diff --git a/src/main/java/org/elasticsearch/shield/SecurityFilter.java b/src/main/java/org/elasticsearch/shield/SecurityFilter.java
index a0bccfa3601..685eb10a884 100644
--- a/src/main/java/org/elasticsearch/shield/SecurityFilter.java
+++ b/src/main/java/org/elasticsearch/shield/SecurityFilter.java
@@ -59,6 +59,7 @@ public class SecurityFilter extends AbstractComponent {
         AuthenticationToken token = authcService.token(action, request, defaultToken);
         User user = authcService.authenticate(action, request, token);
+        authzService.authorize(user, action, request);
         return user;
     }
diff --git a/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java b/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
index 01ed547fec4..45b55b735ef 100644
--- a/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
+++ b/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
@@ -62,6 +62,11 @@ public class InternalAuthenticationService extends AbstractComponent implements
         for (Realm realm : realms) {
             token = realm.token(message);
             if (token != null) {
+
+                if (logger.isTraceEnabled()) {
+                    logger.trace("Realm [{}] resolved auth token [{}] from transport request with action [{}]", realm.type(), token.principal(), action);
+                }
+
                 message.putInContext(TOKEN_CTX_KEY, token);
                 return token;
             }
diff --git a/src/main/java/org/elasticsearch/shield/authz/Privilege.java b/src/main/java/org/elasticsearch/shield/authz/Privilege.java
index 821a93fb333..45d0d463eaf 100644
--- a/src/main/java/org/elasticsearch/shield/authz/Privilege.java
+++ b/src/main/java/org/elasticsearch/shield/authz/Privilege.java
@@ -76,7 +76,9 @@ public abstract class Privilege
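Review bot: The added `authzService.authorize(user, action, request);` only protects the request if `authorize` throws on denial, because `return user;` on the next line hands the authenticated user back unconditionally; an authz implementation that signalled denial through a return value would be silently ignored here. I would pin that contract on the added line, `// authorize() must throw on denial: the user is returned to the caller unconditionally below`, and back it with a test that a denied action never reaches the caller. The enclosing method starts outside the hunk, so I could not see whether `authenticate` can hand back a null or anonymous user; if it can, `authorize` has to reject that case explicitly rather than rely on the caller.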
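Review bot: The new trace line in `InternalAuthenticationService` writes `token.principal()` to the log; that is only safe while `principal()` carries the identity and never the secret half of the token, and `AuthenticationToken` is not shown in this hunk, so that assumption is worth stating on the added line, e.g. `// log the principal only; never the token's credential`, so a future token type does not put a secret into trace output. The two empty added lines wrapping the `if (logger.isTraceEnabled())` block inside `if (token != null) {` do not match the surrounding layout and I would drop them. The loop body is cut off at the bottom of the hunk, so I have not checked what happens after the `for` when no realm resolves a token.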

> {
     public static class System extends Privilege {
         protected static final Predicate PREDICATE = new AutomatonPredicate(patterns(
-                "internal:*"
+                "internal:*",
+                "indices:monitor/*", // added for marvel
+                "cluster:monitor/*" // added for marvel
         ));
         private System() {
diff --git a/src/test/java/org/elasticsearch/shield/authz/PrivilegeTests.java b/src/test/java/org/elasticsearch/shield/authz/PrivilegeTests.java
index 2b70ef0fa91..339d9ba3b45 100644
--- a/src/test/java/org/elasticsearch/shield/authz/PrivilegeTests.java
+++ b/src/test/java/org/elasticsearch/shield/authz/PrivilegeTests.java
@@ -7,6 +7,7 @@ package org.elasticsearch.shield.authz;
 import com.carrotsearch.randomizedtesting.annotations.Repeat;
 import org.elasticsearch.ElasticsearchIllegalArgumentException;
+import org.elasticsearch.common.base.Predicate;
 import org.elasticsearch.shield.support.AutomatonPredicate;
 import org.elasticsearch.shield.support.Automatons;
 import org.elasticsearch.test.ElasticsearchTestCase;
@@ -147,4 +148,14 @@ public class PrivilegeTests extends ElasticsearchTestCase {
         }
     }
+    @Test
+    public void testSystem() throws Exception {
+        Predicate predicate = Privilege.SYSTEM.predicate();
+        assertThat(predicate.apply("indices:monitor/whatever"), is(true));
+        assertThat(predicate.apply("cluster:monitor/whatever"), is(true));
+        assertThat(predicate.apply("internal:whatever"), is(true));
+        assertThat(predicate.apply("indices:whatever"), is(false));
+        assertThat(predicate.apply("cluster:whatever"), is(false));
+        assertThat(predicate.apply("whatever"), is(false));
+    }
 }
diff --git a/src/test/java/org/elasticsearch/shield/authz/SystemRoleTests.java b/src/test/java/org/elasticsearch/shield/authz/SystemRoleTests.java
new file mode 100644
index 00000000000..fcc6673d569
--- /dev/null
+++ b/src/test/java/org/elasticsearch/shield/authz/SystemRoleTests.java
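Review bot: `"indices:monitor/*"` and `"cluster:monitor/*"` are open-ended prefix grants, so every action now or later registered under those prefixes is allowed to the `System` privilege, not only what Marvel needs today; the `// added for marvel` comments record who asked but not that the widening is intentional or what bounds it. I would replace them with a comment that states the assumption the grant rests on, e.g. `// prefix-wide: any action under indices:monitor/ or cluster:monitor/ is allowed (needed by marvel); keep these prefixes read-only`. The class header is outside the hunk and its generics look stripped in this rendering, so I could not see whether `SYSTEM` is used by anything other than the internal system user.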
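Review bot: `testSystem` in `PrivilegeTests` covers the positive cases and a few unrelated negatives, but no input sits on the boundary of the new patterns, so it would still pass if `patterns()` treated `indices:monitor/*` as a bare `indices:monitor*` prefix. Adding `assertThat(predicate.apply("indices:monitor"), is(false));` and `assertThat(predicate.apply("cluster:monitoring/whatever"), is(false));` pins the slash as part of the grant, assuming `patterns()` maps `*` to a plain wildcard, which I cannot confirm from this diff.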
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.shield.authz;
+
+import org.elasticsearch.test.ElasticsearchTestCase;
+import org.junit.Test;
+
+import static org.hamcrest.Matchers.*;
+
+/**
+ *
+ */
+public class SystemRoleTests extends ElasticsearchTestCase {
+
+    @Test
+    public void testCheck() throws Exception {
+        assertThat(SystemRole.INSTANCE.check("indices:monitor/whatever"), is(true));
+        assertThat(SystemRole.INSTANCE.check("cluster:monitor/whatever"), is(true));
+        assertThat(SystemRole.INSTANCE.check("internal:whatever"), is(true));
+        assertThat(SystemRole.INSTANCE.check("indices:whatever"), is(false));
+        assertThat(SystemRole.INSTANCE.check("cluster:whatever"), is(false));
+        assertThat(SystemRole.INSTANCE.check("whatever"), is(false));
+    }
+}
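Review bot: The class-level Javadoc added above `SystemRoleTests` is empty (`/**`, a bare ` *`, `*/`), which is noise rather than documentation; either drop it or say what the test pins, e.g. `/** Pins which action names {@link SystemRole#check(String)} accepts for the built-in system role. */`. The six inputs in `testCheck` are the same as in `PrivilegeTests.testSystem`, so both tests have to move together whenever the system privilege patterns change; a one-line comment naming the sibling test would save the next maintainer the search.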