diff --git a/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/KeyPairGeneratorTool.java b/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/KeyPairGeneratorTool.java
index f4ba4af817a..0e31670f864 100644
--- a/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/KeyPairGeneratorTool.java
+++ b/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/KeyPairGeneratorTool.java
@@ -10,7 +10,7 @@ import joptsimple.OptionSpec;
 import org.elasticsearch.cli.Command;
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.Terminal;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.io.PathUtils;
 
@@ -54,9 +54,9 @@ public class KeyPairGeneratorTool extends Command {
         Path publicKeyPath = parsePath(publicKeyPathOption.value(options));
         Path privateKeyPath = parsePath(privateKeyPathOption.value(options));
         if (Files.exists(privateKeyPath)) {
-            throw new UserError(ExitCodes.USAGE, privateKeyPath + " already exists");
+            throw new UserException(ExitCodes.USAGE, privateKeyPath + " already exists");
         } else if (Files.exists(publicKeyPath)) {
-            throw new UserError(ExitCodes.USAGE, publicKeyPath + " already exists");
+            throw new UserException(ExitCodes.USAGE, publicKeyPath + " already exists");
         }
 
         SecureRandom random = new SecureRandom();
diff --git a/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/LicenseGeneratorTool.java b/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/LicenseGeneratorTool.java
index 44ae2c474d4..feaa4dc3a74 100644
--- a/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/LicenseGeneratorTool.java
+++ b/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/LicenseGeneratorTool.java
@@ -12,7 +12,7 @@ import joptsimple.OptionSet;
 import joptsimple.OptionSpec;
 import org.elasticsearch.cli.Command;
 import org.elasticsearch.cli.ExitCodes;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.cli.Terminal;
 import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.io.PathUtils;
@@ -62,9 +62,9 @@ public class LicenseGeneratorTool extends Command {
         Path publicKeyPath = parsePath(publicKeyPathOption.value(options));
         Path privateKeyPath = parsePath(privateKeyPathOption.value(options));
         if (Files.exists(privateKeyPath) == false) {
-            throw new UserError(ExitCodes.USAGE, privateKeyPath + " does not exist");
+            throw new UserException(ExitCodes.USAGE, privateKeyPath + " does not exist");
         } else if (Files.exists(publicKeyPath) == false) {
-            throw new UserError(ExitCodes.USAGE, publicKeyPath + " does not exist");
+            throw new UserException(ExitCodes.USAGE, publicKeyPath + " does not exist");
         }
 
         final License licenseSpec;
@@ -73,11 +73,11 @@ public class LicenseGeneratorTool extends Command {
         } else if (options.has(licenseFileOption)) {
             Path licenseSpecPath = parsePath(licenseFileOption.value(options));
             if (Files.exists(licenseSpecPath) == false) {
-                throw new UserError(ExitCodes.USAGE, licenseSpecPath + " does not exist");
+                throw new UserException(ExitCodes.USAGE, licenseSpecPath + " does not exist");
             }
             licenseSpec = License.fromSource(Files.readAllBytes(licenseSpecPath));
         } else {
-            throw new UserError(ExitCodes.USAGE, "Must specify either --license or --licenseFile");
+            throw new UserException(ExitCodes.USAGE, "Must specify either --license or --licenseFile");
         }
 
         // sign
diff --git a/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/LicenseVerificationTool.java b/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/LicenseVerificationTool.java
index cd978178d7e..9a6d67bceef 100644
--- a/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/LicenseVerificationTool.java
+++ b/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/tools/LicenseVerificationTool.java
@@ -12,7 +12,7 @@ import joptsimple.OptionSet;
 import joptsimple.OptionSpec;
 import org.elasticsearch.cli.Command;
 import org.elasticsearch.cli.ExitCodes;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.cli.Terminal;
 import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.io.PathUtils;
@@ -49,7 +49,7 @@ public class LicenseVerificationTool extends Command {
     protected void execute(Terminal terminal, OptionSet options) throws Exception {
         Path publicKeyPath = parsePath(publicKeyPathOption.value(options));
         if (Files.exists(publicKeyPath) == false) {
-            throw new UserError(ExitCodes.USAGE, publicKeyPath + " does not exist");
+            throw new UserException(ExitCodes.USAGE, publicKeyPath + " does not exist");
         }
 
         final License licenseSpec;
@@ -58,16 +58,16 @@ public class LicenseVerificationTool extends Command {
         } else if (options.has(licenseFileOption)) {
             Path licenseSpecPath = parsePath(licenseFileOption.value(options));
             if (Files.exists(licenseSpecPath) == false) {
-                throw new UserError(ExitCodes.USAGE, licenseSpecPath + " does not exist");
+                throw new UserException(ExitCodes.USAGE, licenseSpecPath + " does not exist");
             }
             licenseSpec = License.fromSource(Files.readAllBytes(licenseSpecPath));
         } else {
-            throw new UserError(ExitCodes.USAGE, "Must specify either --license or --licenseFile");
+            throw new UserException(ExitCodes.USAGE, "Must specify either --license or --licenseFile");
         }
 
         // verify
         if (LicenseVerifier.verifyLicense(licenseSpec, Files.readAllBytes(publicKeyPath)) == false) {
-            throw new UserError(ExitCodes.DATA_ERROR, "Invalid License!");
+            throw new UserException(ExitCodes.DATA_ERROR, "Invalid License!");
         }
         XContentBuilder builder = XContentFactory.contentBuilder(XContentType.JSON);
         builder.startObject();
diff --git a/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/KeyPairGenerationToolTests.java b/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/KeyPairGenerationToolTests.java
index 024c53ac3de..35e70e8d756 100644
--- a/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/KeyPairGenerationToolTests.java
+++ b/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/KeyPairGenerationToolTests.java
@@ -11,9 +11,7 @@ import java.nio.file.Path;
 import org.elasticsearch.cli.Command;
 import org.elasticsearch.cli.CommandTestCase;
 import org.elasticsearch.cli.ExitCodes;
-import org.elasticsearch.cli.UserError;
-import org.elasticsearch.cli.Terminal;
-import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.cli.UserException;
 
 import static org.hamcrest.CoreMatchers.containsString;
 
@@ -27,12 +25,12 @@ public class KeyPairGenerationToolTests extends CommandTestCase {
     public void testMissingKeyPaths() throws Exception {
         Path exists = createTempFile("", "existing");
         Path dne = createTempDir().resolve("dne");
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("--publicKeyPath", exists.toString(), "--privateKeyPath", dne.toString());
         });
         assertThat(e.getMessage(), containsString("existing"));
         assertEquals(ExitCodes.USAGE, e.exitCode);
-        e = expectThrows(UserError.class, () -> {
+        e = expectThrows(UserException.class, () -> {
             execute("--publicKeyPath", dne.toString(), "--privateKeyPath", exists.toString());
         });
         assertThat(e.getMessage(), containsString("existing"));
diff --git a/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/LicenseGenerationToolTests.java b/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/LicenseGenerationToolTests.java
index 77b143400f4..e75e1509887 100644
--- a/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/LicenseGenerationToolTests.java
+++ b/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/LicenseGenerationToolTests.java
@@ -12,12 +12,9 @@ import java.nio.file.Path;
 import org.elasticsearch.cli.Command;
 import org.elasticsearch.cli.CommandTestCase;
 import org.elasticsearch.cli.ExitCodes;
-import org.elasticsearch.cli.UserError;
-import org.elasticsearch.cli.MockTerminal;
-import org.elasticsearch.cli.Terminal;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.license.core.License;
 import org.elasticsearch.license.licensor.TestUtils;
-import org.elasticsearch.test.ESTestCase;
 import org.junit.Before;
 
 public class LicenseGenerationToolTests extends CommandTestCase {
@@ -38,14 +35,14 @@ public class LicenseGenerationToolTests extends CommandTestCase {
     public void testMissingKeyPaths() throws Exception {
         Path pub = createTempDir().resolve("pub");
         Path pri = createTempDir().resolve("pri");
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("--publicKeyPath", pub.toString(), "--privateKeyPath", pri.toString());
         });
         assertTrue(e.getMessage(), e.getMessage().contains("pri does not exist"));
         assertEquals(ExitCodes.USAGE, e.exitCode);
 
         Files.createFile(pri);
-        e = expectThrows(UserError.class, () -> {
+        e = expectThrows(UserException.class, () -> {
             execute("--publicKeyPath", pub.toString(), "--privateKeyPath", pri.toString());
         });
         assertTrue(e.getMessage(), e.getMessage().contains("pub does not exist"));
@@ -53,7 +50,7 @@ public class LicenseGenerationToolTests extends CommandTestCase {
     }
 
     public void testMissingLicenseSpec() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("--publicKeyPath", pubKeyPath.toString(), "--privateKeyPath", priKeyPath.toString());
         });
         assertTrue(e.getMessage(), e.getMessage().contains("Must specify either --license or --licenseFile"));
diff --git a/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/LicenseVerificationToolTests.java b/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/LicenseVerificationToolTests.java
index 5f91d9dbddc..f35dfa84de1 100644
--- a/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/LicenseVerificationToolTests.java
+++ b/elasticsearch/license/licensor/src/test/java/org/elasticsearch/license/licensor/tools/LicenseVerificationToolTests.java
@@ -12,7 +12,7 @@ import java.nio.file.Path;
 import org.elasticsearch.cli.Command;
 import org.elasticsearch.cli.CommandTestCase;
 import org.elasticsearch.cli.ExitCodes;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.license.core.License;
 import org.elasticsearch.license.licensor.TestUtils;
@@ -36,7 +36,7 @@ public class LicenseVerificationToolTests extends CommandTestCase {
 
     public void testMissingKeyPath() throws Exception {
         Path pub = createTempDir().resolve("pub");
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("--publicKeyPath", pub.toString());
         });
         assertTrue(e.getMessage(), e.getMessage().contains("pub does not exist"));
@@ -44,7 +44,7 @@ public class LicenseVerificationToolTests extends CommandTestCase {
     }
 
     public void testMissingLicenseSpec() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("--publicKeyPath", pubKeyPath.toString());
         });
         assertTrue(e.getMessage(), e.getMessage().contains("Must specify either --license or --licenseFile"));
@@ -56,7 +56,7 @@ public class LicenseVerificationToolTests extends CommandTestCase {
         License tamperedLicense = License.builder()
             .fromLicenseSpec(signedLicense, signedLicense.signature())
             .expiryDate(signedLicense.expiryDate() + randomIntBetween(1, 1000)).build();
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("--publicKeyPath", pubKeyPath.toString(),
                     "--license", TestUtils.dumpLicense(tamperedLicense));
         });
diff --git a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionTests.java b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionTests.java
index 9c3679edc47..c42416b6cc3 100644
--- a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionTests.java
+++ b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionTests.java
@@ -14,18 +14,18 @@ import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentFactory;
 import org.elasticsearch.common.xcontent.XContentParser;
 import org.elasticsearch.script.GeneralScriptException;
+import org.elasticsearch.script.ScriptException;
 import org.elasticsearch.script.ScriptService.ScriptType;
 import org.elasticsearch.search.internal.InternalSearchResponse;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
-import org.elasticsearch.xpack.watcher.condition.Condition;
+import org.elasticsearch.xpack.common.ScriptServiceProxy;
 import org.elasticsearch.xpack.watcher.condition.script.ExecutableScriptCondition;
 import org.elasticsearch.xpack.watcher.condition.script.ScriptCondition;
 import org.elasticsearch.xpack.watcher.condition.script.ScriptConditionFactory;
 import org.elasticsearch.xpack.watcher.execution.WatchExecutionContext;
 import org.elasticsearch.xpack.watcher.support.Script;
-import org.elasticsearch.xpack.common.ScriptServiceProxy;
 import org.elasticsearch.xpack.watcher.watch.Payload;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
@@ -41,12 +41,10 @@ import static org.elasticsearch.xpack.watcher.support.Exceptions.illegalArgument
 import static org.elasticsearch.xpack.watcher.test.WatcherTestUtils.mockExecutionContext;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.notNullValue;
 
-/**
- */
 public class ScriptConditionTests extends ESTestCase {
-    ThreadPool tp = null;
+
+    private ThreadPool tp = null;
     
     @Before
     public void init() {
@@ -54,8 +52,8 @@ public class ScriptConditionTests extends ESTestCase {
     }
 
     @After
-    public void cleanup() {
-        tp.shutdownNow();
+    public void cleanup() throws InterruptedException {
+        terminate(tp);
     }
 
     public void testExecute() throws Exception {
@@ -136,13 +134,8 @@ public class ScriptConditionTests extends ESTestCase {
         XContentParser parser = XContentFactory.xContent(builder.bytes()).createParser(builder.bytes());
         parser.nextToken();
         ScriptCondition scriptCondition = conditionParser.parseCondition("_watch", parser);
-        try {
-            conditionParser.createExecutable(scriptCondition);
-            fail("expected a condition validation exception trying to create an executable with a bad or missing script");
-        } catch (GeneralScriptException e) {
-            // TODO add these when the test if fixed
-            // assertThat(e.getMessage(), is("ASDF"));
-        }
+        GeneralScriptException exception = expectThrows(GeneralScriptException.class,
+                () -> conditionParser.createExecutable(scriptCondition));
     }
 
     public void testScriptConditionParser_badLang() throws Exception {
@@ -153,39 +146,30 @@ public class ScriptConditionTests extends ESTestCase {
         XContentParser parser = XContentFactory.xContent(builder.bytes()).createParser(builder.bytes());
         parser.nextToken();
         ScriptCondition scriptCondition = conditionParser.parseCondition("_watch", parser);
-        try {
-            conditionParser.createExecutable(scriptCondition);
-            fail("expected a condition validation exception trying to create an executable with an invalid language");
-        } catch (GeneralScriptException e) {
-            // TODO add these when the test if fixed
-            // assertThat(e.getMessage(), is("ASDF"));
-        }
+        GeneralScriptException exception = expectThrows(GeneralScriptException.class,
+                () -> conditionParser.createExecutable(scriptCondition));
+        assertThat(exception.getMessage(), containsString("script_lang not supported [not_a_valid_lang]]"));
     }
 
     public void testScriptConditionThrowException() throws Exception {
         ScriptServiceProxy scriptService = getScriptServiceProxy(tp);
         ExecutableScriptCondition condition = new ExecutableScriptCondition(
-                new ScriptCondition(Script.inline("assert false").build()), logger, scriptService);
+                new ScriptCondition(Script.inline("null.foo").build()), logger, scriptService);
         SearchResponse response = new SearchResponse(InternalSearchResponse.empty(), "", 3, 3, 500L, new ShardSearchFailure[0]);
         WatchExecutionContext ctx = mockExecutionContext("_name", new Payload.XContent(response));
-        ScriptCondition.Result result = condition.execute(ctx);
-        assertThat(result, notNullValue());
-        assertThat(result.status(), is(Condition.Result.Status.FAILURE));
-        assertThat(result.reason(), notNullValue());
-        assertThat(result.reason(), containsString("Assertion"));
+        ScriptException exception = expectThrows(ScriptException.class, () -> condition.execute(ctx));
+        assertThat(exception.getMessage(), containsString("Error evaluating null.foo"));
     }
 
-    public void testScriptConditionReturnObject() throws Exception {
+    public void testScriptConditionReturnObjectThrowsException() throws Exception {
         ScriptServiceProxy scriptService = getScriptServiceProxy(tp);
         ExecutableScriptCondition condition = new ExecutableScriptCondition(
                 new ScriptCondition(Script.inline("return new Object()").build()), logger, scriptService);
         SearchResponse response = new SearchResponse(InternalSearchResponse.empty(), "", 3, 3, 500L, new ShardSearchFailure[0]);
         WatchExecutionContext ctx = mockExecutionContext("_name", new Payload.XContent(response));
-        ScriptCondition.Result result = condition.execute(ctx);
-        assertThat(result, notNullValue());
-        assertThat(result.status(), is(Condition.Result.Status.FAILURE));
-        assertThat(result.reason(), notNullValue());
-        assertThat(result.reason(), containsString("ScriptException"));
+        Exception exception = expectThrows(GeneralScriptException.class, () -> condition.execute(ctx));
+        assertThat(exception.getMessage(),
+                containsString("condition [script] must return a boolean value (true|false) but instead returned [_name]"));
     }
 
     public void testScriptConditionAccessCtx() throws Exception {
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/TransportGraphExploreAction.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/TransportGraphExploreAction.java
index ec4d045ce10..2d58ac38282 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/TransportGraphExploreAction.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/TransportGraphExploreAction.java
@@ -420,7 +420,7 @@ public class TransportGraphExploreAction extends HandledTransportAction<GraphExp
                 // weakest weights.
                 // A priority queue is used to trim vertices according to the size settings
                 // requested for each field.
-                private final void trimNewAdditions(Hop currentHop, ArrayList<Connection> newConnections, ArrayList<Vertex> newVertices) {
+                private void trimNewAdditions(Hop currentHop, ArrayList<Connection> newConnections, ArrayList<Vertex> newVertices) {
                     Set<Vertex> evictions = new HashSet<>();
                     
                     for (int k = 0; k < currentHop.getNumberVertexRequests(); k++) {
@@ -460,7 +460,7 @@ public class TransportGraphExploreAction extends HandledTransportAction<GraphExp
                 // we can do something server-side here
 
                 // Helper method - compute the total signal of all scores in the search results
-                private final double getExpandTotalSignalStrength(Hop lastHop, Hop currentHop, Sampler sample) {
+                private double getExpandTotalSignalStrength(Hop lastHop, Hop currentHop, Sampler sample) {
                     double totalSignalOutput = 0;
                     for (int j = 0; j < lastHop.getNumberVertexRequests(); j++) {
                         VertexRequest lastVr = lastHop.getVertexRequest(j);
@@ -509,7 +509,7 @@ public class TransportGraphExploreAction extends HandledTransportAction<GraphExp
                 }
 
                 @Override
-                public void onFailure(Throwable e) {
+                public void onFailure(Exception e) {
                     listener.onFailure(e);
             }
             });
@@ -688,7 +688,7 @@ public class TransportGraphExploreAction extends HandledTransportAction<GraphExp
                     }
 
                     // Helper method - Provides a total signal strength for all terms connected to the initial query
-                    private final double getInitialTotalSignalStrength(Hop rootHop, Sampler sample) {
+                    private double getInitialTotalSignalStrength(Hop rootHop, Sampler sample) {
                         double totalSignalStrength = 0;
                         for (int i = 0; i < rootHop.getNumberVertexRequests(); i++) {
                             if (request.useSignificance()) {
@@ -711,13 +711,13 @@ public class TransportGraphExploreAction extends HandledTransportAction<GraphExp
                     }
 
                     @Override
-                    public void onFailure(Throwable e) {
+                    public void onFailure(Exception e) {
                         listener.onFailure(e);
                     }
                 });
-            } catch (Throwable t) {
-                logger.error("unable to execute the graph query", t);
-                listener.onFailure(t);
+            } catch (Exception e) {
+                logger.error("unable to execute the graph query", e);
+                listener.onFailure(e);
             }
         }
 
diff --git a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java
index a4ad8cdb434..5156a1b6eeb 100644
--- a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java
+++ b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java
@@ -270,11 +270,10 @@ public class GraphTests extends ESSingleNodeTestCase {
         try {
             GraphExploreResponse response = grb.get();
             if (response.getShardFailures().length > 0) {
-                throw ((ShardSearchFailure) response.getShardFailures()[0]).getCause();
+                expectedError = response.getShardFailures()[0].getCause();
             }
-        } catch (Throwable rte) {
+        } catch (Exception rte) {
             expectedError = rte;
-
         }
         assertNotNull(expectedError);
         String message = expectedError.toString();
diff --git a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/delete/TransportDeleteLicenseAction.java b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/delete/TransportDeleteLicenseAction.java
index d3b27d58012..f36a6b3f5e4 100644
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/delete/TransportDeleteLicenseAction.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/delete/TransportDeleteLicenseAction.java
@@ -59,7 +59,7 @@ public class TransportDeleteLicenseAction extends TransportMasterNodeAction<Dele
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 listener.onFailure(e);
             }
         });
diff --git a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/put/TransportPutLicenseAction.java b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/put/TransportPutLicenseAction.java
index 2a1063c446a..bbcb0becce8 100644
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/put/TransportPutLicenseAction.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/put/TransportPutLicenseAction.java
@@ -61,7 +61,7 @@ public class TransportPutLicenseAction extends TransportMasterNodeAction<PutLice
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 listener.onFailure(e);
             }
         });
diff --git a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesService.java b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesService.java
index d098094644e..52c1e50b2c8 100644
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesService.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesService.java
@@ -427,8 +427,8 @@ public class LicensesService extends AbstractLifecycleComponent implements Clust
             }
 
