Elasticsearch 9.2) to collect per-node security counters. The endpoint exposes Document Level Security (DLS) cache statistics, which are useful for spotting cache thrash, oversized working sets, and unhealthy hit/miss ratios across a fleet.
Each emitted event is enriched with node.{name,roles,version} (alongside node.id) via a single side-channel /_nodes call per scrape, so consumers can slice by node, role, or stack version without joining across data streams.
The /_security/stats endpoint is only served when the Elasticsearch security feature is enabled (xpack.security.enabled: true). The metricset checks GET /_xpack on each scrape. When security is disabled, it emits a throttled debug log, but no events.
Authorization follows the same model as /_cluster/stats and /_nodes/stats: the caller needs the monitor cluster privilege.
For a description of each field in the metricset, see the exported fields section.
Here is an example document generated by this metricset:
{
  "@timestamp": "2026-04-27T20:00:00.000Z",
  "elasticsearch": {
    "cluster": {
      "id": "WocBBA0QRma0sGpdQ7vLfQ",
      "name": "docker-cluster"
    },
    "node": {
      "id": "f5i3v9hMT_q__q6B9WOo5A",
      "name": "instance-0000000019",
      "roles": ["data_hot", "ingest"],
      "version": "9.2.0"
    },
    "security": {
      "stats": {
        "dls": {
          "cache": {
            "entries": {
              "count": 12
            },
            "memory": {
              "bytes": 4096
            },
            "hits": {
              "count": 8421,
              "time": {
                "ms": 51
              }
            },
            "misses": {
              "count": 137,
              "time": {
                "ms": 219
              }
            },
            "evictions": {
              "count": 4
            }
          }
        }
      }
    }
  },
  "event": {
    "dataset": "elasticsearch.security.stats",
    "duration": 115000,
    "module": "elasticsearch"
  },
  "metricset": {
    "name": "security_stats",
    "period": 10000
  },
  "service": {
    "address": "172.19.0.2:9200",
    "type": "elasticsearch"
  }
}
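To make the cache-thrash and hit/miss use case concrete, the following added example (not part of the Elasticsearch module or its documentation) compares two consecutive events for one node and derives per-interval hit ratio, average miss latency, and eviction count. It assumes the counters are cumulative per node and restart from zero on node restart; the function names and thresholds are hypothetical.

```python
"""Added example: flag DLS cache thrash from two security_stats events."""

def cache_of(event):
    # Field path taken from the example document on this page.
    return event["elasticsearch"]["security"]["stats"]["dls"]["cache"]

def delta(cur, prev):
    # Assumption: counters are cumulative and restart from zero with the node,
    # so a drop means "reset" and the current value is the whole delta.
    return cur - prev if cur >= prev else cur

def dls_cache_health(prev, cur, min_hit_ratio=0.90, max_evictions=100):
    """Compare two events for the same node; thresholds are illustrative."""
    if prev["elasticsearch"]["node"]["id"] != cur["elasticsearch"]["node"]["id"]:
        raise ValueError("events belong to different nodes")
    p, c = cache_of(prev), cache_of(cur)
    hits = delta(c["hits"]["count"], p["hits"]["count"])
    misses = delta(c["misses"]["count"], p["misses"]["count"])
    miss_ms = delta(c["misses"]["time"]["ms"], p["misses"]["time"]["ms"])
    evictions = delta(c["evictions"]["count"], p["evictions"]["count"])
    lookups = hits + misses
    hit_ratio = hits / lookups if lookups else None  # None: idle interval
    findings = []
    if hit_ratio is not None and hit_ratio < min_hit_ratio:
        findings.append("low_hit_ratio")
    if evictions > max_evictions:
        findings.append("eviction_churn")
    return {
        "node": cur["elasticsearch"]["node"]["name"],
        "hit_ratio": hit_ratio,
        "avg_miss_ms": miss_ms / misses if misses else None,
        "evictions": evictions,
        "findings": findings,
    }

def sample_event(hits, misses, miss_ms, evictions):
    # Constructed sample event, trimmed to the fields used above.
    return {"elasticsearch": {
        "node": {"id": "f5i3v9hMT_q__q6B9WOo5A", "name": "instance-0000000019"},
        "security": {"stats": {"dls": {"cache": {
            "hits": {"count": hits},
            "misses": {"count": misses, "time": {"ms": miss_ms}},
            "evictions": {"count": evictions}}}}}}}

if __name__ == "__main__":
    first = sample_event(8421, 137, 219, 4)       # values from the page's example
    second = sample_event(8521, 537, 1019, 304)   # constructed follow-up scrape
    print(dls_cache_health(first, second))
```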