
[elasticsearch] Add security_stats data stream#19938

Open

ebarlas wants to merge 4 commits into elastic:main from ebarlas:es-security-stats-data-stream

Conversation


@ebarlas ebarlas commented Jul 2, 2026


Proposed commit message

Surface per-node security statistics from the Elasticsearch Security
Stats API (GET /_security/stats, available in ES 9.2+) through Stack
Monitoring. The first metric group is the Document Level Security
(DLS) bitset cache: entries, memory, hits, misses, evictions, and
hit/miss latency.

The data stream mirrors the existing X-Pack per-node metrics streams
(ccr, enrich): identical base-fields, ecs, and agent stream config,
plus the same manifest shape. The field schema and sample event are
transcribed from the merged Metricbeat security_stats metricset
(elastic/beats#50674), which the agent runs to collect the data.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices (N/A: no dashboards in this PR)

Author's Checklist

  • Confirm the package version bump (1.22.0) is correct relative to the concurrently landed querylog data stream (1.21.0/1.21.1).
  • Confirm CI runs the security_stats system test on a stack whose agent contains the metricset (9.3.5+/9.4.2+/9.5.0+). On older agents the system test will collect zero documents and fail, so a version guard may be needed.
  • Confirm whether the changelog and docs should spell out the Agent 9.3.5+/9.4.2+ collection floor in addition to the ES 9.2 endpoint floor.

How to test this PR locally

This data stream requires an Elastic Agent build that contains the security_stats metricset (9.3.5+, 9.4.2+, or 9.5.0+). Older agents will collect nothing.

# from the repo root
elastic-package stack up -d --version 9.5.0-SNAPSHOT

cd packages/elasticsearch
elastic-package check
elastic-package test system --data-streams security_stats -v

elastic-package stack down

A bare, security-enabled cluster reports the DLS bitset cache block with zero-valued counters, so the system test collects and validates documents without any DLS role/query fixture. This PR was validated with elastic-package check and a passing elastic-package test system on a 9.5.0-SNAPSHOT stack.

Related issues

Screenshots

N/A. This PR adds a data stream and its field schema only; no dashboards or configuration UI changes are included.
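The Author's Checklist asks whether the system test needs a version guard, because the metricset only ships in Elastic Agent 9.3.5+, 9.4.2+ and 9.5.0+ while the endpoint itself needs Elasticsearch 9.2+. The following is an added example, not code from this PR or from the elastic/integrations package: it encodes those per-branch floors and turns a "zero documents collected" result into a verdict that distinguishes an expected skip from a real failure. The treatment of 9.6+ and later majors as carrying the metricset is an assumption drawn from the "9.5.0+" wording; the ES floor and the three agent floors are taken from the PR text.

```python
"""Version guard for the security_stats system test.

Added example (not part of this PR or the elastic/integrations package).
Floors come from the PR description: the security_stats metricset ships in
Elastic Agent 9.3.5+, 9.4.2+ and 9.5.0+; GET /_security/stats needs ES 9.2+.
"""
from __future__ import annotations

# Branch-specific floors: lowest patch of a 9.x minor that has the metricset.
AGENT_FLOORS = {(9, 3): (9, 3, 5), (9, 4): (9, 4, 2)}
# Every other branch at or above this version is assumed to carry it
# (assumption: "9.5.0+" read as "9.5.0 and everything after it").
AGENT_GENERAL_FLOOR = (9, 5, 0)
ES_ENDPOINT_FLOOR = (9, 2, 0)


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch', ignoring -SNAPSHOT style suffixes.

    '9.5.0-SNAPSHOT' -> (9, 5, 0). Anything else raises ValueError so a
    malformed version string never silently passes the guard.
    """
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def agent_has_metricset(agent_version: str) -> bool:
    """True when the agent build contains the security_stats metricset."""
    major, minor, patch = parse_version(agent_version)
    branch_floor = AGENT_FLOORS.get((major, minor))
    if branch_floor is not None:
        # 9.3.x and 9.4.x: compare against the backport patch level.
        return (major, minor, patch) >= branch_floor
    # 9.2.x and older fall below 9.5.0; 9.5+ and later majors are at or above.
    return (major, minor, patch) >= AGENT_GENERAL_FLOOR


def es_has_endpoint(es_version: str) -> bool:
    """True when Elasticsearch exposes GET /_security/stats."""
    return parse_version(es_version) >= ES_ENDPOINT_FLOOR


def classify_system_test(agent_version: str, es_version: str,
                         docs_collected: int) -> str:
    """Verdict for one security_stats system-test run.

    A zero-document result is only a failure when both the endpoint and the
    metricset are present; otherwise the stack cannot produce data and the
    test should be skipped rather than reported as broken.
    """
    if not es_has_endpoint(es_version):
        return "skip: GET /_security/stats needs Elasticsearch 9.2+"
    if not agent_has_metricset(agent_version):
        return "skip: agent build lacks the security_stats metricset"
    if docs_collected == 0:
        return "fail: stack can collect, but zero documents arrived"
    return "pass"


if __name__ == "__main__":
    # The minimum supported stack in package CI versus the stack this PR
    # was validated on (both version strings taken from the PR text).
    for agent, es, docs in [("8.10.1", "8.10.1", 0),
                            ("9.5.0-SNAPSHOT", "9.5.0-SNAPSHOT", 0),
                            ("9.5.0-SNAPSHOT", "9.5.0-SNAPSHOT", 12)]:
        print(f"agent={agent} es={es} docs={docs}: "
              f"{classify_system_test(agent, es, docs)}")
```

Run before `elastic-package test system --data-streams security_stats`: if the verdict for the stack under test is a skip, the zero-document result the PR describes is expected and the test should be gated, not treated as a regression.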

ebarlas added 2 commits July 2, 2026 12:15
Surface per-node security statistics from the Elasticsearch Security
Stats API (GET /_security/stats, available in ES 9.2+) through Stack
Monitoring. The first metric group is the Document Level Security
(DLS) bitset cache: entries, memory, hits, misses, evictions, and
hit/miss latency.

The data stream mirrors the existing X-Pack per-node metrics streams
(ccr, enrich): identical base-fields, ecs, and agent stream config,
plus the same manifest shape. The field schema and sample event are
transcribed from the merged Metricbeat security_stats metricset
(elastic/beats#50674), which the agent runs to collect the data.
…tream

# Conflicts:
#	packages/elasticsearch/changelog.yml
#	packages/elasticsearch/elasticsearch/transform/index_pivot/transform.yml
#	packages/elasticsearch/manifest.yml
@ebarlas ebarlas requested a review from a team as a code owner July 2, 2026 19:39

github-actions Bot commented Jul 2, 2026


✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

andrewkroh added labels documentation, Integration:elasticsearch and Team:Stack Monitoring on Jul 2, 2026

@pickypg pickypg left a comment


LGTM with simple suggestions to make testing easier and perhaps a little lighter and more predictable.

# own deploy version instead of using the package-level 8.5.0 service.
image: "docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION:-9.2.0-SNAPSHOT}"
environment:
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"

pickypg (Member) commented on the lines above:

Do we need 1g instead of 512m?

ebarlas (Author) replied:

Tested with 512m and applied the change in commit aea224c.

ebarlas and others added 2 commits July 2, 2026 15:28
…docker/docker-compose.yml

Co-authored-by: Chris Earle <pickypg@users.noreply.github.com>
Reduce the deploy service heap from 1g to 512m (verified sufficient
for a single-node 9.2.0 cluster to boot and serve /_security/stats),
per review suggestion.

Skip the security_stats system test with a documented reason: the
metricset requires Elastic Agent 9.3.5+/9.4.2+/9.5.0+, but package CI
runs the minimum supported stack (8.10.1) where the metricset is
absent, so the test collects zero documents and fails.

Reword the docs "hit/miss behavior" to "cache efficiency" to satisfy
the Elastic docs Vale style check.

✅ All changelog entries have the correct PR link.


🚀 Benchmarks report

Package elasticsearch 👍(2) 💚(3) 💔(1)

Data stream Previous EPS New EPS Diff (%) Result
server 5988.02 3773.58 -2214.44 (-36.98%) 💔

To see the full report, comment with /test benchmark fullreport


💚 Build Succeeded



Development

Successfully merging this pull request may close these issues.

[elasticsearch] Add security_stats data stream (DLS bitset cache, ES 9.2+)

3 participants