             @Override
-            public void onFailure(String source, @Nullable Throwable t) {
-                logger.error("unexpected failure during [{}]", t, source);
+            public void onFailure(String source, @Nullable Exception e) {
+                logger.error("unexpected failure during [{}]", e, source);
             }
 
         });
diff --git a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java
index 76b6f8055dd..c2248c739b5 100644
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java
@@ -88,8 +88,8 @@ public abstract class AbstractLicensesIntegrationTestCase extends ESIntegTestCas
             }
 
             @Override
-            public void onFailure(String source, @Nullable Throwable t) {
-                logger.error("error on metaData cleanup after test", t);
+            public void onFailure(String source, @Nullable Exception e) {
+                logger.error("error on metaData cleanup after test", e);
             }
         });
         latch.await();
diff --git a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/TestUtils.java b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/TestUtils.java
index a0dd4f5a0da..e8e1e579bef 100644
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/TestUtils.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/TestUtils.java
@@ -146,7 +146,7 @@ public class TestUtils {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 latch.countDown();
             }
         });
diff --git a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesAcknowledgementTests.java b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesAcknowledgementTests.java
index aa5c9d70486..6bfbb8188ce 100644
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesAcknowledgementTests.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesAcknowledgementTests.java
@@ -157,7 +157,7 @@ public class LicensesAcknowledgementTests extends ESSingleNodeTestCase {
         }
 
         @Override
-        public void onFailure(Throwable throwable) {
+        public void onFailure(Exception throwable) {
             latch.countDown();
         }
     }
diff --git a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesManagerServiceTests.java b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesManagerServiceTests.java
index 9081d75aba2..cab7a9ce79d 100644
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesManagerServiceTests.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesManagerServiceTests.java
@@ -174,7 +174,7 @@ public class LicensesManagerServiceTests extends ESSingleNodeTestCase {
             }
 
             @Override
-            public void onFailure(Throwable throwable) {
+            public void onFailure(Exception throwable) {
                 latch.countDown();
             }
         });
diff --git a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/action/MonitoringBulkResponse.java b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/action/MonitoringBulkResponse.java
index cd3ca7e9275..88b422e109d 100644
--- a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/action/MonitoringBulkResponse.java
+++ b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/action/MonitoringBulkResponse.java
@@ -84,12 +84,12 @@ public class MonitoringBulkResponse extends ActionResponse {
         }
 
         Error(StreamInput in) throws IOException {
-            this(in.<Throwable>readThrowable());
+            this(in.readException());
         }
 
         @Override
         public void writeTo(StreamOutput out) throws IOException {
-            out.writeThrowable(getCause());
+            out.writeException(getCause());
         }
 
         /**
diff --git a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/action/TransportMonitoringBulkAction.java b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/action/TransportMonitoringBulkAction.java
index 6c0a83b8a3e..66acc6d28f6 100644
--- a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/action/TransportMonitoringBulkAction.java
+++ b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/action/TransportMonitoringBulkAction.java
@@ -114,8 +114,8 @@ public class TransportMonitoringBulkAction extends HandledTransportAction<Monito
                 }
 
                 @Override
-                public void onFailure(Throwable t) {
-                    listener.onResponse(new MonitoringBulkResponse(buildTookInMillis(startTimeNanos), new MonitoringBulkResponse.Error(t)));
+                public void onFailure(Exception e) {
+                    listener.onResponse(new MonitoringBulkResponse(buildTookInMillis(startTimeNanos), new MonitoringBulkResponse.Error(e)));
                 }
             });
         }
diff --git a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/AgentService.java b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/AgentService.java
index cb0389684b4..37cfd5617fa 100644
--- a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/AgentService.java
+++ b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/AgentService.java
@@ -204,8 +204,8 @@ public class AgentService extends AbstractLifecycleComponent {
                 } catch (InterruptedException e) {
                     logger.trace("interrupted");
                     Thread.currentThread().interrupt();
-                } catch (Throwable t) {
-                    logger.error("background thread had an uncaught exception", t);
+                } catch (Exception e) {
+                    logger.error("background thread had an uncaught exception", e);
                 }
             }
             logger.debug("worker shutdown");
diff --git a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/exporter/http/HttpExporter.java b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/exporter/http/HttpExporter.java
index 4f4027ba65e..e2bb090d295 100644
--- a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/exporter/http/HttpExporter.java
+++ b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/exporter/http/HttpExporter.java
@@ -59,9 +59,6 @@ import java.util.Map;
 import java.util.stream.Collectors;
 import java.util.stream.StreamSupport;
 
-/**
- *
- */
 public class HttpExporter extends Exporter {
 
     public static final String TYPE = "http";
@@ -664,9 +661,9 @@ public class HttpExporter extends Exporter {
                     }
                 } catch (InterruptedException e) {
                     // ignore, if closed, good....
-                } catch (Throwable t) {
+                } catch (Exception e) {
                     logger.debug("error in keep alive thread, shutting down (will be restarted after a successful connection has been " +
-                            "made) {}", ExceptionsHelper.detailedMessage(t));
+                            "made) {}", ExceptionsHelper.detailedMessage(e));
                     return;
                 }
             }
diff --git a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/exporter/local/LocalExporter.java b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/exporter/local/LocalExporter.java
index 99cd651b42f..efc545c3887 100644
--- a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/exporter/local/LocalExporter.java
+++ b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/agent/exporter/local/LocalExporter.java
@@ -211,8 +211,8 @@ public class LocalExporter extends Exporter implements ClusterStateListener, Cle
             }
 
             @Override
-            public void onFailure(Throwable throwable) {
-                logger.error("failed to update monitoring index template [{}]", throwable, template);
+            public void onFailure(Exception e) {
+                logger.error("failed to update monitoring index template [{}]", e, template);
             }
         });
     }
@@ -296,7 +296,7 @@ public class LocalExporter extends Exporter implements ClusterStateListener, Cle
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 logger.error("failed to delete indices", e);
             }
         });
diff --git a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/cleaner/CleanerService.java b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/cleaner/CleanerService.java
index b414cf966ab..524f494900f 100644
--- a/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/cleaner/CleanerService.java
+++ b/elasticsearch/x-pack/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/cleaner/CleanerService.java
@@ -179,8 +179,8 @@ public class CleanerService extends AbstractLifecycleComponent {
             for (Listener listener : listeners) {
                 try {
                     listener.onCleanUpIndices(retention);
-                } catch (Throwable t) {
-                    logger.error("listener failed to clean indices", t);
+                } catch (Exception e) {
+                    logger.error("listener failed to clean indices", e);
                 }
             }
 
@@ -209,8 +209,8 @@ public class CleanerService extends AbstractLifecycleComponent {
         }
 
         @Override
-        public void onFailure(Throwable t) {
-            logger.error("failed to clean indices", t);
+        public void onFailure(Exception e) {
+            logger.error("failed to clean indices", e);
         }
 
         /**
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/action/MonitoringBulkTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/action/MonitoringBulkTests.java
index 3b2046f4eea..46a67d2ab65 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/action/MonitoringBulkTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/action/MonitoringBulkTests.java
@@ -81,9 +81,9 @@ public class MonitoringBulkTests extends MonitoringIntegTestCase {
 
             threads[i] = new Thread(new AbstractRunnable() {
                 @Override
-                public void onFailure(Throwable t) {
-                    logger.error("unexpected error in exporting thread", t);
-                    exceptions.add(t);
+                public void onFailure(Exception e) {
+                    logger.error("unexpected error in exporting thread", e);
+                    exceptions.add(e);
                 }
 
                 @Override
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/action/TransportMonitoringBulkActionTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/action/TransportMonitoringBulkActionTests.java
index c3c8c32b8da..9e58be4aa9b 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/action/TransportMonitoringBulkActionTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/action/TransportMonitoringBulkActionTests.java
@@ -19,7 +19,7 @@ import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.util.concurrent.ConcurrentCollections;
 import org.elasticsearch.discovery.DiscoverySettings;
 import org.elasticsearch.test.ESTestCase;
@@ -90,7 +90,8 @@ public class TransportMonitoringBulkActionTests extends ESTestCase {
         clusterService =  new ClusterService(Settings.builder().put("cluster.name",
                 TransportMonitoringBulkActionTests.class.getName()).build(),
                 new ClusterSettings(Settings.EMPTY, ClusterSettings.BUILT_IN_CLUSTER_SETTINGS), threadPool);
-        clusterService.setLocalNode(new DiscoveryNode("node", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        clusterService.setLocalNode(new DiscoveryNode("node", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(),
+                Version.CURRENT));
         clusterService.setNodeConnectionsService(new NodeConnectionsService(Settings.EMPTY, null, null) {
             @Override
             public void connectToAddedNodes(ClusterChangedEvent event) {
@@ -152,8 +153,8 @@ public class TransportMonitoringBulkActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(String source, Throwable t) {
-                fail("unexpected exception: " + t);
+            public void onFailure(String source, Exception e) {
+                fail("unexpected exception: " + e);
             }
         });
 
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/ExportersTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/ExportersTests.java
index 4751dd7bd83..c9a9563feec 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/ExportersTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/ExportersTests.java
@@ -296,9 +296,9 @@ public class ExportersTests extends ESTestCase {
             logger.debug("--> exporting thread [{}] exports {} documents", threadNum, threadDocs);
             threads[i] = new Thread(new AbstractRunnable() {
                 @Override
-                public void onFailure(Throwable t) {
-                    logger.error("unexpected error in exporting thread", t);
-                    exceptions.add(t);
+                public void onFailure(Exception e) {
+                    logger.error("unexpected error in exporting thread", e);
+                    exceptions.add(e);
                 }
 
                 @Override
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/MonitoringDocTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/MonitoringDocTests.java
index b9f6e99efe4..e7328fc2bed 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/MonitoringDocTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/MonitoringDocTests.java
@@ -9,7 +9,7 @@ import org.elasticsearch.Version;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.common.io.stream.StreamInput;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.test.ESTestCase;
 
 import java.io.IOException;
@@ -130,7 +130,7 @@ public class MonitoringDocTests extends ESTestCase {
             }
         }
         Set<DiscoveryNode.Role> roles = new HashSet<>(randomSubsetOf(Arrays.asList(DiscoveryNode.Role.values())));
-        return new DiscoveryNode(randomAsciiOfLength(5), randomAsciiOfLength(3), randomAsciiOfLength(3), randomAsciiOfLength(3),
-                DummyTransportAddress.INSTANCE, attributes, roles, randomVersion(random()));
+        return new DiscoveryNode(randomAsciiOfLength(5), randomAsciiOfLength(3), LocalTransportAddress.buildUnique(),
+                attributes, roles, randomVersion(random()));
     }
 }
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/http/HttpExporterTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/http/HttpExporterTests.java
index b9ae02f14a8..2e41597501f 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/http/HttpExporterTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/http/HttpExporterTests.java
@@ -22,7 +22,7 @@ import org.elasticsearch.cluster.health.ClusterHealthStatus;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.test.ESIntegTestCase.Scope;
@@ -439,14 +439,14 @@ public class HttpExporterTests extends MonitoringIntegTestCase {
             IndexRecoveryMonitoringDoc doc = new IndexRecoveryMonitoringDoc(MonitoredSystem.ES.getSystem(), Version.CURRENT.toString());
             doc.setClusterUUID(internalCluster().getClusterName());
             doc.setTimestamp(System.currentTimeMillis());
-            doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+            doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
             doc.setRecoveryResponse(new RecoveryResponse());
             return doc;
         } else {
             ClusterStateMonitoringDoc doc = new ClusterStateMonitoringDoc(MonitoredSystem.ES.getSystem(), Version.CURRENT.toString());
             doc.setClusterUUID(internalCluster().getClusterName());
             doc.setTimestamp(System.currentTimeMillis());
-            doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+            doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
             doc.setClusterState(ClusterState.PROTO);
             doc.setStatus(ClusterHealthStatus.GREEN);
             return doc;
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/local/LocalExporterTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/local/LocalExporterTests.java
index b27e0451808..e75abdbec94 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/local/LocalExporterTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/exporter/local/LocalExporterTests.java
@@ -13,7 +13,7 @@ import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.health.ClusterHealthStatus;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.search.SearchHit;
 import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
 import org.elasticsearch.test.ESIntegTestCase.Scope;
@@ -198,14 +198,14 @@ public class LocalExporterTests extends MonitoringIntegTestCase {
             IndexRecoveryMonitoringDoc doc = new IndexRecoveryMonitoringDoc(MonitoredSystem.ES.getSystem(), Version.CURRENT.toString());
             doc.setClusterUUID(internalCluster().getClusterName());
             doc.setTimestamp(System.currentTimeMillis());
-            doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+            doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
             doc.setRecoveryResponse(new RecoveryResponse());
             return doc;
         } else {
             ClusterStateMonitoringDoc doc = new ClusterStateMonitoringDoc(MonitoredSystem.ES.getSystem(), Version.CURRENT.toString());
             doc.setClusterUUID(internalCluster().getClusterName());
             doc.setTimestamp(System.currentTimeMillis());
-            doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+            doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
             doc.setClusterState(ClusterState.PROTO);
             doc.setStatus(ClusterHealthStatus.GREEN);
             return doc;
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/DataResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/DataResolverTests.java
index a32dfd87196..8a7dac4a5dd 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/DataResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/DataResolverTests.java
@@ -7,7 +7,7 @@ package org.elasticsearch.xpack.monitoring.agent.resolver;
 
 import org.elasticsearch.Version;
 import org.elasticsearch.cluster.node.DiscoveryNode;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.xpack.monitoring.agent.exporter.MonitoringDoc;
@@ -31,7 +31,7 @@ public class DataResolverTests extends MonitoringIndexNameResolverTestCase {
         MonitoringDoc doc = new MonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
         return doc;
     }
 
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/TimestampedResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/TimestampedResolverTests.java
index b7c18f7fdc8..ced3cc247cb 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/TimestampedResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/TimestampedResolverTests.java
@@ -8,7 +8,7 @@ package org.elasticsearch.xpack.monitoring.agent.resolver;
 import org.elasticsearch.Version;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.xpack.monitoring.MonitoredSystem;
@@ -40,7 +40,7 @@ public class TimestampedResolverTests extends MonitoringIndexNameResolverTestCas
         MonitoringDoc doc = new MonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode(randomAsciiOfLength(5), DummyTransportAddress.INSTANCE,
+        doc.setSourceNode(new DiscoveryNode(randomAsciiOfLength(5), LocalTransportAddress.buildUnique(),
                 emptyMap(), emptySet(), Version.CURRENT));
         return doc;
     }
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/bulk/MonitoringBulkDataResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/bulk/MonitoringBulkDataResolverTests.java
index 9eef291d194..614ff5f9f0e 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/bulk/MonitoringBulkDataResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/bulk/MonitoringBulkDataResolverTests.java
@@ -8,7 +8,7 @@ package org.elasticsearch.xpack.monitoring.agent.resolver.bulk;
 import org.elasticsearch.Version;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.bytes.BytesArray;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.xpack.monitoring.MonitoredSystem;
 import org.elasticsearch.xpack.monitoring.action.MonitoringBulkDoc;
@@ -39,7 +39,7 @@ public class MonitoringBulkDataResolverTests extends MonitoringIndexNameResolver
 
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
         return doc;
     }
 
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/bulk/MonitoringBulkTimestampedResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/bulk/MonitoringBulkTimestampedResolverTests.java
index 81903776846..34b717e499d 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/bulk/MonitoringBulkTimestampedResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/bulk/MonitoringBulkTimestampedResolverTests.java
@@ -8,7 +8,7 @@ package org.elasticsearch.xpack.monitoring.agent.resolver.bulk;
 import org.elasticsearch.Version;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.bytes.BytesArray;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.xpack.monitoring.MonitoredSystem;
 import org.elasticsearch.xpack.monitoring.action.MonitoringBulkDoc;
@@ -41,7 +41,7 @@ public class MonitoringBulkTimestampedResolverTests
         }
 
         doc.setClusterUUID(randomAsciiOfLength(5));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
         return doc;
     }
 
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterInfoResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterInfoResolverTests.java
index 788a201d9c6..b3554abd45f 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterInfoResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterInfoResolverTests.java
@@ -10,7 +10,7 @@ import org.elasticsearch.action.admin.cluster.stats.ClusterStatsResponse;
 import org.elasticsearch.cluster.ClusterName;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.license.core.License;
@@ -42,7 +42,7 @@ public class ClusterInfoResolverTests extends MonitoringIndexNameResolverTestCas
             ClusterInfoMonitoringDoc doc = new ClusterInfoMonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
             doc.setClusterUUID(randomAsciiOfLength(5));
             doc.setTimestamp(Math.abs(randomLong()));
-            doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+            doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
             doc.setVersion(randomFrom(Version.V_2_0_0, Version.CURRENT).toString());
             doc.setLicense(licenseBuilder.build());
             doc.setClusterName(randomAsciiOfLength(5));
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStateNodeResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStateNodeResolverTests.java
index b714a1bf4a6..66ec854ac6f 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStateNodeResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStateNodeResolverTests.java
@@ -7,7 +7,7 @@ package org.elasticsearch.xpack.monitoring.agent.resolver.cluster;
 
 import org.elasticsearch.Version;
 import org.elasticsearch.cluster.node.DiscoveryNode;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.xpack.monitoring.agent.collector.cluster.ClusterStateNodeMonitoringDoc;
 import org.elasticsearch.xpack.monitoring.agent.exporter.MonitoringTemplateUtils;
@@ -28,7 +28,7 @@ public class ClusterStateNodeResolverTests extends
         ClusterStateNodeMonitoringDoc doc = new ClusterStateNodeMonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
         doc.setNodeId(UUID.randomUUID().toString());
         doc.setStateUUID(UUID.randomUUID().toString());
         return doc;
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStateResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStateResolverTests.java
index b157d72d3d3..62559391561 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStateResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStateResolverTests.java
@@ -11,7 +11,6 @@ import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.health.ClusterHealthStatus;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.node.DiscoveryNodes;
-import org.elasticsearch.common.transport.DummyTransportAddress;
 import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.xpack.monitoring.agent.collector.cluster.ClusterStateMonitoringDoc;
@@ -32,7 +31,7 @@ public class ClusterStateResolverTests extends MonitoringIndexNameResolverTestCa
         ClusterStateMonitoringDoc doc = new ClusterStateMonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
         doc.setStatus(randomFrom(ClusterHealthStatus.values()));
 
         DiscoveryNode masterNode = new DiscoveryNode("master", new LocalTransportAddress("master"),
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStatsResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStatsResolverTests.java
index 8a0be5b73c2..f7099b1053e 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStatsResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/cluster/ClusterStatsResolverTests.java
@@ -21,7 +21,7 @@ import org.elasticsearch.cluster.routing.ShardRouting;
 import org.elasticsearch.cluster.routing.UnassignedInfo;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.BoundTransportAddress;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.common.unit.ByteSizeValue;
 import org.elasticsearch.common.xcontent.XContentType;
@@ -63,7 +63,7 @@ public class ClusterStatsResolverTests extends MonitoringIndexNameResolverTestCa
         ClusterStatsMonitoringDoc doc = new ClusterStatsMonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
         doc.setClusterStats(randomClusterStats());
         return doc;
     }
@@ -94,7 +94,7 @@ public class ClusterStatsResolverTests extends MonitoringIndexNameResolverTestCa
      */
     private ClusterStatsResponse randomClusterStats() {
         List<ClusterStatsNodeResponse> responses = Collections.singletonList(
-                new ClusterStatsNodeResponse(new DiscoveryNode("node_0", DummyTransportAddress.INSTANCE,
+                new ClusterStatsNodeResponse(new DiscoveryNode("node_0", LocalTransportAddress.buildUnique(),
                         emptyMap(), emptySet(), Version.CURRENT),
                         ClusterHealthStatus.GREEN, randomNodeInfo(), randomNodeStats(), randomShardStats())
         );
@@ -106,10 +106,10 @@ public class ClusterStatsResolverTests extends MonitoringIndexNameResolverTestCa
      * @return a random {@link NodeInfo} used to resolve a monitoring document.
      */
     private NodeInfo randomNodeInfo() {
-        BoundTransportAddress transportAddress = new BoundTransportAddress(new TransportAddress[]{DummyTransportAddress.INSTANCE},
-                DummyTransportAddress.INSTANCE);
+        BoundTransportAddress transportAddress = new BoundTransportAddress(new TransportAddress[]{LocalTransportAddress.buildUnique()},
+                LocalTransportAddress.buildUnique());
         return new NodeInfo(Version.CURRENT, org.elasticsearch.Build.CURRENT,
-                new DiscoveryNode("node_0", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT),
+                new DiscoveryNode("node_0", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT),
                 Settings.EMPTY, DummyOsInfo.INSTANCE, new ProcessInfo(randomInt(), randomBoolean()), JvmInfo.jvmInfo(),
                 new ThreadPoolInfo(Collections.singletonList(new ThreadPool.Info("test_threadpool", ThreadPool.ThreadPoolType.FIXED, 5))),
                 new TransportInfo(transportAddress, Collections.emptyMap()), new HttpInfo(transportAddress, randomLong()),
@@ -127,7 +127,7 @@ public class ClusterStatsResolverTests extends MonitoringIndexNameResolverTestCa
         };
         Map<Index, List<IndexShardStats>> statsByShard = new HashMap<>();
         statsByShard.put(index, Collections.singletonList(new IndexShardStats(new ShardId(index, 0), randomShardStats())));
-        return new NodeStats(new DiscoveryNode("node_0", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT), 0,
+        return new NodeStats(new DiscoveryNode("node_0", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT), 0,
                 new NodeIndicesStats(new CommonStats(), statsByShard), null, null, null, null,
                 new FsInfo(0, null, pathInfo), null, null, null, null, null, null);
     }
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndexRecoveryResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndexRecoveryResolverTests.java
index 618c6bd70b3..5d89dec27c6 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndexRecoveryResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndexRecoveryResolverTests.java
@@ -8,7 +8,7 @@ package org.elasticsearch.xpack.monitoring.agent.resolver.indices;
 import org.elasticsearch.Version;
 import org.elasticsearch.action.admin.indices.recovery.RecoveryResponse;
 import org.elasticsearch.cluster.node.DiscoveryNode;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.index.shard.ShardId;
 import org.elasticsearch.indices.recovery.RecoveryState;
@@ -32,9 +32,9 @@ public class IndexRecoveryResolverTests extends MonitoringIndexNameResolverTestC
         IndexRecoveryMonitoringDoc doc = new IndexRecoveryMonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
 
-        DiscoveryNode localNode = new DiscoveryNode("foo", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT);
+        DiscoveryNode localNode = new DiscoveryNode("foo", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT);
         Map<String, java.util.List<RecoveryState>> shardRecoveryStates = new HashMap<>();
         shardRecoveryStates.put("test", Collections.singletonList(new RecoveryState(new ShardId("test", "uuid", 0), true,
                 RecoveryState.Type.STORE, localNode, localNode)));
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndexStatsResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndexStatsResolverTests.java
index f5511ddc811..d3db5a06950 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndexStatsResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndexStatsResolverTests.java
@@ -12,7 +12,7 @@ import org.elasticsearch.action.admin.indices.stats.ShardStats;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.routing.ShardRouting;
 import org.elasticsearch.cluster.routing.UnassignedInfo;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.index.Index;
 import org.elasticsearch.index.cache.query.QueryCacheStats;
@@ -45,7 +45,7 @@ public class IndexStatsResolverTests extends MonitoringIndexNameResolverTestCase
         IndexStatsMonitoringDoc doc = new IndexStatsMonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
         doc.setIndexStats(randomIndexStats());
         return doc;
     }
@@ -58,7 +58,7 @@ public class IndexStatsResolverTests extends MonitoringIndexNameResolverTestCase
     public void testIndexStatsResolver() throws Exception {
         IndexStatsMonitoringDoc doc = newMonitoringDoc();
         doc.setTimestamp(1437580442979L);
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
 
         IndexStatsResolver resolver = newResolver();
         assertThat(resolver.index(doc), equalTo(".monitoring-es-" + MonitoringTemplateUtils.TEMPLATE_VERSION + "-2015.07.22"));
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndicesStatsResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndicesStatsResolverTests.java
index b38dd409db9..ab60058bc34 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndicesStatsResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/indices/IndicesStatsResolverTests.java
@@ -13,7 +13,7 @@ import org.elasticsearch.action.admin.indices.stats.ShardStats;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.routing.ShardRouting;
 import org.elasticsearch.cluster.routing.UnassignedInfo;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.index.Index;
 import org.elasticsearch.index.cache.query.QueryCacheStats;
@@ -49,7 +49,7 @@ public class IndicesStatsResolverTests extends MonitoringIndexNameResolverTestCa
         IndicesStatsMonitoringDoc doc = new IndicesStatsMonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
         doc.setIndicesStats(randomIndicesStats());
         return doc;
     }
@@ -63,7 +63,7 @@ public class IndicesStatsResolverTests extends MonitoringIndexNameResolverTestCa
         IndicesStatsMonitoringDoc doc = newMonitoringDoc();
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(1437580442979L);
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
 
         IndicesStatsResolver resolver = newResolver();
         assertThat(resolver.index(doc), equalTo(".monitoring-es-" + MonitoringTemplateUtils.TEMPLATE_VERSION + "-2015.07.22"));
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/node/DiscoveryNodeResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/node/DiscoveryNodeResolverTests.java
index 41a915d1cc8..49daad6301e 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/node/DiscoveryNodeResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/node/DiscoveryNodeResolverTests.java
@@ -7,7 +7,7 @@ package org.elasticsearch.xpack.monitoring.agent.resolver.node;
 
 import org.elasticsearch.Version;
 import org.elasticsearch.cluster.node.DiscoveryNode;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.test.VersionUtils;
 import org.elasticsearch.xpack.monitoring.agent.collector.cluster.DiscoveryNodeMonitoringDoc;
@@ -28,9 +28,9 @@ public class DiscoveryNodeResolverTests extends MonitoringIndexNameResolverTestC
         DiscoveryNodeMonitoringDoc doc = new DiscoveryNodeMonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
         doc.setNode(new DiscoveryNode(randomAsciiOfLength(3), UUID.randomUUID().toString(),
-                DummyTransportAddress.INSTANCE, emptyMap(), emptySet(),
+                LocalTransportAddress.buildUnique(), emptyMap(), emptySet(),
                 VersionUtils.randomVersionBetween(random(), VersionUtils.getFirstVersion(), Version.CURRENT)));
         return doc;
     }
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/node/NodeStatsResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/node/NodeStatsResolverTests.java
index c7552b42b89..471101f47b1 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/node/NodeStatsResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/node/NodeStatsResolverTests.java
@@ -14,7 +14,7 @@ import org.elasticsearch.action.admin.indices.stats.ShardStats;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.routing.ShardRouting;
 import org.elasticsearch.cluster.routing.UnassignedInfo;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.index.Index;
 import org.elasticsearch.index.cache.query.QueryCacheStats;
@@ -59,7 +59,7 @@ public class NodeStatsResolverTests extends MonitoringIndexNameResolverTestCase<
         NodeStatsMonitoringDoc doc = new NodeStatsMonitoringDoc(randomMonitoringId(), randomAsciiOfLength(2));
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
         doc.setNodeMaster(randomBoolean());
         doc.setNodeId(UUID.randomUUID().toString());
         doc.setDiskThresholdDeciderEnabled(randomBoolean());
@@ -133,7 +133,7 @@ public class NodeStatsResolverTests extends MonitoringIndexNameResolverTestCase<
                 new ThreadPoolStats.Stats(ThreadPool.Names.SEARCH, 0, 0, 0, 0, 0, 0),
                 new ThreadPoolStats.Stats(InternalWatchExecutor.THREAD_POOL_NAME, 0, 0, 0, 0, 0, 0)
         );
-        return new NodeStats(new DiscoveryNode("node_0", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT), 0,
+        return new NodeStats(new DiscoveryNode("node_0", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT), 0,
                 new NodeIndicesStats(new CommonStats(), statsByShard), OsProbe.getInstance().osStats(),
                 ProcessProbe.getInstance().processStats(), JvmStats.jvmStats(),
                 new ThreadPoolStats(threadPoolStats),
diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/shards/ShardsResolverTests.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/shards/ShardsResolverTests.java
index d9aab143d33..086d8c36b7d 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/shards/ShardsResolverTests.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/agent/resolver/shards/ShardsResolverTests.java
@@ -9,7 +9,7 @@ import org.elasticsearch.Version;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.routing.ShardRouting;
 import org.elasticsearch.cluster.routing.UnassignedInfo;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.index.Index;
 import org.elasticsearch.index.shard.ShardId;
@@ -31,7 +31,7 @@ public class ShardsResolverTests extends MonitoringIndexNameResolverTestCase<Sha
         doc.setClusterUUID(randomAsciiOfLength(5));
         doc.setTimestamp(Math.abs(randomLong()));
         doc.setClusterStateUUID(UUID.randomUUID().toString());
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
 
         ShardRouting shardRouting = ShardRouting.newUnassigned(new ShardId(new Index(randomAsciiOfLength(5), UUID.randomUUID().toString()),
                 randomIntBetween(0, 5)), null, randomBoolean(), new UnassignedInfo(UnassignedInfo.Reason.INDEX_CREATED, null));
@@ -48,7 +48,7 @@ public class ShardsResolverTests extends MonitoringIndexNameResolverTestCase<Sha
 
         final String clusterStateUUID = UUID.randomUUID().toString();
         doc.setClusterStateUUID(clusterStateUUID);
-        doc.setSourceNode(new DiscoveryNode("id", DummyTransportAddress.INSTANCE, emptyMap(), emptySet(), Version.CURRENT));
+        doc.setSourceNode(new DiscoveryNode("id", LocalTransportAddress.buildUnique(), emptyMap(), emptySet(), Version.CURRENT));
 
         ShardsResolver resolver = newResolver();
         assertThat(resolver.index(doc), equalTo(".monitoring-es-" + MonitoringTemplateUtils.TEMPLATE_VERSION + "-2015.07.22"));
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java
index 444c3186ab6..16d613c9ad7 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -141,8 +141,12 @@ public class Security implements ActionPlugin {
         }
 
         modules.add(new AuthenticationModule(settings));
+        modules.add(new AuthorizationModule(settings));
         if (enabled == false) {
             modules.add(new SecurityModule(settings, securityLicenseState));
+            modules.add(new CryptoModule(settings));
+            modules.add(new AuditTrailModule(settings));
+            modules.add(new SecurityTransportModule(settings));
             return modules;
         }
 
@@ -152,7 +156,6 @@ public class Security implements ActionPlugin {
         securityLicenseState = new SecurityLicenseState();
         modules.add(new SecurityModule(settings, securityLicenseState));
         modules.add(new CryptoModule(settings));
-        modules.add(new AuthorizationModule(settings));
         modules.add(new AuditTrailModule(settings));
         modules.add(new SecurityRestModule(settings));
         modules.add(new SecurityActionModule(settings));
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityFeatureSet.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityFeatureSet.java
index 18d37bc0192..ab019c37fab 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityFeatureSet.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityFeatureSet.java
@@ -13,14 +13,21 @@ import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.io.stream.Writeable;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.xpack.security.audit.AuditTrailService;
 import org.elasticsearch.xpack.security.authc.Realm;
 import org.elasticsearch.xpack.security.authc.Realms;
 import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
 import org.elasticsearch.xpack.XPackFeatureSet;
+import org.elasticsearch.xpack.security.authz.store.RolesStore;
+import org.elasticsearch.xpack.security.crypto.CryptoService;
+import org.elasticsearch.xpack.security.transport.filter.IPFilter;
+import org.elasticsearch.xpack.security.transport.netty.SecurityNettyHttpServerTransport;
+import org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport;
 
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
@@ -30,16 +37,33 @@ import java.util.stream.Collectors;
  */
 public class SecurityFeatureSet implements XPackFeatureSet {
 
+    private final Settings settings;
     private final boolean enabled;
     private final SecurityLicenseState licenseState;
-    @Nullable private final Realms realms;
+    @Nullable
+    private final Realms realms;
+    @Nullable
+    private final RolesStore rolesStore;
+    @Nullable
+    private final IPFilter ipFilter;
+    @Nullable
+    private final AuditTrailService auditTrailService;
+    @Nullable
+    private final CryptoService cryptoService;
 
     @Inject
     public SecurityFeatureSet(Settings settings, @Nullable SecurityLicenseState licenseState,
-                              @Nullable Realms realms, NamedWriteableRegistry namedWriteableRegistry) {
+                              @Nullable Realms realms, NamedWriteableRegistry namedWriteableRegistry, @Nullable RolesStore rolesStore,
+                              @Nullable IPFilter ipFilter, @Nullable AuditTrailService auditTrailService,
+                              @Nullable CryptoService cryptoService) {
         this.enabled = Security.enabled(settings);
         this.licenseState = licenseState;
         this.realms = realms;
+        this.rolesStore = rolesStore;
+        this.settings = settings;
+        this.ipFilter = ipFilter;
+        this.auditTrailService = auditTrailService;
+        this.cryptoService = cryptoService;
         namedWriteableRegistry.register(Usage.class, Usage.writeableName(Security.NAME), Usage::new);
     }
 
@@ -66,7 +90,12 @@ public class SecurityFeatureSet implements XPackFeatureSet {
     @Override
     public XPackFeatureSet.Usage usage() {
         List<Map<String, Object>> enabledRealms = buildEnabledRealms(realms);
-        return new Usage(available(), enabled(), enabledRealms);
+        Map<String, Object> rolesStoreUsage = rolesStoreUsage(rolesStore);
+        Map<String, Object> sslUsage = sslUsage(settings);
+        Map<String, Object> auditUsage = auditUsage(auditTrailService);
+        Map<String, Object> ipFilterUsage = ipFilterUsage(ipFilter);
+        boolean hasSystemKey = systemKeyUsage(cryptoService);
+        return new Usage(available(), enabled(), enabledRealms, rolesStoreUsage, sslUsage, auditUsage, ipFilterUsage, hasSystemKey);
     }
 
     static List<Map<String, Object>> buildEnabledRealms(Realms realms) {
@@ -84,26 +113,86 @@ public class SecurityFeatureSet implements XPackFeatureSet {
         return enabledRealms;
     }
 
+    static Map<String, Object> rolesStoreUsage(@Nullable RolesStore rolesStore) {
+        if (rolesStore == null) {
+            return Collections.emptyMap();
+        }
+        return rolesStore.usageStats();
+    }
+
+    static Map<String, Object> sslUsage(Settings settings) {
+        Map<String, Object> map = new HashMap<>(2);
+        map.put("http", Collections.singletonMap("enabled", SecurityNettyHttpServerTransport.SSL_SETTING.get(settings)));
+        map.put("transport", Collections.singletonMap("enabled", SecurityNettyTransport.SSL_SETTING.get(settings)));
+        return map;
+    }
+
+    static Map<String, Object> auditUsage(@Nullable AuditTrailService auditTrailService) {
+        if (auditTrailService == null) {
+            return Collections.emptyMap();
+        }
+        return auditTrailService.usageStats();
+    }
+
+    static Map<String, Object> ipFilterUsage(@Nullable IPFilter ipFilter) {
+        if (ipFilter == null) {
+            return Collections.emptyMap();
+        }
+        return ipFilter.usageStats();
+    }
+
+    static boolean systemKeyUsage(CryptoService cryptoService) {
+        // we can piggy back on the encryption enabled method as it is only enabled if there is a system key
+        return cryptoService.encryptionEnabled();
+    }
+
     static class Usage extends XPackFeatureSet.Usage {
 
         private static final String ENABLED_REALMS_XFIELD = "enabled_realms";
+        private static final String ROLES_XFIELD = "roles";
+        private static final String SSL_XFIELD = "ssl";
+        private static final String AUDIT_XFIELD = "audit";
+        private static final String IP_FILTER_XFIELD = "ipfilter";
+        private static final String SYSTEM_KEY_XFIELD = "system_key";
 
         private List<Map<String, Object>> enabledRealms;
+        private Map<String, Object> rolesStoreUsage;
+        private Map<String, Object> sslUsage;
+        private Map<String, Object> auditUsage;
+        private Map<String, Object> ipFilterUsage;
+        private boolean hasSystemKey;
 
         public Usage(StreamInput in) throws IOException {
             super(in);
             enabledRealms = in.readList(StreamInput::readMap);
+            rolesStoreUsage = in.readMap();
+            sslUsage = in.readMap();
+            auditUsage = in.readMap();
+            ipFilterUsage = in.readMap();
+            hasSystemKey = in.readBoolean();
         }
 
-        public Usage(boolean available, boolean enabled, List<Map<String, Object>> enabledRealms) {
+        public Usage(boolean available, boolean enabled, List<Map<String, Object>> enabledRealms, Map<String, Object> rolesStoreUsage,
+                     Map<String, Object> sslUsage, Map<String, Object> auditUsage, Map<String, Object> ipFilterUsage,
+                     boolean hasSystemKey) {
             super(Security.NAME, available, enabled);
             this.enabledRealms = enabledRealms;
+            this.rolesStoreUsage = rolesStoreUsage;
+            this.sslUsage = sslUsage;
+            this.auditUsage = auditUsage;
+            this.ipFilterUsage = ipFilterUsage;
+            this.hasSystemKey = hasSystemKey;
         }
 
         @Override
         public void writeTo(StreamOutput out) throws IOException {
             super.writeTo(out);
             out.writeList(enabledRealms.stream().map((m) -> (Writeable) o -> o.writeMap(m)).collect(Collectors.toList()));
+            out.writeMap(rolesStoreUsage);
+            out.writeMap(sslUsage);
+            out.writeMap(auditUsage);
+            out.writeMap(ipFilterUsage);
+            out.writeBoolean(hasSystemKey);
         }
 
         @Override
@@ -111,6 +200,11 @@ public class SecurityFeatureSet implements XPackFeatureSet {
             super.innerXContent(builder, params);
             if (enabled) {
                 builder.field(ENABLED_REALMS_XFIELD, enabledRealms);
+                builder.field(ROLES_XFIELD, rolesStoreUsage);
+                builder.field(SSL_XFIELD, sslUsage);
+                builder.field(AUDIT_XFIELD, auditUsage);
+                builder.field(IP_FILTER_XFIELD, ipFilterUsage);
+                builder.field(SYSTEM_KEY_XFIELD, hasSystemKey);
             }
         }
     }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityLifecycleService.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityLifecycleService.java
index f174df21d52..f977bee3a51 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityLifecycleService.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityLifecycleService.java
@@ -76,7 +76,7 @@ public class SecurityLifecycleService extends AbstractComponent implements Clust
             if (nativeUserStore.canStart(event.state(), master)) {
                 threadPool.generic().execute(new AbstractRunnable() {
                     @Override
-                    public void onFailure(Throwable throwable) {
+                    public void onFailure(Exception throwable) {
                         logger.error("failed to start native user store service", throwable);
                         assert false : "security lifecycle services startup failed";
                     }
@@ -95,7 +95,7 @@ public class SecurityLifecycleService extends AbstractComponent implements Clust
             if (nativeRolesStore.canStart(event.state(), master)) {
                 threadPool.generic().execute(new AbstractRunnable() {
                     @Override
-                    public void onFailure(Throwable throwable) {
+                    public void onFailure(Exception throwable) {
                         logger.error("failed to start native roles store services", throwable);
                         assert false : "security lifecycle services startup failed";
                     }
@@ -117,7 +117,7 @@ public class SecurityLifecycleService extends AbstractComponent implements Clust
                     threadPool.generic().execute(new AbstractRunnable() {
 
                         @Override
-                        public void onFailure(Throwable throwable) {
+                        public void onFailure(Exception throwable) {
                             logger.error("failed to start index audit trail services", throwable);
                             assert false : "security lifecycle services startup failed";
                         }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityTemplateService.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityTemplateService.java
index eef53799cf2..d4d580a4978 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityTemplateService.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/SecurityTemplateService.java
@@ -90,8 +90,8 @@ public class SecurityTemplateService extends AbstractComponent implements Cluste
                 if (createTemplate && templateCreationPending.compareAndSet(false, true)) {
                     threadPool.generic().execute(new AbstractRunnable() {
                         @Override
-                        public void onFailure(Throwable t) {
-                            logger.warn("failed to create security index template", t);
+                        public void onFailure(Exception e) {
+                            logger.warn("failed to create security index template", e);
                             templateCreationPending.set(false);
                         }
 
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java
index bafdacac3e3..6adde44d6dc 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java
@@ -44,9 +44,6 @@ import java.util.function.Predicate;
 
 import static org.elasticsearch.xpack.security.support.Exceptions.authorizationError;
 
-/**
- *
- */
 public class SecurityActionFilter extends AbstractComponent implements ActionFilter {
 
     private static final Predicate<String> LICENSE_EXPIRATION_ACTION_MATCHER = HealthAndStatsPrivilege.INSTANCE.predicate();
@@ -109,8 +106,8 @@ public class SecurityActionFilter extends AbstractComponent implements ActionFil
             } else {
                 chain.proceed(task, action, request, listener);
             }
-        } catch (Throwable t) {
-            listener.onFailure(t);
+        } catch (Exception e) {
+            listener.onFailure(e);
         }
     }
 
@@ -231,7 +228,7 @@ public class SecurityActionFilter extends AbstractComponent implements ActionFil
         }
 
         @Override
-        public void onFailure(Throwable e) {
+        public void onFailure(Exception e) {
             if (threadContext != null) {
                 threadContext.restore();
             }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportDeleteRoleAction.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportDeleteRoleAction.java
index 48b65921541..7b5f50c7aed 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportDeleteRoleAction.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportDeleteRoleAction.java
@@ -44,7 +44,7 @@ public class TransportDeleteRoleAction extends HandledTransportAction<DeleteRole
                 }
 
                 @Override
-                public void onFailure(Throwable t) {
+                public void onFailure(Exception t) {
                     listener.onFailure(t);
                 }
             });
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportGetRolesAction.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportGetRolesAction.java
index bfaa684c04e..a58c6301141 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportGetRolesAction.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportGetRolesAction.java
@@ -77,7 +77,7 @@ public class TransportGetRolesAction extends HandledTransportAction<GetRolesRequ
                 }
 
                 @Override
-                public void onFailure(Throwable t) {
+                public void onFailure(Exception t) {
                     logger.error("failed to retrieve role [{}]", t, rolename);
                     listener.onFailure(t);
                 }
@@ -95,7 +95,7 @@ public class TransportGetRolesAction extends HandledTransportAction<GetRolesRequ
                 }
 
                 @Override
-                public void onFailure(Throwable t) {
+                public void onFailure(Exception t) {
                     logger.error("failed to retrieve role [{}]", t,
                             Strings.arrayToDelimitedString(request.names(), ","));
                     listener.onFailure(t);
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportPutRoleAction.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportPutRoleAction.java
index 2cb1f983135..1a52983b117 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportPutRoleAction.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/role/TransportPutRoleAction.java
@@ -48,7 +48,7 @@ public class TransportPutRoleAction extends HandledTransportAction<PutRoleReques
             }
 
             @Override
-            public void onFailure(Throwable t) {
+            public void onFailure(Exception t) {
                 listener.onFailure(t);
             }
         });
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordAction.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordAction.java
index 0cffe5bab86..17d0356e5a0 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordAction.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordAction.java
@@ -12,7 +12,6 @@ import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
-import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
 import org.elasticsearch.xpack.security.user.AnonymousUser;
 import org.elasticsearch.xpack.security.user.SystemUser;
 import org.elasticsearch.threadpool.ThreadPool;
@@ -50,7 +49,7 @@ public class TransportChangePasswordAction extends HandledTransportAction<Change
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 listener.onFailure(e);
             }
         });
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportDeleteUserAction.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportDeleteUserAction.java
index 387da62f59f..207bac9ba17 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportDeleteUserAction.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportDeleteUserAction.java
@@ -54,7 +54,7 @@ public class TransportDeleteUserAction extends HandledTransportAction<DeleteUser
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 listener.onFailure(e);
             }
         });
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportGetUsersAction.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportGetUsersAction.java
index 645871ded3e..7a7a5fc962a 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportGetUsersAction.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportGetUsersAction.java
@@ -78,7 +78,7 @@ public class TransportGetUsersAction extends HandledTransportAction<GetUsersRequ
                 }
 
                 @Override
-                public void onFailure(Throwable e) {
+                public void onFailure(Exception e) {
                     logger.error("failed to retrieve user [{}]", e, username);
                     listener.onFailure(e);
                 }
@@ -94,7 +94,7 @@ public class TransportGetUsersAction extends HandledTransportAction<GetUsersRequ
                 }
 
                 @Override
-                public void onFailure(Throwable e) {
+                public void onFailure(Exception e) {
                     logger.error("failed to retrieve user [{}]", e,
                             Strings.arrayToDelimitedString(request.usernames(), ","));
                     listener.onFailure(e);
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportPutUserAction.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportPutUserAction.java
index b4352ce454a..a8de5a48113 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportPutUserAction.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportPutUserAction.java
@@ -59,7 +59,7 @@ public class TransportPutUserAction extends HandledTransportAction<PutUserReques
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 logger.error("failed to put user [{}]", e, request.username());
                 listener.onFailure(e);
             }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailModule.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailModule.java
index f50eef9757c..de26c226e7c 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailModule.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailModule.java
@@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.audit;
 
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.inject.multibindings.Multibinder;
+import org.elasticsearch.common.inject.util.Providers;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
@@ -44,18 +45,16 @@ public class AuditTrailModule extends AbstractSecurityModule.Node {
 
     @Override
     protected void configureNode() {
-        if (!enabled) {
-            bind(AuditTrail.class).toInstance(AuditTrail.NOOP);
-            return;
-        }
         List<String> outputs = OUTPUTS_SETTING.get(settings);
-        if (outputs.isEmpty()) {
+        if (securityEnabled == false || enabled == false || outputs.isEmpty()) {
+            bind(AuditTrailService.class).toProvider(Providers.of(null));
             bind(AuditTrail.class).toInstance(AuditTrail.NOOP);
             return;
         }
-        bind(AuditTrail.class).to(AuditTrailService.class).asEagerSingleton();
-        Multibinder<AuditTrail> binder = Multibinder.newSetBinder(binder(), AuditTrail.class);
 
+        bind(AuditTrailService.class).asEagerSingleton();
+        bind(AuditTrail.class).to(AuditTrailService.class);
+        Multibinder<AuditTrail> binder = Multibinder.newSetBinder(binder(), AuditTrail.class);
         Set<String> uniqueOutputs = Sets.newHashSet(outputs);
         for (String output : uniqueOutputs) {
             switch (output) {
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
index 690bc6c76f1..87e1e50ee40 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
@@ -16,6 +16,8 @@ import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
 import org.elasticsearch.transport.TransportMessage;
 
 import java.net.InetAddress;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Set;
 
 /**
@@ -197,4 +199,11 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
             }
         }
     }
+
+    public Map<String, Object> usageStats() {
+        Map<String, Object> map = new HashMap<>(2);
+        map.put("enabled", AuditTrailModule.ENABLED_SETTING.get(settings));
+        map.put("outputs", AuditTrailModule.OUTPUTS_SETTING.get(settings));
+        return map;
+    }
 }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrail.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrail.java
index bc1f00f0d70..e3b00743df7 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrail.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrail.java
@@ -886,7 +886,7 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl
                     INDEX_TEMPLATE_NAME);
             threadPool.generic().execute(new AbstractRunnable() {
                 @Override
-                public void onFailure(Throwable throwable) {
+                public void onFailure(Exception throwable) {
                     logger.error("failed to update security audit index template [{}]", throwable, INDEX_TEMPLATE_NAME);
                 }
 
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java
index 37bc6a135ad..c4b5c53a6f5 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java
@@ -159,7 +159,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
             }
 
             @Override
-            public void onFailure(Throwable t) {
+            public void onFailure(Exception t) {
                 if (t instanceof IndexNotFoundException) {
                     logger.trace("failed to retrieve user [{}] since security index does not exist", username);
                     // We don't invoke the onFailure listener here, instead
@@ -228,7 +228,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                 }
 
                 @Override
-                public void onFailure(Throwable t) {
+                public void onFailure(Exception t) {
                     // attempt to clear scroll response
                     if (lastResponse != null && lastResponse.getScrollId() != null) {
                         clearScrollResponse(lastResponse.getScrollId());
@@ -260,7 +260,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
             }
 
             @Override
-            public void onFailure(Throwable t) {
+            public void onFailure(Exception t) {
                 if (t instanceof IndexNotFoundException) {
                     logger.trace("failed to retrieve user [{}] since security index does not exist", t, username);
                 } else {
@@ -287,7 +287,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                 }
 
                 @Override
-                public void onFailure(Throwable t) {
+                public void onFailure(Exception t) {
                     if (t instanceof IndexNotFoundException) {
                         logger.trace("could not retrieve user [{}] because security index does not exist", t, user);
                     } else {
@@ -334,7 +334,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                     }
 
                     @Override
-                    public void onFailure(Throwable e) {
+                    public void onFailure(Exception e) {
                         Throwable cause = e;
                         if (e instanceof ElasticsearchException) {
                             cause = ExceptionsHelper.unwrapCause(e);
@@ -368,7 +368,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                     }
 
                     @Override
-                    public void onFailure(Throwable e) {
+                    public void onFailure(Exception e) {
                         listener.onFailure(e);
                     }
                 });
@@ -410,7 +410,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                     }
 
                     @Override
-                    public void onFailure(Throwable e) {
+                    public void onFailure(Exception e) {
                         Throwable cause = e;
                         if (e instanceof ElasticsearchException) {
                             cause = ExceptionsHelper.unwrapCause(e);
@@ -455,7 +455,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                     }
 
                     @Override
-                    public void onFailure(Throwable e) {
+                    public void onFailure(Exception e) {
                         listener.onFailure(e);
                     }
                 });
@@ -479,7 +479,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                 }
 
                 @Override
-                public void onFailure(Throwable e) {
+                public void onFailure(Exception e) {
                     listener.onFailure(e);
                 }
             });
@@ -550,9 +550,9 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
         if (state.compareAndSet(State.STARTED, State.STOPPING)) {
             try {
                 userPoller.stop();
-            } catch (Throwable t) {
+            } catch (Exception e) {
                 state.set(State.FAILED);
-                throw t;
+                throw e;
             } finally {
                 state.set(State.STOPPED);
             }
@@ -594,10 +594,10 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
         return securityIndexExists;
     }
 
-    char[] reservedUserPassword(String username) throws Throwable {
+    char[] reservedUserPassword(String username) throws Exception {
         assert started();
         final AtomicReference<char[]> passwordHash = new AtomicReference<>();
-        final AtomicReference<Throwable> failure = new AtomicReference<>();
+        final AtomicReference<Exception> failure = new AtomicReference<>();
         final CountDownLatch latch = new CountDownLatch(1);
         client.prepareGet(SecurityTemplateService.SECURITY_INDEX_NAME, RESERVED_USER_DOC_TYPE, username)
                 .execute(new LatchedActionListener<>(new ActionListener<GetResponse>() {
@@ -615,7 +615,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                     }
 
                     @Override
-                    public void onFailure(Throwable e) {
+                    public void onFailure(Exception e) {
                         if (e instanceof IndexNotFoundException) {
                             logger.trace("could not retrieve built in user [{}] password since security index does not exist", e, username);
                         } else {
@@ -634,7 +634,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
             failure.set(e);
         }
 
-        Throwable failureCause = failure.get();
+        Exception failureCause = failure.get();
         if (failureCause != null) {
             // if there is any sort of failure we need to throw an exception to prevent the fallback to the default password...
             throw failureCause;
@@ -651,7 +651,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
             }
 
             @Override
-            public void onFailure(Throwable t) {
+            public void onFailure(Exception t) {
                 // Not really much to do here except for warn about it...
                 logger.warn("failed to clear scroll [{}]", t, scrollId);
             }
@@ -669,7 +669,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 logger.error("unable to clear realm cache for user [{}]", e, username);
                 ElasticsearchException exception = new ElasticsearchException("clearing the cache for [" + username
                         + "] failed. please clear the realm cache manually", e);
@@ -838,21 +838,22 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
             }
 
             // call listeners
-            Throwable th = null;
+            RuntimeException ex = null;
             for (ChangeListener listener : listeners) {
                 try {
                     listener.onUsersChanged(changedUsers);
-                } catch (Throwable t) {
-                    th = ExceptionsHelper.useOrSuppress(th, t);
+                } catch (Exception e) {
+                    if (ex == null) ex = new RuntimeException("exception while notifying listeners");
+                    ex.addSuppressed(e);
                 }
             }
 
-            ExceptionsHelper.reThrowIfNotNull(th);
+            if (ex != null) throw ex;
         }
 
         @Override
-        public void onFailure(Throwable t) {
-            logger.error("error occurred while checking the native users for changes", t);
+        public void onFailure(Exception e) {
+            logger.error("error occurred while checking the native users for changes", e);
         }
 
         private boolean isStopped() {
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java
index 2c2d0a09a29..52aa20550af 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java
@@ -131,7 +131,7 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
                 return DEFAULT_PASSWORD_HASH;
             }
             return passwordHash;
-        } catch (Throwable e) {
+        } catch (Exception e) {
             logger.error("failed to retrieve password hash for reserved user [{}]", e, username);
             return null;
         }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStore.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStore.java
index ebd14bae17b..8190ac0e692 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStore.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStore.java
@@ -37,9 +37,6 @@ import static java.util.Collections.emptyMap;
 import static java.util.Collections.unmodifiableMap;
 import static org.elasticsearch.xpack.security.support.SecurityFiles.openAtomicMoveWriter;
 
-/**
- *
- */
 public class FileUserPasswdStore {
 
     private final ESLogger logger;
@@ -111,8 +108,8 @@ public class FileUserPasswdStore {
     static Map<String, char[]> parseFileLenient(Path path, ESLogger logger) {
         try {
             return parseFile(path, logger);
-        } catch (Throwable t) {
-            logger.error("failed to parse users file [{}]. skipping/removing all users...", t, path.toAbsolutePath());
+        } catch (Exception e) {
+            logger.error("failed to parse users file [{}]. skipping/removing all users...", e, path.toAbsolutePath());
             return emptyMap();
         }
     }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStore.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStore.java
index b5bee42e46b..aa03091112b 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStore.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStore.java
@@ -37,9 +37,6 @@ import static java.util.Collections.emptyMap;
 import static java.util.Collections.unmodifiableMap;
 import static org.elasticsearch.xpack.security.support.SecurityFiles.openAtomicMoveWriter;
 
-/**
- *
- */
 public class FileUserRolesStore {
 
     private static final Pattern USERS_DELIM = Pattern.compile("\\s*,\\s*");
@@ -103,8 +100,8 @@ public class FileUserRolesStore {
     static Map<String, String[]> parseFileLenient(Path path, ESLogger logger) {
         try {
             return parseFile(path, logger);
-        } catch (Throwable t) {
-            logger.error("failed to parse users_roles file [{}]. skipping/removing all entries...", t, path.toAbsolutePath());
+        } catch (Exception e) {
+            logger.error("failed to parse users_roles file [{}]. skipping/removing all entries...", e, path.toAbsolutePath());
             return emptyMap();
         }
     }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/tool/UsersTool.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/tool/UsersTool.java
index d86c747b3df..6aa1523272a 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/tool/UsersTool.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/file/tool/UsersTool.java
@@ -11,7 +11,7 @@ import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.MultiCommand;
 import org.elasticsearch.cli.SettingCommand;
 import org.elasticsearch.cli.Terminal;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.set.Sets;
@@ -88,7 +88,7 @@ public class UsersTool extends MultiCommand {
             String username = parseUsername(arguments.values(options));
             Validation.Error validationError = Users.validateUsername(username);
             if (validationError != null) {
-                throw new UserError(ExitCodes.DATA_ERROR, "Invalid username [" + username + "]... " + validationError);
+                throw new UserException(ExitCodes.DATA_ERROR, "Invalid username [" + username + "]... " + validationError);
             }
 
             char[] password = parsePassword(terminal, passwordOption.value(options));
@@ -102,7 +102,7 @@ public class UsersTool extends MultiCommand {
 
             Map<String, char[]> users = new HashMap<>(FileUserPasswdStore.parseFile(passwordFile, null));
             if (users.containsKey(username)) {
-                throw new UserError(ExitCodes.CODE_ERROR, "User [" + username + "] already exists");
+                throw new UserException(ExitCodes.CODE_ERROR, "User [" + username + "] already exists");
             }
             Hasher hasher = Hasher.BCRYPT;
             users.put(username, hasher.hash(new SecuredString(password)));
@@ -149,7 +149,7 @@ public class UsersTool extends MultiCommand {
 
             Map<String, char[]> users = new HashMap<>(FileUserPasswdStore.parseFile(passwordFile, null));
             if (users.containsKey(username) == false) {
-                throw new UserError(ExitCodes.NO_USER, "User [" + username + "] doesn't exist");
+                throw new UserException(ExitCodes.NO_USER, "User [" + username + "] doesn't exist");
             }
             if (Files.exists(passwordFile)) {
                 char[] passwd = users.remove(username);
@@ -205,7 +205,7 @@ public class UsersTool extends MultiCommand {
             FileAttributesChecker attributesChecker = new FileAttributesChecker(file);
             Map<String, char[]> users = new HashMap<>(FileUserPasswdStore.parseFile(file, null));
             if (users.containsKey(username) == false) {
-                throw new UserError(ExitCodes.NO_USER, "User [" + username + "] doesn't exist");
+                throw new UserException(ExitCodes.NO_USER, "User [" + username + "] doesn't exist");
             }
             users.put(username, Hasher.BCRYPT.hash(new SecuredString(password)));
             FileUserPasswdStore.writeFile(users, file);
@@ -261,7 +261,7 @@ public class UsersTool extends MultiCommand {
 
             Map<String, char[]> usersMap = FileUserPasswdStore.parseFile(usersFile, null);
             if (!usersMap.containsKey(username)) {
-                throw new UserError(ExitCodes.NO_USER, "User [" + username + "] doesn't exist");
+                throw new UserException(ExitCodes.NO_USER, "User [" + username + "] doesn't exist");
             }
 
             Map<String, String[]> userRoles = FileUserRolesStore.parseFile(rolesFile, null);
@@ -325,7 +325,7 @@ public class UsersTool extends MultiCommand {
 
         if (username != null) {
             if (!users.contains(username)) {
-                throw new UserError(ExitCodes.NO_USER, "User [" + username + "] doesn't exist");
+                throw new UserException(ExitCodes.NO_USER, "User [" + username + "] doesn't exist");
             }
 
             if (userRoles.containsKey(username)) {
@@ -394,38 +394,38 @@ public class UsersTool extends MultiCommand {
     }
 
     // pkg private for testing
-    static String parseUsername(List<String> args) throws UserError {
+    static String parseUsername(List<String> args) throws UserException {
         if (args.isEmpty()) {
-            throw new UserError(ExitCodes.USAGE, "Missing username argument");
+            throw new UserException(ExitCodes.USAGE, "Missing username argument");
         } else if (args.size() > 1) {
-            throw new UserError(ExitCodes.USAGE, "Expected a single username argument, found extra: " + args.toString());
+            throw new UserException(ExitCodes.USAGE, "Expected a single username argument, found extra: " + args.toString());
         }
         String username = args.get(0);
         Validation.Error validationError = Users.validateUsername(username);
         if (validationError != null) {
-            throw new UserError(ExitCodes.DATA_ERROR, "Invalid username [" + username + "]... " + validationError);
+            throw new UserException(ExitCodes.DATA_ERROR, "Invalid username [" + username + "]... " + validationError);
         }
         return username;
     }
 
     // pkg private for testing
-    static char[] parsePassword(Terminal terminal, String passwordStr) throws UserError {
+    static char[] parsePassword(Terminal terminal, String passwordStr) throws UserException {
         char[] password;
         if (passwordStr != null) {
             password = passwordStr.toCharArray();
             Validation.Error validationError = Users.validatePassword(password);
             if (validationError != null) {
-                throw new UserError(ExitCodes.DATA_ERROR, "Invalid password..." + validationError);
+                throw new UserException(ExitCodes.DATA_ERROR, "Invalid password..." + validationError);
             }
         } else {
             password = terminal.readSecret("Enter new password: ");
             Validation.Error validationError = Users.validatePassword(password);
             if (validationError != null) {
-                throw new UserError(ExitCodes.DATA_ERROR, "Invalid password..." + validationError);
+                throw new UserException(ExitCodes.DATA_ERROR, "Invalid password..." + validationError);
             }
             char[] retyped = terminal.readSecret("Retype new password: ");
             if (Arrays.equals(password, retyped) == false) {
-                throw new UserError(ExitCodes.DATA_ERROR, "Password mismatch");
+                throw new UserException(ExitCodes.DATA_ERROR, "Password mismatch");
             }
         }
         return password;
@@ -446,7 +446,7 @@ public class UsersTool extends MultiCommand {
     }
 
     // pkg private for testing
-    static String[] parseRoles(Terminal terminal, Environment env, String rolesStr) throws UserError {
+    static String[] parseRoles(Terminal terminal, Environment env, String rolesStr) throws UserException {
         if (rolesStr.isEmpty()) {
             return Strings.EMPTY_ARRAY;
         }
@@ -454,7 +454,7 @@ public class UsersTool extends MultiCommand {
         for (String role : roles) {
             Validation.Error validationError = Validation.Roles.validateRoleName(role);
             if (validationError != null) {
-                throw new UserError(ExitCodes.DATA_ERROR, "Invalid role [" + role + "]... " + validationError);
+                throw new UserException(ExitCodes.DATA_ERROR, "Invalid role [" + role + "]... " + validationError);
             }
         }
 
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapSession.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapSession.java
index 0e52ca56897..f6896d8498a 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapSession.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapSession.java
@@ -65,7 +65,7 @@ public class LdapSession implements Closeable {
         return groupsResolver.resolve(ldap, userDn, timeout, logger);
     }
 
-    public static interface GroupsResolver {
+    public interface GroupsResolver {
 
         List<String> resolve(LDAPInterface ldapConnection, String userDn, TimeValue timeout, ESLogger logger);
 
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/BCrypt.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/BCrypt.java
index 4242beee7af..10579cc5474 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/BCrypt.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/BCrypt.java
@@ -484,7 +484,7 @@ public class BCrypt {
      * @param lr    an array containing the two 32-bit half blocks
      * @param off   the position in the array of the blocks
      */
-    private final void encipher(int lr[], int off) {
+    private void encipher(int lr[], int off) {
         int i, n, l = lr[off], r = lr[off + 1];
 
         l ^= P[0];
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
index bfa74b9f190..2eefccdc2db 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
@@ -95,8 +95,8 @@ public class DnRoleMapper {
     public static Map<DN, Set<String>> parseFileLenient(Path path, ESLogger logger, String realmType, String realmName) {
         try {
             return parseFile(path, logger, realmType, realmName);
-        } catch (Throwable t) {
-            logger.error("failed to parse role mappings file [{}]. skipping/removing all mappings...", t, path.toAbsolutePath());
+        } catch (Exception e) {
+            logger.error("failed to parse role mappings file [{}]. skipping/removing all mappings...", e, path.toAbsolutePath());
             return emptyMap();
         }
     }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/RefreshListener.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/RefreshListener.java
index e50916d0d59..9127d916af3 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/RefreshListener.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authc/support/RefreshListener.java
@@ -10,12 +10,7 @@ package org.elasticsearch.xpack.security.authc.support;
  */
 public interface RefreshListener {
 
-    static final RefreshListener NOOP = new RefreshListener() {
-        @Override
-        public void onRefresh() {
-        }
-    };
+    RefreshListener NOOP = () -> {};
 
     void onRefresh();
-
 }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationModule.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationModule.java
index c1ed7bda2f3..81b584f0d81 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationModule.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationModule.java
@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.xpack.security.authz;
 
+import org.elasticsearch.common.inject.util.Providers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
 import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
@@ -24,6 +25,10 @@ public class AuthorizationModule extends AbstractSecurityModule.Node {
 
     @Override
     protected void configureNode() {
+        if (securityEnabled == false) {
+            bind(RolesStore.class).toProvider(Providers.of(null));
+            return;
+        }
 
         // First the file and native roles stores must be bound...
         bind(ReservedRolesStore.class).asEagerSingleton();
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/permission/IndicesPermission.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/permission/IndicesPermission.java
index d6ff71c4462..33f302bc104 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/permission/IndicesPermission.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/permission/IndicesPermission.java
@@ -125,7 +125,7 @@ public interface IndicesPermission extends Permission, Iterable<IndicesPermissio
                     if (group.check(action, indexOrAlias)) {
                         granted = true;
                         for (String index : concreteIndices) {
-                            if (group.getFields() != null) {
+                            if (group.hasFields()) {
                                 Set<String> roleFields = rolesFieldsByIndex.get(index);
                                 if (roleFields == null) {
                                     roleFields = new HashSet<>();
@@ -133,7 +133,7 @@ public interface IndicesPermission extends Permission, Iterable<IndicesPermissio
                                 }
                                 roleFields.addAll(group.getFields());
                             }
-                            if (group.getQuery() != null) {
+                            if (group.hasQuery()) {
                                 Set<BytesReference> roleQueries = roleQueriesByIndex.get(index);
                                 if (roleQueries == null) {
                                     roleQueries = new HashSet<>();
@@ -330,5 +330,13 @@ public interface IndicesPermission extends Permission, Iterable<IndicesPermissio
             assert index != null;
             return actionMatcher.test(action) && indexNameMatcher.test(index);
         }
+
+        public boolean hasFields() {
+            return fields != null;
+        }
+
+        public boolean hasQuery() {
+            return query != null;
+        }
     }
 }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
index b6ca53edd6c..b2b9709da56 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
@@ -8,6 +8,9 @@ package org.elasticsearch.xpack.security.authz.store;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.xpack.security.authz.permission.Role;
 
+import java.util.HashMap;
+import java.util.Map;
+
 /**
  * A composite roles store that combines built in roles, file-based roles, and index-based roles. Checks the built in roles first, then the
  * file roles, and finally the index roles.
@@ -40,4 +43,12 @@ public class CompositeRolesStore implements RolesStore {
 
         return nativeRolesStore.role(role);
     }
+
+    @Override
+    public Map<String, Object> usageStats() {
+        Map<String, Object> usage = new HashMap<>(2);
+        usage.put("file", fileRolesStore.usageStats());
+        usage.put("native", nativeRolesStore.usageStats());
+        return usage;
+    }
 }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/FileRolesStore.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/FileRolesStore.java
index 57f8a16eee7..849c1a87890 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/FileRolesStore.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/FileRolesStore.java
@@ -15,13 +15,13 @@ import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.xcontent.XContentParser;
 import org.elasticsearch.common.xcontent.yaml.YamlXContent;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.authc.support.RefreshListener;
 import org.elasticsearch.xpack.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.security.authz.permission.IndicesPermission.Group;
 import org.elasticsearch.xpack.security.authz.permission.Role;
 import org.elasticsearch.xpack.security.support.NoOpLogger;
 import org.elasticsearch.xpack.security.support.Validation;
@@ -46,9 +46,6 @@ import static java.util.Collections.emptySet;
 import static java.util.Collections.unmodifiableMap;
 import static org.elasticsearch.xpack.security.Security.setting;
 
-/**
- *
- */
 public class FileRolesStore extends AbstractLifecycleComponent implements RolesStore {
 
     public static final Setting<String> ROLES_FILE_SETTING =
@@ -100,6 +97,28 @@ public class FileRolesStore extends AbstractLifecycleComponent implements RolesS
         return permissions.get(role);
     }
 
+    @Override
+    public Map<String, Object> usageStats() {
+        Map<String, Object> usageStats = new HashMap<>();
+        usageStats.put("size", permissions.size());
+
+        boolean dls = false;
+        boolean fls = false;
+        for (Role role : permissions.values()) {
+            for (Group group : role.indices()) {
+                fls = fls || group.hasFields();
+                dls = dls || group.hasQuery();
+            }
+            if (fls && dls) {
+                break;
+            }
+        }
+        usageStats.put("fls", fls);
+        usageStats.put("dls", dls);
+
+        return usageStats;
+    }
+
     public static Path resolveFile(Settings settings, Environment env) {
         String location = ROLES_FILE_SETTING.get(settings);
         if (location.isEmpty()) {
@@ -288,8 +307,8 @@ public class FileRolesStore extends AbstractLifecycleComponent implements RolesS
                 try {
                     permissions = parseFile(file, logger, settings);
                     logger.info("updated roles (roles file [{}] changed)", file.toAbsolutePath());
-                } catch (Throwable t) {
-                    logger.error("could not reload roles file [{}]. Current roles remain unmodified", t, file.toAbsolutePath());
+                } catch (Exception e) {
+                    logger.error("could not reload roles file [{}]. Current roles remain unmodified", e, file.toAbsolutePath());
                     return;
                 }
                 listener.onRefresh();
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java
index 63786df2aeb..e5d03e24c94 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java
@@ -15,6 +15,9 @@ import org.elasticsearch.action.get.GetResponse;
 import org.elasticsearch.action.index.IndexResponse;
 import org.elasticsearch.action.search.ClearScrollRequest;
 import org.elasticsearch.action.search.ClearScrollResponse;
+import org.elasticsearch.action.search.MultiSearchRequestBuilder;
+import org.elasticsearch.action.search.MultiSearchResponse;
+import org.elasticsearch.action.search.MultiSearchResponse.Item;
 import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.search.SearchScrollRequest;
@@ -47,6 +50,7 @@ import org.elasticsearch.xpack.security.action.role.ClearRolesCacheResponse;
 import org.elasticsearch.xpack.security.action.role.DeleteRoleRequest;
 import org.elasticsearch.xpack.security.action.role.PutRoleRequest;
 import org.elasticsearch.xpack.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.security.authz.permission.IndicesPermission.Group;
 import org.elasticsearch.xpack.security.authz.permission.Role;
 import org.elasticsearch.xpack.security.client.SecurityClient;
 import org.elasticsearch.xpack.security.support.SelfReschedulingRunnable;
@@ -56,8 +60,10 @@ import org.elasticsearch.threadpool.ThreadPool.Names;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.CountDownLatch;
@@ -231,7 +237,7 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
                 }
 
                 @Override
-                public void onFailure(Throwable t) {
+                public void onFailure(Exception t) {
                     // attempt to clear the scroll request
                     if (lastResponse != null && lastResponse.getScrollId() != null) {
                         clearScollRequest(lastResponse.getScrollId());
@@ -277,7 +283,7 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
                 }
 
                 @Override
-                public void onFailure(Throwable e) {
+                public void onFailure(Exception e) {
                     logger.error("failed to delete role from the index", e);
                     listener.onFailure(e);
                 }
@@ -311,7 +317,7 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
                         }
 
                         @Override
-                        public void onFailure(Throwable e) {
+                        public void onFailure(Exception e) {
                             logger.error("failed to put role [{}]", e, request.name());
                             listener.onFailure(e);
                         }
@@ -329,6 +335,84 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
         return roleAndVersion == null ? null : roleAndVersion.getRole();
     }
 
+    @Override
+    public Map<String, Object> usageStats() {
+        if (state() != State.STARTED) {
+            return Collections.emptyMap();
+        }
+
+        boolean dls = false;
+        boolean fls = false;
+        Map<String, Object> usageStats = new HashMap<>();
+        if (securityIndexExists == false) {
+            usageStats.put("size", 0L);
+            usageStats.put("fls", fls);
+            usageStats.put("dls", dls);
+            return usageStats;
+        }
+
+        long count = (long) roleCache.size();
+        for (RoleAndVersion rv : roleCache.values()) {
+            Role role = rv.getRole();
+            for (Group group : role.indices()) {
+                fls = fls || group.hasFields();
+                dls = dls || group.hasQuery();
+            }
+            if (fls && dls) {
+                break;
+            }
+        }
+
+        // slow path - query for necessary information
+        if (fls == false || dls == false) {
+            MultiSearchRequestBuilder builder = client.prepareMultiSearch()
+                    .add(client.prepareSearch(SecurityTemplateService.SECURITY_INDEX_NAME)
+                            .setTypes(ROLE_DOC_TYPE)
+                            .setQuery(QueryBuilders.matchAllQuery())
+                            .setSize(0));
+
+            if (fls == false) {
+                builder.add(client.prepareSearch(SecurityTemplateService.SECURITY_INDEX_NAME)
+                        .setTypes(ROLE_DOC_TYPE)
+                        .setQuery(QueryBuilders.existsQuery("indices.fields"))
+                        .setSize(0)
+                        .setTerminateAfter(1));
+            }
+
+            if (dls == false) {
+                builder.add(client.prepareSearch(SecurityTemplateService.SECURITY_INDEX_NAME)
+                        .setTypes(ROLE_DOC_TYPE)
+                        .setQuery(QueryBuilders.existsQuery("indices.query"))
+                        .setSize(0)
+                        .setTerminateAfter(1));
+            }
+
+            MultiSearchResponse multiSearchResponse = builder.get();
+            int pos = 0;
+            Item[] responses = multiSearchResponse.getResponses();
+            if (responses[pos].isFailure() == false) {
+                count = responses[pos].getResponse().getHits().getTotalHits();
+            }
+
+            if (fls == false) {
+                if (responses[++pos].isFailure() == false) {
+                    fls = responses[pos].getResponse().getHits().getTotalHits() > 0L;
+                }
+            }
+
+            if (dls == false) {
+                if (responses[++pos].isFailure() == false) {
+                    dls = responses[pos].getResponse().getHits().getTotalHits() > 0L;
+                }
+            }
+        }
+
+        usageStats.put("size", count);
+        usageStats.put("fls", fls);
+        usageStats.put("dls", dls);
+        return usageStats;
+    }
+
     private RoleAndVersion getRoleAndVersion(final String roleId) {
         RoleAndVersion roleAndVersion = null;
         final AtomicReference<GetResponse> getRef = new AtomicReference<>(null);
@@ -345,7 +429,7 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
                         }
 
                         @Override
-                        public void onFailure(Throwable t) {
+                        public void onFailure(Exception t) {
                             if (t instanceof IndexNotFoundException) {
                                 logger.trace("failed to retrieve role [{}] since security index does not exist", t, roleId);
                             } else {
@@ -403,7 +487,7 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
             }
 
             @Override
-            public void onFailure(Throwable t) {
+            public void onFailure(Exception t) {
                 // Not really much to do here except for warn about it...
                 logger.warn("failed to clear scroll [{}] after retrieving roles", t, scrollId);
             }
@@ -441,7 +525,7 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 logger.error("unable to clear cache for role [{}]", e, role);
                 ElasticsearchException exception = new ElasticsearchException("clearing the cache for [" + role
                         + "] failed. please clear the role cache manually", e);
@@ -568,8 +652,8 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
         }
 
         @Override
-        public void onFailure(Throwable t) {
-            logger.error("error occurred while checking the native roles for changes", t);
+        public void onFailure(Exception e) {
+            logger.error("error occurred while checking the native roles for changes", e);
         }
 
         private boolean isStopped() {
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java
index 485c35d03af..4d2d8cc815a 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java
@@ -19,6 +19,8 @@ import org.elasticsearch.xpack.security.user.SystemUser;
 
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.Map;
 import java.util.Set;
 
 /**
@@ -55,6 +57,11 @@ public class ReservedRolesStore implements RolesStore {
         }
     }
 
+    @Override
+    public Map<String, Object> usageStats() {
+        return Collections.emptyMap();
+    }
+
     public RoleDescriptor roleDescriptor(String role) {
         switch (role) {
             case SuperuserRole.NAME:
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/RolesStore.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/RolesStore.java
index ece0e559683..eeb3ab8862b 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/RolesStore.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/authz/store/RolesStore.java
@@ -7,6 +7,8 @@ package org.elasticsearch.xpack.security.authz.store;
 
 import org.elasticsearch.xpack.security.authz.permission.Role;
 
+import java.util.Map;
+
 /**
  * An interface for looking up a role given a string role name
  */
@@ -14,4 +16,5 @@ public interface RolesStore {
 
     Role role(String role);
 
+    Map<String, Object> usageStats();
 }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/CryptoModule.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/CryptoModule.java
index 64909c25272..7b400e7d8e5 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/CryptoModule.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/CryptoModule.java
@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.xpack.security.crypto;
 
+import org.elasticsearch.common.inject.util.Providers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.xpack.security.support.AbstractSecurityModule;
 
@@ -19,6 +20,10 @@ public class CryptoModule extends AbstractSecurityModule.Node {
 
     @Override
     protected void configureNode() {
+        if (securityEnabled == false) {
+            bind(CryptoService.class).toProvider(Providers.of(null));
+            return;
+        }
         bind(InternalCryptoService.class).asEagerSingleton();
         bind(CryptoService.class).to(InternalCryptoService.class).asEagerSingleton();
     }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/InternalCryptoService.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/InternalCryptoService.java
index 63b6fe75aca..08155f3b34e 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/InternalCryptoService.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/InternalCryptoService.java
@@ -12,13 +12,12 @@ import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.env.Environment;
-import org.elasticsearch.xpack.security.authc.support.CharArrays;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
+import org.elasticsearch.xpack.security.authc.support.CharArrays;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
@@ -28,6 +27,7 @@ import javax.crypto.Mac;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
+
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
@@ -45,12 +45,9 @@ import java.util.Objects;
 import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.regex.Pattern;
 
-import static org.elasticsearch.xpack.security.authc.support.SecuredString.constantTimeEquals;
 import static org.elasticsearch.xpack.security.Security.setting;
+import static org.elasticsearch.xpack.security.authc.support.SecuredString.constantTimeEquals;
 
-/**
- *
- */
 public class InternalCryptoService extends AbstractLifecycleComponent implements CryptoService {
 
     public static final String KEY_ALGO = "HmacSHA512";
@@ -232,8 +229,8 @@ public class InternalCryptoService extends AbstractLifecycleComponent implements
             base64RandomKey = pieces[2];
             receivedSignature = pieces[3].substring(0, length);
             text = pieces[3].substring(length);
-        } catch (Throwable t) {
-            logger.error("error occurred while parsing signed text", t);
+        } catch (Exception e) {
+            logger.error("error occurred while parsing signed text", e);
             throw new IllegalArgumentException("tampered signed text");
         }
 
@@ -270,8 +267,8 @@ public class InternalCryptoService extends AbstractLifecycleComponent implements
             if (constantTimeEquals(sig, receivedSignature)) {
                 return text;
             }
-        } catch (Throwable t) {
-            logger.error("error occurred while verifying signed text", t);
+        } catch (Exception e) {
+            logger.error("error occurred while verifying signed text", e);
             throw new IllegalStateException("error while verifying the signed text");
         }
 
@@ -543,29 +540,20 @@ public class InternalCryptoService extends AbstractLifecycleComponent implements
         }
 
         private void callListeners(SecretKey oldSystemKey, SecretKey oldEncryptionKey) {
-            Throwable th = null;
+            RuntimeException ex = null;
             for (Listener listener : listeners) {
                 try {
                     listener.onKeyChange(oldSystemKey, oldEncryptionKey);
-                } catch (Throwable t) {
-                    if (th == null) {
-                        th = t;
-                    } else {
-                        th.addSuppressed(t);
-                    }
+                } catch (Exception e) {
+                    if (ex == null) ex = new RuntimeException("exception calling key change listeners");
+                    ex.addSuppressed(e);
                 }
             }
 
             // all listeners were notified now rethrow
-            if (th != null) {
-                logger.error("called all key change listeners but one or more exceptions was thrown", th);
-                if (th instanceof RuntimeException) {
-                    throw (RuntimeException) th;
-                } else if (th instanceof Error) {
-                    throw (Error) th;
-                } else {
-                    throw new RuntimeException(th);
-                }
+            if (ex != null) {
+                logger.error("called all key change listeners but one or more exceptions was thrown", ex);
+                throw ex;
             }
         }
     }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/tool/SystemKeyTool.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/tool/SystemKeyTool.java
index 847f5c5800f..602b6c4d8a8 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/tool/SystemKeyTool.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/crypto/tool/SystemKeyTool.java
@@ -7,12 +7,10 @@ package org.elasticsearch.xpack.security.crypto.tool;
 
 import joptsimple.OptionSet;
 import joptsimple.OptionSpec;
-import joptsimple.util.KeyValuePair;
-import org.elasticsearch.cli.Command;
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.SettingCommand;
 import org.elasticsearch.cli.Terminal;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.io.PathUtils;
 import org.elasticsearch.common.settings.Settings;
@@ -26,7 +24,6 @@ import java.nio.file.Path;
 import java.nio.file.StandardOpenOption;
 import java.nio.file.attribute.PosixFileAttributeView;
 import java.nio.file.attribute.PosixFilePermission;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -65,7 +62,7 @@ public class SystemKeyTool extends SettingCommand {
         if (options.hasArgument(arguments)) {
             List<String> args = arguments.values(options);
             if (args.size() > 1) {
-                throw new UserError(ExitCodes.USAGE, "No more than one key path can be supplied");
+                throw new UserException(ExitCodes.USAGE, "No more than one key path can be supplied");
             }
             keyPath = parsePath(args.get(0));
         } else {
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/ssl/AbstractSSLService.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/ssl/AbstractSSLService.java
index 63e69307107..8b1a276da95 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/ssl/AbstractSSLService.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/ssl/AbstractSSLService.java
@@ -123,8 +123,8 @@ public abstract class AbstractSSLService extends AbstractComponent {
             sslEngine.setEnabledCipherSuites(supportedCiphers(sslEngine.getSupportedCipherSuites(), ciphers, false));
         } catch (ElasticsearchException e) {
             throw e;
-        } catch (Throwable t) {
-            throw new IllegalArgumentException("failed loading cipher suites [" + Arrays.asList(ciphers) + "]", t);
+        } catch (Exception e) {
+            throw new IllegalArgumentException("failed loading cipher suites [" + Arrays.asList(ciphers) + "]", e);
         }
 
         try {
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/support/SelfReschedulingRunnable.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/support/SelfReschedulingRunnable.java
index c74e875cfa9..d30a0897deb 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/support/SelfReschedulingRunnable.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/support/SelfReschedulingRunnable.java
@@ -49,8 +49,8 @@ public class SelfReschedulingRunnable extends AbstractRunnable {
     }
 
     @Override
-    public void onFailure(Throwable t) {
-        logger.warn("failed to run scheduled task", t);
+    public void onFailure(Exception e) {
+        logger.warn("failed to run scheduled task", e);
     }
 
     @Override
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityClientTransportService.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityClientTransportService.java
index b6de8448652..350e1292afc 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityClientTransportService.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityClientTransportService.java
@@ -34,8 +34,8 @@ public class SecurityClientTransportService extends TransportService {
         try {
             clientFilter.outbound(action, request);
             super.sendRequest(node, action, request, options, handler);
-        } catch (Throwable t) {
-            handler.handleException(new TransportException("failed sending request", t));
+        } catch (Exception e) {
+            handler.handleException(new TransportException("failed sending request", e));
         }
     }
 
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportService.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportService.java
index 589a762eb82..e6026d37464 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportService.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportService.java
@@ -38,9 +38,6 @@ import static org.elasticsearch.xpack.security.transport.netty.SecurityNettyTran
 import static org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport.PROFILE_CLIENT_AUTH_SETTING;
 import static org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport.SSL_SETTING;
 
-/**
- *
- */
 public class SecurityServerTransportService extends TransportService {
 
     public static final String SETTING_NAME = "xpack.security.type";
@@ -81,16 +78,16 @@ public class SecurityServerTransportService extends TransportService {
                 try {
                     clientFilter.outbound(action, request);
                     super.sendRequest(node, action, request, options, new ContextRestoreResponseHandler<>(original, handler));
-                } catch (Throwable t) {
-                    handler.handleException(new TransportException("failed sending request", t));
+                } catch (Exception e) {
+                    handler.handleException(new TransportException("failed sending request", e));
                 }
             }
         } else {
             try {
                 clientFilter.outbound(action, request);
                 super.sendRequest(node, action, request, options, handler);
-            } catch (Throwable t) {
-                handler.handleException(new TransportException("failed sending request", t));
+            } catch (Exception e) {
+                handler.handleException(new TransportException("failed sending request", e));
             }
         }
     }
@@ -194,8 +191,8 @@ public class SecurityServerTransportService extends TransportService {
                 RequestContext context = new RequestContext(request, threadContext);
                 RequestContext.setCurrent(context);
                 handler.messageReceived(request, channel, task);
-            } catch (Throwable t) {
-                channel.sendResponse(t);
+            } catch (Exception e) {
+                channel.sendResponse(e);
             } finally {
                 RequestContext.removeCurrent();
             }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityTransportModule.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityTransportModule.java
index 5e51f442f60..7ab781dac0c 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityTransportModule.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityTransportModule.java
@@ -21,6 +21,11 @@ public class SecurityTransportModule extends AbstractSecurityModule {
 
     @Override
     protected void configure(boolean clientMode) {
+        if (securityEnabled == false) {
+            bind(IPFilter.class).toProvider(Providers.<IPFilter>of(null));
+            return;
+        }
+
         if (clientMode) {
             // no ip filtering on the client
             bind(IPFilter.class).toProvider(Providers.<IPFilter>of(null));
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java
index 1c6de4c1433..ed0a27caf44 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java
@@ -130,6 +130,13 @@ public class IPFilter {
         updateRules();
     }
 
+    public Map<String, Object> usageStats() {
+        Map<String, Object> map = new HashMap<>(2);
+        map.put("http", Collections.singletonMap("enabled", isHttpFilterEnabled));
+        map.put("transport", Collections.singletonMap("enabled", isIpFilterEnabled));
+        return map;
+    }
+
     private void setTransportProfiles(Settings settings) {
         transportGroups = settings.getAsGroups();
         updateRules();
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/netty/SecurityNettyTransport.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/netty/SecurityNettyTransport.java
index ae7f224f025..9a4adc8e320 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/netty/SecurityNettyTransport.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/netty/SecurityNettyTransport.java
@@ -26,14 +26,12 @@ import org.jboss.netty.channel.ChannelHandlerContext;
 import org.jboss.netty.channel.ChannelPipeline;
 import org.jboss.netty.channel.ChannelPipelineFactory;
 import org.jboss.netty.channel.ChannelStateEvent;
-import org.jboss.netty.channel.ExceptionEvent;
 import org.jboss.netty.channel.SimpleChannelHandler;
 import org.jboss.netty.handler.ssl.SslHandler;
 
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import java.net.InetSocketAddress;
-import java.util.Collections;
 import java.util.List;
 
 import static org.elasticsearch.xpack.security.Security.featureEnabledSetting;
@@ -113,7 +111,7 @@ public class SecurityNettyTransport extends NettyTransport {
     }
 
     @Override
-    protected void onException(Channel channel, Throwable e) {
+    protected void onException(Channel channel, Exception e) {
         if (isNotSslRecordException(e)) {
             if (logger.isTraceEnabled()) {
                 logger.trace("received plaintext traffic on a encrypted channel, closing connection {}", e, channel);
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java
index a5e9d01bc35..7bb5fa93f25 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java
@@ -146,7 +146,7 @@ public class ClearRealmsCacheTests extends SecurityIntegTestCase {
                 }
 
                 @Override
-                public void onFailure(Throwable e) {
+                public void onFailure(Exception e) {
                     error.set(e);
                     latch.countDown();
                 }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
index 20569ae8b68..4c4ec18f2e4 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@@ -709,9 +709,9 @@ public class FieldLevelSecurityTests extends SecurityIntegTestCase {
         SearchResponse response = client()
                 .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
                 .prepareSearch("test")
-                .addField("field1")
-                .addField("field2")
-                .addField("field3")
+                .addStoredField("field1")
+                .addStoredField("field2")
+                .addStoredField("field3")
                 .get();
         assertThat(response.getHits().getAt(0).fields().size(), equalTo(1));
         assertThat(response.getHits().getAt(0).fields().get("field1").<String>getValue(), equalTo("value1"));
@@ -719,9 +719,9 @@ public class FieldLevelSecurityTests extends SecurityIntegTestCase {
         // user2 is granted access to field2 only:
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
                 .prepareSearch("test")
-                .addField("field1")
-                .addField("field2")
-                .addField("field3")
+                .addStoredField("field1")
+                .addStoredField("field2")
+                .addStoredField("field3")
                 .get();
         assertThat(response.getHits().getAt(0).fields().size(), equalTo(1));
         assertThat(response.getHits().getAt(0).fields().get("field2").<String>getValue(), equalTo("value2"));
@@ -729,9 +729,9 @@ public class FieldLevelSecurityTests extends SecurityIntegTestCase {
         // user3 is granted access to field1 and field2:
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
                 .prepareSearch("test")
-                .addField("field1")
-                .addField("field2")
-                .addField("field3")
+                .addStoredField("field1")
+                .addStoredField("field2")
+                .addStoredField("field3")
                 .get();
         assertThat(response.getHits().getAt(0).fields().size(), equalTo(2));
         assertThat(response.getHits().getAt(0).fields().get("field1").<String>getValue(), equalTo("value1"));
@@ -740,18 +740,18 @@ public class FieldLevelSecurityTests extends SecurityIntegTestCase {
         // user4 is granted access to no fields:
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user4", USERS_PASSWD)))
                 .prepareSearch("test")
-                .addField("field1")
-                .addField("field2")
-                .addField("field3")
+                .addStoredField("field1")
+                .addStoredField("field2")
+                .addStoredField("field3")
                 .get();
         assertThat(response.getHits().getAt(0).fields().size(), equalTo(0));
 
         // user5 has no field level security configured:
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user5", USERS_PASSWD)))
                 .prepareSearch("test")
-                .addField("field1")
-                .addField("field2")
-                .addField("field3")
+                .addStoredField("field1")
+                .addStoredField("field2")
+                .addStoredField("field3")
                 .get();
         assertThat(response.getHits().getAt(0).fields().size(), equalTo(3));
         assertThat(response.getHits().getAt(0).fields().get("field1").<String>getValue(), equalTo("value1"));
@@ -761,9 +761,9 @@ public class FieldLevelSecurityTests extends SecurityIntegTestCase {
         // user6 has field level security configured with access to field*:
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user6", USERS_PASSWD)))
                 .prepareSearch("test")
-                .addField("field1")
-                .addField("field2")
-                .addField("field3")
+                .addStoredField("field1")
+                .addStoredField("field2")
+                .addStoredField("field3")
                 .get();
         assertThat(response.getHits().getAt(0).fields().size(), equalTo(3));
         assertThat(response.getHits().getAt(0).fields().get("field1").<String>getValue(), equalTo("value1"));
@@ -773,9 +773,9 @@ public class FieldLevelSecurityTests extends SecurityIntegTestCase {
         // user7 has access to all fields due to a mix of roles without field level security and with:
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user7", USERS_PASSWD)))
                 .prepareSearch("test")
-                .addField("field1")
-                .addField("field2")
-                .addField("field3")
+                .addStoredField("field1")
+                .addStoredField("field2")
+                .addStoredField("field3")
                 .get();
         assertThat(response.getHits().getAt(0).fields().size(), equalTo(3));
         assertThat(response.getHits().getAt(0).fields().get("field1").<String>getValue(), equalTo("value1"));
@@ -785,9 +785,9 @@ public class FieldLevelSecurityTests extends SecurityIntegTestCase {
         // user8 has field level security configured with access to field1 and field2:
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user8", USERS_PASSWD)))
                 .prepareSearch("test")
-                .addField("field1")
-                .addField("field2")
-                .addField("field3")
+                .addStoredField("field1")
+                .addStoredField("field2")
+                .addStoredField("field3")
                 .get();
         assertThat(response.getHits().getAt(0).fields().size(), equalTo(2));
         assertThat(response.getHits().getAt(0).fields().get("field1").<String>getValue(), equalTo("value1"));
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/SecurityFeatureSetTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/SecurityFeatureSetTests.java
index faad01e0072..ca5e8a5b5b1 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/SecurityFeatureSetTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/SecurityFeatureSetTests.java
@@ -5,12 +5,19 @@
  */
 package org.elasticsearch.xpack.security;
 
+import org.elasticsearch.common.collect.MapBuilder;
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.xpack.security.audit.AuditTrailService;
 import org.elasticsearch.xpack.security.authc.Realm;
 import org.elasticsearch.xpack.security.authc.Realms;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.XPackFeatureSet;
+import org.elasticsearch.xpack.security.authz.store.RolesStore;
+import org.elasticsearch.xpack.security.crypto.CryptoService;
+import org.elasticsearch.xpack.security.transport.filter.IPFilter;
+import org.elasticsearch.xpack.security.transport.netty.SecurityNettyHttpServerTransport;
+import org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport;
 import org.elasticsearch.xpack.watcher.support.xcontent.XContentSource;
 import org.junit.Before;
 
@@ -21,6 +28,7 @@ import java.util.List;
 import java.util.Map;
 
 import static org.hamcrest.CoreMatchers.nullValue;
+import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.core.Is.is;
 import static org.mockito.Matchers.anyObject;
@@ -34,24 +42,35 @@ import static org.mockito.Mockito.when;
  */
 public class SecurityFeatureSetTests extends ESTestCase {
 
+    private Settings settings;
     private SecurityLicenseState licenseState;
     private Realms realms;
     private NamedWriteableRegistry namedWriteableRegistry;
+    private IPFilter ipFilter;
+    private RolesStore rolesStore;
+    private AuditTrailService auditTrail;
+    private CryptoService cryptoService;
 
     @Before
     public void init() throws Exception {
+        settings = Settings.builder().put("path.home", createTempDir()).build();
         licenseState = mock(SecurityLicenseState.class);
         realms = mock(Realms.class);
         namedWriteableRegistry = mock(NamedWriteableRegistry.class);
+        ipFilter = mock(IPFilter.class);
+        rolesStore = mock(RolesStore.class);
+        auditTrail = mock(AuditTrailService.class);
+        cryptoService = mock(CryptoService.class);
     }
 
     public void testWritableRegistration() throws Exception {
-        new SecurityFeatureSet(Settings.EMPTY, licenseState, realms, namedWriteableRegistry);
+        new SecurityFeatureSet(settings, licenseState, realms, namedWriteableRegistry, rolesStore, ipFilter, auditTrail, cryptoService);
         verify(namedWriteableRegistry).register(eq(SecurityFeatureSet.Usage.class), eq("xpack.usage.security"), anyObject());
     }
 
     public void testAvailable() throws Exception {
-        SecurityFeatureSet featureSet = new SecurityFeatureSet(Settings.EMPTY, licenseState, realms, namedWriteableRegistry);
+        SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms, namedWriteableRegistry, rolesStore,
+                ipFilter, auditTrail, cryptoService);
         boolean available = randomBoolean();
         when(licenseState.authenticationAndAuthorizationEnabled()).thenReturn(available);
         assertThat(featureSet.available(), is(available));
@@ -60,27 +79,60 @@ public class SecurityFeatureSetTests extends ESTestCase {
     public void testEnabledSetting() throws Exception {
         boolean enabled = randomBoolean();
         Settings settings = Settings.builder()
+                .put(this.settings)
                 .put("xpack.security.enabled", enabled)
                 .build();
-        SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms, namedWriteableRegistry);
+        SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms, namedWriteableRegistry, rolesStore,
+                ipFilter, auditTrail, cryptoService);
         assertThat(featureSet.enabled(), is(enabled));
     }
 
     public void testEnabledDefault() throws Exception {
-        SecurityFeatureSet featureSet = new SecurityFeatureSet(Settings.EMPTY, licenseState, realms, namedWriteableRegistry);
+        SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms, namedWriteableRegistry, rolesStore,
+                        ipFilter, auditTrail, cryptoService);
         assertThat(featureSet.enabled(), is(true));
     }
 
     public void testUsage() throws Exception {
 
-        boolean available = randomBoolean();
-        when(licenseState.authenticationAndAuthorizationEnabled()).thenReturn(available);
+        boolean authcAuthzAvailable = randomBoolean();
+        when(licenseState.authenticationAndAuthorizationEnabled()).thenReturn(authcAuthzAvailable);
 
-        Settings.Builder settings = Settings.builder();
+        Settings.Builder settings = Settings.builder().put(this.settings);
 
         boolean enabled = randomBoolean();
         settings.put("xpack.security.enabled", enabled);
 
+        final boolean httpSSLEnabled = randomBoolean();
+        settings.put(SecurityNettyHttpServerTransport.SSL_SETTING.getKey(), httpSSLEnabled);
+        final boolean transportSSLEnabled = randomBoolean();
+        settings.put(SecurityNettyTransport.SSL_SETTING.getKey(), transportSSLEnabled);
+        final boolean auditingEnabled = randomBoolean();
+        final String[] auditOutputs = randomFrom(new String[] {"logfile"}, new String[] {"index"}, new String[] {"logfile", "index"});
+        when(auditTrail.usageStats())
+                .thenReturn(MapBuilder.<String, Object>newMapBuilder()
+                        .put("enabled", auditingEnabled)
+                        .put("outputs", auditOutputs)
+                        .map());
+
+        final boolean httpIpFilterEnabled = randomBoolean();
+        final boolean transportIPFilterEnabled = randomBoolean();
+        when(ipFilter.usageStats())
+                .thenReturn(MapBuilder.<String, Object>newMapBuilder()
+                        .put("http", Collections.singletonMap("enabled", httpIpFilterEnabled))
+                        .put("transport", Collections.singletonMap("enabled", transportIPFilterEnabled))
+                        .map());
+
+
+        final boolean rolesStoreEnabled = randomBoolean();
+        if (rolesStoreEnabled) {
+            when(rolesStore.usageStats()).thenReturn(Collections.singletonMap("count", 1));
+        } else {
+            when(rolesStore.usageStats()).thenReturn(Collections.emptyMap());
+        }
+        final boolean useSystemKey = randomBoolean();
+        when(cryptoService.encryptionEnabled()).thenReturn(useSystemKey);
+
         List<Realm> realmsList= new ArrayList<>();
 
         for (int i = 0; i < 5; i++) {
@@ -93,24 +145,49 @@ public class SecurityFeatureSetTests extends ESTestCase {
             realmUsage.put("key3", i % 2 == 0);
             when(realm.usageStats()).thenReturn(realmUsage);
         }
-        when(realms.iterator()).thenReturn(available ? realmsList.iterator() : Collections.<Realm>emptyIterator());
+        when(realms.iterator()).thenReturn(authcAuthzAvailable ? realmsList.iterator() : Collections.<Realm>emptyIterator());
 
-        SecurityFeatureSet featureSet = new SecurityFeatureSet(settings.build(), licenseState, realms, namedWriteableRegistry);
+        SecurityFeatureSet featureSet = new SecurityFeatureSet(settings.build(), licenseState, realms, namedWriteableRegistry, rolesStore,
+                ipFilter, auditTrail, cryptoService);
         XPackFeatureSet.Usage usage = featureSet.usage();
         assertThat(usage, is(notNullValue()));
         assertThat(usage.name(), is(Security.NAME));
         assertThat(usage.enabled(), is(enabled));
-        assertThat(usage.available(), is(available));
+        assertThat(usage.available(), is(authcAuthzAvailable));
         XContentSource source = new XContentSource(usage);
 
-        if (enabled && available) {
-            for (int i = 0; i < 5; i++) {
-                assertThat(source.getValue("enabled_realms." + i + ".key1"), is("value" + i));
-                assertThat(source.getValue("enabled_realms." + i + ".key2"), is(i));
-                assertThat(source.getValue("enabled_realms." + i + ".key3"), is(i % 2 == 0));
+        if (enabled) {
+            if (authcAuthzAvailable) {
+                for (int i = 0; i < 5; i++) {
+                    assertThat(source.getValue("enabled_realms." + i + ".key1"), is("value" + i));
+                    assertThat(source.getValue("enabled_realms." + i + ".key2"), is(i));
+                    assertThat(source.getValue("enabled_realms." + i + ".key3"), is(i % 2 == 0));
+                }
+            } else {
+                assertThat(source.getValue("enabled_realms"), is(notNullValue()));
             }
-        } else if (enabled) {
-            assertThat(source.getValue("enabled_realms"), is(notNullValue()));
+
+            // check SSL
+            assertThat(source.getValue("ssl.http.enabled"), is(httpSSLEnabled));
+            assertThat(source.getValue("ssl.transport.enabled"), is(transportSSLEnabled));
+
+            // auditing
+            assertThat(source.getValue("audit.enabled"), is(auditingEnabled));
+            assertThat(source.getValue("audit.outputs"), contains(auditOutputs));
+
+            // ip filter
+            assertThat(source.getValue("ipfilter.http.enabled"), is(httpIpFilterEnabled));
+            assertThat(source.getValue("ipfilter.transport.enabled"), is(transportIPFilterEnabled));
+
+            // roles
+            if (rolesStoreEnabled) {
+                assertThat(source.getValue("roles.count"), is(1));
+            } else {
+                assertThat(((Map) source.getValue("roles")).isEmpty(), is(true));
+            }
+
+            // system key
+            assertThat(source.getValue("system_key"), is(useSystemKey));
         } else {
             assertThat(source.getValue("enabled_realms"), is(nullValue()));
         }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/VersionCompatibilityTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/VersionCompatibilityTests.java
index c7a68aca203..e262b646a98 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/VersionCompatibilityTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/VersionCompatibilityTests.java
@@ -33,6 +33,6 @@ public class VersionCompatibilityTests extends ESTestCase {
          *
          */
         assertThat("Remove workaround in LicenseService class when es core supports merging cluster level custom metadata",
-                   Version.CURRENT.equals(Version.V_5_0_0_alpha4), is(true));
+                   Version.CURRENT.equals(Version.V_5_0_0_alpha5), is(true));
     }
 }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportDeleteRoleActionTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportDeleteRoleActionTests.java
index e0afd716a0a..e9560e6cfd4 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportDeleteRoleActionTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportDeleteRoleActionTests.java
@@ -55,7 +55,7 @@ public class TransportDeleteRoleActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -96,7 +96,7 @@ public class TransportDeleteRoleActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -108,7 +108,7 @@ public class TransportDeleteRoleActionTests extends ESTestCase {
     }
 
     public void testException() {
-        final Throwable t = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException());
+        final Exception e = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException());
         final String roleName = randomFrom("admin", "dept_a", "restricted");
         NativeRolesStore rolesStore = mock(NativeRolesStore.class);
         TransportDeleteRoleAction action = new TransportDeleteRoleAction(Settings.EMPTY, mock(ThreadPool.class), mock(ActionFilters.class),
@@ -124,7 +124,7 @@ public class TransportDeleteRoleActionTests extends ESTestCase {
                 Object[] args = invocation.getArguments();
                 assert args.length == 2;
                 ActionListener<Boolean> listener = (ActionListener<Boolean>) args[1];
-                listener.onFailure(t);
+                listener.onFailure(e);
                 return null;
             }
         }).when(rolesStore).deleteRole(eq(request), any(ActionListener.class));
@@ -138,14 +138,14 @@ public class TransportDeleteRoleActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
 
         assertThat(responseRef.get(), is(nullValue()));
         assertThat(throwableRef.get(), is(notNullValue()));
-        assertThat(throwableRef.get(), is(sameInstance(t)));
+        assertThat(throwableRef.get(), is(sameInstance(e)));
         verify(rolesStore, times(1)).deleteRole(eq(request), any(ActionListener.class));
     }
 }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportGetRolesActionTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportGetRolesActionTests.java
index 825f2540af5..2205f0cbcf7 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportGetRolesActionTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportGetRolesActionTests.java
@@ -89,7 +89,7 @@ public class TransportGetRolesActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -158,7 +158,7 @@ public class TransportGetRolesActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -251,7 +251,7 @@ public class TransportGetRolesActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -273,7 +273,7 @@ public class TransportGetRolesActionTests extends ESTestCase {
     }
 
     public void testException() {
-        final Throwable t = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException());
+        final Exception e = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException());
         final List<RoleDescriptor> storeRoleDescriptors = randomRoleDescriptors();
         NativeRolesStore rolesStore = mock(NativeRolesStore.class);
         SecurityContext context = mock(SecurityContext.class);
@@ -290,7 +290,7 @@ public class TransportGetRolesActionTests extends ESTestCase {
                     Object[] args = invocation.getArguments();
                     assert args.length == 2;
                     ActionListener<RoleDescriptor> listener = (ActionListener<RoleDescriptor>) args[1];
-                    listener.onFailure(t);
+                    listener.onFailure(e);
                     return null;
                 }
             }).when(rolesStore).getRoleDescriptor(eq(request.names()[0]), any(ActionListener.class));
@@ -301,7 +301,7 @@ public class TransportGetRolesActionTests extends ESTestCase {
                     Object[] args = invocation.getArguments();
                     assert args.length == 2;
                     ActionListener<List<RoleDescriptor>> listener = (ActionListener<List<RoleDescriptor>>) args[1];
-                    listener.onFailure(t);
+                    listener.onFailure(e);
                     return null;
                 }
             }).when(rolesStore).getRoleDescriptors(aryEq(request.names()), any(ActionListener.class));
@@ -316,13 +316,13 @@ public class TransportGetRolesActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
 
         assertThat(throwableRef.get(), is(notNullValue()));
-        assertThat(throwableRef.get(), is(t));
+        assertThat(throwableRef.get(), is(e));
         assertThat(responseRef.get(), is(nullValue()));
     }
 
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportPutRoleActionTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportPutRoleActionTests.java
index 3a7150e4679..6ea5bf6b25c 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportPutRoleActionTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/role/TransportPutRoleActionTests.java
@@ -56,7 +56,7 @@ public class TransportPutRoleActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -97,7 +97,7 @@ public class TransportPutRoleActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -109,7 +109,7 @@ public class TransportPutRoleActionTests extends ESTestCase {
     }
 
     public void testException() {
-        final Throwable t = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException());
+        final Exception e = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException());
         final String roleName = randomFrom("admin", "dept_a", "restricted");
         NativeRolesStore rolesStore = mock(NativeRolesStore.class);
         TransportPutRoleAction action = new TransportPutRoleAction(Settings.EMPTY, mock(ThreadPool.class), mock(ActionFilters.class),
@@ -124,7 +124,7 @@ public class TransportPutRoleActionTests extends ESTestCase {
                 Object[] args = invocation.getArguments();
                 assert args.length == 3;
                 ActionListener<Boolean> listener = (ActionListener<Boolean>) args[2];
-                listener.onFailure(t);
+                listener.onFailure(e);
                 return null;
             }
         }).when(rolesStore).putRole(eq(request), any(RoleDescriptor.class), any(ActionListener.class));
@@ -138,14 +138,14 @@ public class TransportPutRoleActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
 
         assertThat(responseRef.get(), is(nullValue()));
         assertThat(throwableRef.get(), is(notNullValue()));
-        assertThat(throwableRef.get(), is(sameInstance(t)));
+        assertThat(throwableRef.get(), is(sameInstance(e)));
         verify(rolesStore, times(1)).putRole(eq(request), any(RoleDescriptor.class), any(ActionListener.class));
     }
 }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportAuthenticateActionTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportAuthenticateActionTests.java
index e7b820642a9..236dce76b97 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportAuthenticateActionTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportAuthenticateActionTests.java
@@ -47,7 +47,7 @@ public class TransportAuthenticateActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -72,7 +72,7 @@ public class TransportAuthenticateActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -99,7 +99,7 @@ public class TransportAuthenticateActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java
index 450e53caf65..35344ba2394 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordActionTests.java
@@ -68,7 +68,7 @@ public class TransportChangePasswordActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -97,7 +97,7 @@ public class TransportChangePasswordActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -135,7 +135,7 @@ public class TransportChangePasswordActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -152,13 +152,13 @@ public class TransportChangePasswordActionTests extends ESTestCase {
         ChangePasswordRequest request = new ChangePasswordRequest();
         request.username(user.principal());
         request.passwordHash(Hasher.BCRYPT.hash(new SecuredString("changeme".toCharArray())));
-        final Throwable t = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException(), new RuntimeException());
+        final Exception e = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException(), new RuntimeException());
         doAnswer(new Answer() {
             public Void answer(InvocationOnMock invocation) {
                 Object[] args = invocation.getArguments();
                 assert args.length == 2;
                 ActionListener<Void> listener = (ActionListener<Void>) args[1];
-                listener.onFailure(t);
+                listener.onFailure(e);
                 return null;
             }
         }).when(usersStore).changePassword(eq(request), any(ActionListener.class));
@@ -174,14 +174,14 @@ public class TransportChangePasswordActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
 
         assertThat(responseRef.get(), is(nullValue()));
         assertThat(throwableRef.get(), is(notNullValue()));
-        assertThat(throwableRef.get(), sameInstance(t));
+        assertThat(throwableRef.get(), sameInstance(e));
         verify(usersStore, times(1)).changePassword(eq(request), any(ActionListener.class));
     }
 }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportDeleteUserActionTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportDeleteUserActionTests.java
index 9735a698e8b..614681491df 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportDeleteUserActionTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportDeleteUserActionTests.java
@@ -63,7 +63,7 @@ public class TransportDeleteUserActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -90,7 +90,7 @@ public class TransportDeleteUserActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -118,7 +118,7 @@ public class TransportDeleteUserActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -156,7 +156,7 @@ public class TransportDeleteUserActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -168,7 +168,7 @@ public class TransportDeleteUserActionTests extends ESTestCase {
     }
 
     public void testException() {
-        final Throwable t = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException(), new RuntimeException());
+        final Exception e = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException(), new RuntimeException());
         final User user = new User("joe");
         NativeUsersStore usersStore = mock(NativeUsersStore.class);
         TransportDeleteUserAction action = new TransportDeleteUserAction(Settings.EMPTY, mock(ThreadPool.class),
@@ -180,7 +180,7 @@ public class TransportDeleteUserActionTests extends ESTestCase {
                 Object[] args = invocation.getArguments();
                 assert args.length == 2;
                 ActionListener<Boolean> listener = (ActionListener<Boolean>) args[1];
-                listener.onFailure(t);
+                listener.onFailure(e);
                 return null;
             }
         }).when(usersStore).deleteUser(eq(request), any(ActionListener.class));
@@ -194,14 +194,14 @@ public class TransportDeleteUserActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
 
         assertThat(responseRef.get(), is(nullValue()));
         assertThat(throwableRef.get(), is(notNullValue()));
-        assertThat(throwableRef.get(), sameInstance(t));
+        assertThat(throwableRef.get(), sameInstance(e));
         verify(usersStore, times(1)).deleteUser(eq(request), any(ActionListener.class));
     }
 }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportGetUsersActionTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportGetUsersActionTests.java
index 4d8e0e32c37..c5573602968 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportGetUsersActionTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportGetUsersActionTests.java
@@ -84,7 +84,7 @@ public class TransportGetUsersActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -116,7 +116,7 @@ public class TransportGetUsersActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -147,7 +147,7 @@ public class TransportGetUsersActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -185,7 +185,7 @@ public class TransportGetUsersActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -242,7 +242,7 @@ public class TransportGetUsersActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -261,7 +261,7 @@ public class TransportGetUsersActionTests extends ESTestCase {
     }
 
     public void testException() {
-        final Throwable t = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException(), new ValidationException());
+        final Exception e = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException(), new ValidationException());
         final List<User> storeUsers =
                 randomFrom(Collections.singletonList(new User("joe")), Arrays.asList(new User("jane"), new User("fred")), randomUsers());
         final String[] storeUsernames = storeUsers.stream().map(User::principal).collect(Collectors.toList()).toArray(Strings.EMPTY_ARRAY);
@@ -277,7 +277,7 @@ public class TransportGetUsersActionTests extends ESTestCase {
                     Object[] args = invocation.getArguments();
                     assert args.length == 2;
                     ActionListener<List<User>> listener = (ActionListener<List<User>>) args[1];
-                    listener.onFailure(t);
+                    listener.onFailure(e);
                     return null;
                 }
             }).when(usersStore).getUsers(aryEq(storeUsernames), any(ActionListener.class));
@@ -288,7 +288,7 @@ public class TransportGetUsersActionTests extends ESTestCase {
                     Object[] args = invocation.getArguments();
                     assert args.length == 2;
                     ActionListener<User> listener = (ActionListener<User>) args[1];
-                    listener.onFailure(t);
+                    listener.onFailure(e);
                     return null;
                 }
             }).when(usersStore).getUser(eq(storeUsernames[0]), any(ActionListener.class));
@@ -303,13 +303,13 @@ public class TransportGetUsersActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
 
         assertThat(throwableRef.get(), is(notNullValue()));
-        assertThat(throwableRef.get(), is(sameInstance(t)));
+        assertThat(throwableRef.get(), is(sameInstance(e)));
         assertThat(responseRef.get(), is(nullValue()));
         if (request.usernames().length == 1) {
             verify(usersStore, times(1)).getUser(eq(request.usernames()[0]), any(ActionListener.class));
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java
index a99e0f9da00..52b7a2e247f 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportPutUserActionTests.java
@@ -67,7 +67,7 @@ public class TransportPutUserActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -95,7 +95,7 @@ public class TransportPutUserActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -124,7 +124,7 @@ public class TransportPutUserActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -167,7 +167,7 @@ public class TransportPutUserActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
@@ -179,7 +179,7 @@ public class TransportPutUserActionTests extends ESTestCase {
     }
 
     public void testException() {
-        final Throwable t = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException(), new ValidationException());
+        final Exception e = randomFrom(new ElasticsearchSecurityException(""), new IllegalStateException(), new ValidationException());
         final User user = new User("joe");
         NativeUsersStore usersStore = mock(NativeUsersStore.class);
         TransportPutUserAction action = new TransportPutUserAction(Settings.EMPTY, mock(ThreadPool.class),
@@ -192,7 +192,7 @@ public class TransportPutUserActionTests extends ESTestCase {
                 Object[] args = invocation.getArguments();
                 assert args.length == 2;
                 ActionListener<Boolean> listener = (ActionListener<Boolean>) args[1];
-                listener.onFailure(t);
+                listener.onFailure(e);
                 return null;
             }
         }).when(usersStore).putUser(eq(request), any(ActionListener.class));
@@ -206,14 +206,14 @@ public class TransportPutUserActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 throwableRef.set(e);
             }
         });
 
         assertThat(responseRef.get(), is(nullValue()));
         assertThat(throwableRef.get(), is(notNullValue()));
-        assertThat(throwableRef.get(), sameInstance(t));
+        assertThat(throwableRef.get(), sameInstance(e));
         verify(usersStore, times(1)).putUser(eq(request), any(ActionListener.class));
     }
 }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailModuleTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailModuleTests.java
index 9072197572d..660304b31b7 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailModuleTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailModuleTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.xpack.security.audit;
 
-import org.elasticsearch.Version;
 import org.elasticsearch.common.inject.Guice;
 import org.elasticsearch.common.inject.Injector;
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
@@ -15,20 +14,17 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.indices.breaker.CircuitBreakerService;
 import org.elasticsearch.node.Node;
-import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.local.LocalTransport;
+import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
 
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
 
-/**
- *
- */
 public class AuditTrailModuleTests extends ESTestCase {
     public void testEnabled() throws Exception {
         Settings settings = Settings.builder()
@@ -93,7 +89,7 @@ public class AuditTrailModuleTests extends ESTestCase {
         try {
             Guice.createInjector(settingsModule, new AuditTrailModule(settings));
             fail("Expect initialization to fail when an unknown audit trail output is configured");
-        } catch (Throwable t) {
+        } catch (Exception e) {
             // expected
         }
     }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailMutedTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailMutedTests.java
index 1aca5c15fb8..587ce8141ac 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailMutedTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailMutedTests.java
@@ -17,20 +17,20 @@ import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.inject.util.Providers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.BoundTransportAddress;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.rest.RestRequest;
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
+import org.elasticsearch.threadpool.ThreadPool;
+import org.elasticsearch.transport.Transport;
+import org.elasticsearch.transport.TransportMessage;
 import org.elasticsearch.xpack.security.InternalClient;
 import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail.State;
 import org.elasticsearch.xpack.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
 import org.elasticsearch.xpack.security.user.SystemUser;
 import org.elasticsearch.xpack.security.user.User;
-import org.elasticsearch.test.ESTestCase;
-import org.elasticsearch.threadpool.TestThreadPool;
-import org.elasticsearch.threadpool.ThreadPool;
-import org.elasticsearch.transport.Transport;
-import org.elasticsearch.transport.TransportMessage;
 import org.junit.After;
 import org.junit.Before;
 
@@ -58,8 +58,8 @@ public class IndexAuditTrailMutedTests extends ESTestCase {
     @Before
     public void setup() {
         transport = mock(Transport.class);
-        when(transport.boundAddress()).thenReturn(new BoundTransportAddress(new TransportAddress[] { DummyTransportAddress.INSTANCE },
-                        DummyTransportAddress.INSTANCE));
+        when(transport.boundAddress()).thenReturn(new BoundTransportAddress(new TransportAddress[] { LocalTransportAddress.buildUnique() },
+                        LocalTransportAddress.buildUnique()));
 
         threadPool = new TestThreadPool("index audit trail tests");
         transportClient = TransportClient.builder().settings(Settings.EMPTY).build();
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java
index 67828e8b0c9..4dadbd0cdf8 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java
@@ -21,21 +21,11 @@ import org.elasticsearch.common.inject.util.Providers;
 import org.elasticsearch.common.network.NetworkAddress;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.BoundTransportAddress;
-import org.elasticsearch.common.transport.DummyTransportAddress;
 import org.elasticsearch.common.transport.InetSocketTransportAddress;
 import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.search.SearchHit;
-import org.elasticsearch.xpack.security.Security;
-import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail.Message;
-import org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport;
-import org.elasticsearch.xpack.security.user.SystemUser;
-import org.elasticsearch.xpack.security.user.User;
-import org.elasticsearch.xpack.security.authc.AuthenticationToken;
-import org.elasticsearch.xpack.security.crypto.InternalCryptoService;
-import org.elasticsearch.xpack.security.transport.filter.IPFilter;
-import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
 import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.test.InternalTestCluster;
 import org.elasticsearch.test.SecurityIntegTestCase;
@@ -46,6 +36,15 @@ import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.TransportInfo;
 import org.elasticsearch.transport.TransportMessage;
 import org.elasticsearch.transport.TransportRequest;
+import org.elasticsearch.xpack.security.Security;
+import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail.Message;
+import org.elasticsearch.xpack.security.authc.AuthenticationToken;
+import org.elasticsearch.xpack.security.crypto.InternalCryptoService;
+import org.elasticsearch.xpack.security.transport.filter.IPFilter;
+import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
+import org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport;
+import org.elasticsearch.xpack.security.user.SystemUser;
+import org.elasticsearch.xpack.security.user.User;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 import org.joda.time.format.ISODateTimeFormat;
@@ -64,12 +63,12 @@ import java.util.Map;
 import java.util.Set;
 import java.util.function.Function;
 
+import static org.elasticsearch.test.ESIntegTestCase.Scope.SUITE;
+import static org.elasticsearch.test.InternalTestCluster.clusterName;
 import static org.elasticsearch.xpack.security.audit.index.IndexNameResolver.Rollover.DAILY;
 import static org.elasticsearch.xpack.security.audit.index.IndexNameResolver.Rollover.HOURLY;
 import static org.elasticsearch.xpack.security.audit.index.IndexNameResolver.Rollover.MONTHLY;
 import static org.elasticsearch.xpack.security.audit.index.IndexNameResolver.Rollover.WEEKLY;
-import static org.elasticsearch.test.ESIntegTestCase.Scope.SUITE;
-import static org.elasticsearch.test.InternalTestCluster.clusterName;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
@@ -255,8 +254,8 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         Settings settings = builder.put(settings(rollover, includes, excludes)).build();
         logger.info("--> settings: [{}]", settings.getAsMap().toString());
         Transport transport = mock(Transport.class);
-        BoundTransportAddress boundTransportAddress = new BoundTransportAddress(new TransportAddress[]{DummyTransportAddress.INSTANCE},
-                DummyTransportAddress.INSTANCE);
+        BoundTransportAddress boundTransportAddress = new BoundTransportAddress(new TransportAddress[]{ remoteHostAddress()},
+                remoteHostAddress());
         when(transport.boundAddress()).thenReturn(boundTransportAddress);
         threadPool = new TestThreadPool("index audit trail tests");
         enqueuedMessage = new SetOnce<>();
@@ -279,7 +278,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         assertAuditMessage(hit, "transport", "anonymous_access_denied");
         Map<String, Object> sourceMap = hit.sourceAsMap();
         if (message instanceof RemoteHostMockMessage) {
-            assertEquals(remoteHostAddress(), sourceMap.get("origin_address"));
+            assertEquals(remoteHostAddress().toString(), sourceMap.get("origin_address"));
         } else {
             assertEquals("local[local_host]", sourceMap.get("origin_address"));
         }
@@ -316,7 +315,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         assertAuditMessage(hit, "transport", "authentication_failed");
 
         if (message instanceof RemoteHostMockMessage) {
-            assertEquals(remoteHostAddress(), sourceMap.get("origin_address"));
+            assertEquals(remoteHostAddress().toString(), sourceMap.get("origin_address"));
         } else {
             assertEquals("local[local_host]", sourceMap.get("origin_address"));
         }
@@ -336,7 +335,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         assertAuditMessage(hit, "transport", "authentication_failed");
         Map<String, Object> sourceMap = hit.sourceAsMap();
         if (message instanceof RemoteHostMockMessage) {
-            assertEquals(remoteHostAddress(), sourceMap.get("origin_address"));
+            assertEquals(remoteHostAddress().toString(), sourceMap.get("origin_address"));
         } else {
             assertEquals("local[local_host]", sourceMap.get("origin_address"));
         }
@@ -391,7 +390,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         Map<String, Object> sourceMap = hit.sourceAsMap();
 
         if (message instanceof RemoteHostMockMessage) {
-            assertEquals(remoteHostAddress(), sourceMap.get("origin_address"));
+            assertEquals(remoteHostAddress().toString(), sourceMap.get("origin_address"));
         } else {
             assertEquals("local[local_host]", sourceMap.get("origin_address"));
         }
@@ -621,8 +620,8 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         DateTime dateTime = ISODateTimeFormat.dateTimeParser().withZoneUTC().parseDateTime((String) sourceMap.get("@timestamp"));
         assertThat(dateTime.isBefore(DateTime.now(DateTimeZone.UTC)), is(true));
 
-        assertThat(DummyTransportAddress.INSTANCE.getHost(), equalTo(sourceMap.get("node_host_name")));
-        assertThat(DummyTransportAddress.INSTANCE.getAddress(), equalTo(sourceMap.get("node_host_address")));
+        assertThat(remoteHostAddress().getHost(), equalTo(sourceMap.get("node_host_name")));
+        assertThat(remoteHostAddress().getAddress(), equalTo(sourceMap.get("node_host_address")));
 
         assertEquals(layer, sourceMap.get("layer"));
         assertEquals(type, sourceMap.get("event_type"));
@@ -636,13 +635,13 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
 
     private static class RemoteHostMockMessage extends TransportMessage {
         RemoteHostMockMessage() throws Exception {
-            remoteAddress(DummyTransportAddress.INSTANCE);
+            remoteAddress(remoteHostAddress());
         }
     }
 
     private static class RemoteHostMockTransportRequest extends TransportRequest {
         RemoteHostMockTransportRequest() throws Exception {
-            remoteAddress(DummyTransportAddress.INSTANCE);
+            remoteAddress(remoteHostAddress());
         }
     }
 
@@ -738,8 +737,8 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         return actionGet.getStatus();
     }
 
-    static String remoteHostAddress() throws Exception {
-        return DummyTransportAddress.INSTANCE.toString();
+    private static LocalTransportAddress remoteHostAddress() {
+        return new LocalTransportAddress("_remote_host_");
     }
 }
 
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailUpdateMappingTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailUpdateMappingTests.java
index b79738ed81e..b6e4c6cfb51 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailUpdateMappingTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailUpdateMappingTests.java
@@ -10,7 +10,7 @@ import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.inject.util.Providers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.BoundTransportAddress;
-import org.elasticsearch.common.transport.DummyTransportAddress;
+import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.test.SecurityIntegTestCase;
 import org.elasticsearch.test.rest.FakeRestRequest;
@@ -49,8 +49,8 @@ public class IndexAuditTrailUpdateMappingTests extends SecurityIntegTestCase {
         Settings settings = Settings.builder().put("xpack.security.audit.index.rollover", rollover.name().toLowerCase(Locale.ENGLISH))
                 .put("path.home", createTempDir()).build();
         Transport transport = mock(Transport.class);
-        when(transport.boundAddress()).thenReturn(new BoundTransportAddress(new TransportAddress[] { DummyTransportAddress.INSTANCE },
-                DummyTransportAddress.INSTANCE));
+        when(transport.boundAddress()).thenReturn(new BoundTransportAddress(new TransportAddress[] { LocalTransportAddress.buildUnique() },
+                LocalTransportAddress.buildUnique()));
         auditor = new IndexAuditTrail(settings, transport, Providers.of(internalClient()), threadPool,
                 mock(ClusterService.class));
 
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
index 361e7099268..11104ff64d5 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
@@ -13,22 +13,21 @@ import org.elasticsearch.common.component.Lifecycle;
 import org.elasticsearch.common.network.NetworkAddress;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.BoundTransportAddress;
-import org.elasticsearch.common.transport.DummyTransportAddress;
 import org.elasticsearch.common.transport.InetSocketTransportAddress;
 import org.elasticsearch.common.transport.LocalTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.rest.RestRequest;
-import org.elasticsearch.xpack.security.user.SystemUser;
-import org.elasticsearch.xpack.security.user.User;
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.transport.Transport;
+import org.elasticsearch.transport.TransportMessage;
 import org.elasticsearch.xpack.security.audit.logfile.CapturingLogger.Level;
 import org.elasticsearch.xpack.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.security.rest.RemoteHostHeader;
 import org.elasticsearch.xpack.security.transport.filter.IPFilter;
 import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
-import org.elasticsearch.test.ESTestCase;
-import org.elasticsearch.transport.Transport;
-import org.elasticsearch.transport.TransportMessage;
+import org.elasticsearch.xpack.security.user.SystemUser;
+import org.elasticsearch.xpack.security.user.User;
 import org.junit.Before;
 
 import java.io.IOException;
@@ -115,8 +114,8 @@ public class LoggingAuditTrailTests extends ESTestCase {
                 .build();
         transport = mock(Transport.class);
         when(transport.lifecycleState()).thenReturn(Lifecycle.State.STARTED);
-        when(transport.boundAddress()).thenReturn(new BoundTransportAddress(new TransportAddress[] { DummyTransportAddress.INSTANCE },
-                DummyTransportAddress.INSTANCE));
+        when(transport.boundAddress()).thenReturn(new BoundTransportAddress(new TransportAddress[] { LocalTransportAddress.buildUnique() },
+                LocalTransportAddress.buildUnique()));
         prefix = LoggingAuditTrail.resolvePrefix(settings, transport);
     }
 
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
index dfba016d5ef..87045187270 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java
@@ -3,24 +3,16 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.xpack.securit.authc.esnative;
+package org.elasticsearch.xpack.security.authc.esnative;
 
 import com.google.common.base.Charsets;
 import joptsimple.OptionParser;
 import joptsimple.OptionSet;
-import org.apache.lucene.util.CollectionUtil;
-import org.elasticsearch.ElasticsearchSecurityException;
-import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
-import org.elasticsearch.action.admin.indices.stats.IndicesStatsResponse;
-import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.cli.MockTerminal;
-import org.elasticsearch.common.Strings;
-import org.elasticsearch.common.ValidationException;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
-import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.test.NativeRealmIntegTestCase;
 import org.elasticsearch.test.SecuritySettingsSource;
 import org.elasticsearch.xpack.security.SecurityTemplateService;
@@ -29,16 +21,10 @@ import org.elasticsearch.xpack.security.client.SecurityClient;
 import org.elasticsearch.xpack.security.transport.netty.SecurityNettyHttpServerTransport;
 import org.junit.BeforeClass;
 
-import java.util.ArrayList;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;
 
-import static org.hamcrest.Matchers.arrayContaining;
-import static org.hamcrest.Matchers.containsInAnyOrder;
-import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.notNullValue;
 
 /**
  * Integration tests for the {@code ESNativeMigrateTool}
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateToolTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateToolTests.java
index 102df819541..2c652d22679 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateToolTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeRealmMigrateToolTests.java
@@ -3,15 +3,13 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.shield.authc.esusers.tool;
+package org.elasticsearch.xpack.security.authc.esnative;
 
 import org.elasticsearch.cli.Command;
 import org.elasticsearch.cli.CommandTestCase;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.xpack.security.authc.esnative.ESNativeRealmMigrateTool;
 import org.elasticsearch.xpack.security.authz.RoleDescriptor;
-import org.junit.Test;
-
 import static org.hamcrest.Matchers.equalTo;
 
 /**
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java
index f4236fd239d..67dd7dcc19a 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java
@@ -18,6 +18,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.xpack.security.SecurityTemplateService;
 import org.elasticsearch.xpack.security.action.role.DeleteRoleResponse;
 import org.elasticsearch.xpack.security.action.role.GetRolesResponse;
+import org.elasticsearch.xpack.security.action.role.PutRoleResponse;
 import org.elasticsearch.xpack.security.action.user.AuthenticateAction;
 import org.elasticsearch.xpack.security.action.user.AuthenticateRequest;
 import org.elasticsearch.xpack.security.action.user.AuthenticateResponse;
@@ -29,6 +30,7 @@ import org.elasticsearch.xpack.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.security.authz.permission.KibanaRole;
 import org.elasticsearch.xpack.security.authz.permission.Role;
 import org.elasticsearch.xpack.security.authz.permission.SuperuserRole;
+import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
 import org.elasticsearch.xpack.security.client.SecurityClient;
 import org.elasticsearch.xpack.security.user.AnonymousUser;
 import org.elasticsearch.xpack.security.user.ElasticUser;
@@ -43,6 +45,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 
 import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
@@ -549,4 +552,47 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase {
                 .admin().cluster().prepareHealth().get();
         assertThat(response.isTimedOut(), is(false));
     }
+
+    public void testRolesUsageStats() throws Exception {
+        NativeRolesStore rolesStore = internalCluster().getInstance(NativeRolesStore.class);
+        Map<String, Object> usage = rolesStore.usageStats();
+        assertThat(usage.get("size"), is(0L));
+        assertThat(usage.get("fls"), is(false));
+        assertThat(usage.get("dls"), is(false));
+
+        long roles = 0;
+        final boolean fls = randomBoolean();
+        final boolean dls = randomBoolean();
+        SecurityClient client = new SecurityClient(client());
+        PutRoleResponse putRoleResponse = client.preparePutRole("admin_role")
+                .cluster("all")
+                .addIndices(new String[]{"*"}, new String[]{"all"}, null, null)
+                .get();
+        assertThat(putRoleResponse.isCreated(), is(true));
+        roles++;
+        if (fls) {
+            PutRoleResponse roleResponse = client.preparePutRole("admin_role_fls")
+                    .cluster("all")
+                    .addIndices(new String[]{"*"}, new String[]{"all"}, new String[] { "foo" }, null)
+                    .get();
+            assertThat(roleResponse.isCreated(), is(true));
+            roles++;
+        }
+
+        if (dls) {
+            PutRoleResponse roleResponse = client.preparePutRole("admin_role_dls")
+                    .cluster("all")
+                    .addIndices(new String[]{"*"}, new String[]{"all"}, null, new BytesArray("{ \"match_all\": {} }"))
+                    .get();
+            assertThat(roleResponse.isCreated(), is(true));
+            roles++;
+        }
+
+        client.prepareClearRolesCache().get();
+
+        usage = rolesStore.usageStats();
+        assertThat(usage.get("size"), is(roles));
+        assertThat(usage.get("fls"), is(fls));
+        assertThat(usage.get("dls"), is(dls));
+    }
 }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java
index 43826371603..67285e81451 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserRolesStoreTests.java
@@ -49,9 +49,6 @@ import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 
-/**
- *
- */
 public class FileUserRolesStoreTests extends ESTestCase {
     private Settings settings;
     private Environment env;
@@ -217,8 +214,8 @@ public class FileUserRolesStoreTests extends ESTestCase {
         try {
             FileUserRolesStore.parseFile(file, logger);
             fail("expected a parse failure");
-        } catch (Throwable t) {
-            this.logger.info("expected", t);
+        } catch (Exception e) {
+            this.logger.info("expected", e);
         }
     }
 
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/file/tool/UsersToolTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/file/tool/UsersToolTests.java
index 6271c75180e..1ba3dd7c220 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/file/tool/UsersToolTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/file/tool/UsersToolTests.java
@@ -11,7 +11,7 @@ import org.apache.lucene.util.IOUtils;
 import org.elasticsearch.cli.Command;
 import org.elasticsearch.cli.CommandTestCase;
 import org.elasticsearch.cli.ExitCodes;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.io.PathUtilsForTesting;
 import org.elasticsearch.common.settings.Settings;
@@ -174,7 +174,7 @@ public class UsersToolTests extends CommandTestCase {
     }
 
     public void testParseInvalidUsername() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             UsersTool.parseUsername(Collections.singletonList("$34dkl"));
         });
         assertEquals(ExitCodes.DATA_ERROR, e.exitCode);
@@ -182,7 +182,7 @@ public class UsersToolTests extends CommandTestCase {
     }
 
     public void testParseUsernameMissing() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
            UsersTool.parseUsername(Collections.emptyList());
         });
         assertEquals(ExitCodes.USAGE, e.exitCode);
@@ -190,7 +190,7 @@ public class UsersToolTests extends CommandTestCase {
     }
 
     public void testParseUsernameExtraArgs() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             UsersTool.parseUsername(Arrays.asList("username", "extra"));
         });
         assertEquals(ExitCodes.USAGE, e.exitCode);
@@ -198,7 +198,7 @@ public class UsersToolTests extends CommandTestCase {
     }
 
     public void testParseInvalidPasswordOption() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             UsersTool.parsePassword(terminal, "123");
         });
         assertEquals(ExitCodes.DATA_ERROR, e.exitCode);
@@ -207,7 +207,7 @@ public class UsersToolTests extends CommandTestCase {
 
     public void testParseInvalidPasswordInput() throws Exception {
         terminal.addSecretInput("123");
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             UsersTool.parsePassword(terminal, null);
         });
         assertEquals(ExitCodes.DATA_ERROR, e.exitCode);
@@ -217,7 +217,7 @@ public class UsersToolTests extends CommandTestCase {
     public void testParseMismatchPasswordInput() throws Exception {
         terminal.addSecretInput("password1");
         terminal.addSecretInput("password2");
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             UsersTool.parsePassword(terminal, null);
         });
         assertEquals(ExitCodes.DATA_ERROR, e.exitCode);
@@ -239,7 +239,7 @@ public class UsersToolTests extends CommandTestCase {
     }
 
     public void testParseInvalidRole() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             UsersTool.parseRoles(terminal, new Environment(settings), "$345");
         });
         assertEquals(ExitCodes.DATA_ERROR, e.exitCode);
@@ -266,7 +266,7 @@ public class UsersToolTests extends CommandTestCase {
     }
 
     public void testUseraddUserExists() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("useradd", pathHomeParameter, fileTypeParameter, "existing_user", "-p", "changeme");
         });
         assertEquals(ExitCodes.CODE_ERROR, e.exitCode);
@@ -282,7 +282,7 @@ public class UsersToolTests extends CommandTestCase {
     }
 
     public void testUserdelUnknownUser() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("userdel", pathHomeParameter, fileTypeParameter, "unknown");
         });
         assertEquals(ExitCodes.NO_USER, e.exitCode);
@@ -295,7 +295,7 @@ public class UsersToolTests extends CommandTestCase {
     }
 
     public void testPasswdUnknownUser() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("passwd", pathHomeParameter, fileTypeParameter, "unknown", "-p", "changeme");
         });
         assertEquals(ExitCodes.NO_USER, e.exitCode);
@@ -317,7 +317,7 @@ public class UsersToolTests extends CommandTestCase {
     }
 
     public void testRolesUnknownUser() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("roles", pathHomeParameter, fileTypeParameter, "unknown");
         });
         assertEquals(ExitCodes.NO_USER, e.exitCode);
@@ -354,7 +354,7 @@ public class UsersToolTests extends CommandTestCase {
     }
 
     public void testListUnknownUser() throws Exception {
-        UserError e = expectThrows(UserError.class, () -> {
+        UserException e = expectThrows(UserException.class, () -> {
             execute("list", pathHomeParameter, fileTypeParameter, "unknown");
         });
         assertEquals(ExitCodes.NO_USER, e.exitCode);
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java
index e745513984f..f4550255b1a 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapSessionFactoryTests.java
@@ -56,9 +56,9 @@ public class LdapSessionFactoryTests extends LdapTestCase {
         ldapServer.setProcessingDelayMillis(500L);
         try (LdapSession session = sessionFactory.session(user, userPass)) {
             fail("expected connection timeout error here");
-        } catch (Throwable t) {
-            assertThat(t, instanceOf(ElasticsearchSecurityException.class));
-            assertThat(t.getCause().getMessage(), containsString("A client-side timeout was encountered while waiting "));
+        } catch (Exception e) {
+            assertThat(e, instanceOf(ElasticsearchSecurityException.class));
+            assertThat(e.getCause().getMessage(), containsString("A client-side timeout was encountered while waiting "));
         } finally {
             ldapServer.setProcessingDelayMillis(0L);
         }
@@ -85,11 +85,11 @@ public class LdapSessionFactoryTests extends LdapTestCase {
         long start = System.currentTimeMillis();
         try (LdapSession session = sessionFactory.session(user, userPass)) {
             fail("expected connection timeout error here");
-        } catch (Throwable t) {
+        } catch (Exception e) {
             long time = System.currentTimeMillis() - start;
             assertThat(time, lessThan(10000L));
-            assertThat(t, instanceOf(IOException.class));
-            assertThat(t.getCause().getCause().getMessage(), containsString("within the configured timeout of"));
+            assertThat(e, instanceOf(IOException.class));
+            assertThat(e.getCause().getCause().getMessage(), containsString("within the configured timeout of"));
         }
     }
 
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
index 4df6f1a8566..2bde556a536 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
@@ -46,6 +46,7 @@ import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
 import static org.hamcrest.Matchers.startsWith;
+import static org.mockito.Mockito.mock;
 
 /**
  *
@@ -364,4 +365,29 @@ public class FileRolesStoreTests extends ESTestCase {
         assertThat(messages.get(2).text, containsString("role [kibana] is reserved"));
         assertThat(messages.get(3).text, containsString("role [transport_client] is reserved"));
     }
+
+    public void testUsageStats() throws Exception {
+        Path roles = getDataPath("roles.yml");
+        Path tmp = createTempFile();
+        try (OutputStream stream = Files.newOutputStream(tmp)) {
+            Files.copy(roles, stream);
+        }
+
+        final boolean flsDlsEnabled = randomBoolean();
+        Settings settings = Settings.builder()
+                .put("resource.reload.interval.high", "500ms")
+                .put(FileRolesStore.ROLES_FILE_SETTING.getKey(), tmp.toAbsolutePath())
+                .put("path.home", createTempDir())
+                .put(XPackPlugin.featureEnabledSetting(Security.DLS_FLS_FEATURE), flsDlsEnabled)
+                .build();
+        Environment env = new Environment(settings);
+        FileRolesStore store = new FileRolesStore(settings, env, mock(ResourceWatcherService.class));
+        store.start();
+
+        Map<String, Object> usageStats = store.usageStats();
+
+        assertThat(usageStats.get("size"), is(flsDlsEnabled ? 9 : 6));
+        assertThat(usageStats.get("fls"), is(flsDlsEnabled));
+        assertThat(usageStats.get("dls"), is(flsDlsEnabled));
+    }
 }
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/support/SelfReschedulingRunnableTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/support/SelfReschedulingRunnableTests.java
index b81b879e09f..c871da38ea8 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/support/SelfReschedulingRunnableTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/support/SelfReschedulingRunnableTests.java
@@ -55,7 +55,7 @@ public class SelfReschedulingRunnableTests extends ESTestCase {
         final ThreadPool threadPool = mock(ThreadPool.class);
         final AbstractRunnable runnable = new AbstractRunnable() {
             @Override
-            public void onFailure(Throwable throwable) {
+            public void onFailure(Exception throwable) {
             }
 
             @Override
@@ -88,7 +88,7 @@ public class SelfReschedulingRunnableTests extends ESTestCase {
         final CountDownLatch pauseLatch = new CountDownLatch(1);
         final AbstractRunnable runnable = new AbstractRunnable() {
             @Override
-            public void onFailure(Throwable throwable) {
+            public void onFailure(Exception throwable) {
             }
 
             @Override
@@ -195,7 +195,7 @@ public class SelfReschedulingRunnableTests extends ESTestCase {
         final AtomicInteger runCounter = new AtomicInteger(0);
         final AbstractRunnable runnable = new AbstractRunnable() {
             @Override
-            public void onFailure(Throwable throwable) {
+            public void onFailure(Exception throwable) {
                 failureCounter.incrementAndGet();
             }
 
@@ -238,7 +238,7 @@ public class SelfReschedulingRunnableTests extends ESTestCase {
         final CountDownLatch stopCalledLatch = new CountDownLatch(1);
         final AbstractRunnable runnable = new AbstractRunnable() {
             @Override
-            public void onFailure(Throwable throwable) {
+            public void onFailure(Exception throwable) {
                 throw new IllegalStateException("we should never be in this method!");
             }
 
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/transport/netty/HandshakeWaitingHandlerTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/transport/netty/HandshakeWaitingHandlerTests.java
index f54934556d9..e848eb44f3d 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/transport/netty/HandshakeWaitingHandlerTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/transport/netty/HandshakeWaitingHandlerTests.java
@@ -192,13 +192,13 @@ public class HandshakeWaitingHandlerTests extends ESTestCase {
             try {
                 serverBootstrap.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), randomPort));
                 break;
-            } catch (Throwable t) {
-                if (t.getCause() instanceof BindException) {
+            } catch (Exception e) {
+                if (e.getCause() instanceof BindException) {
                     logger.error("Tried to bind to port [{}], going to retry", randomPort);
                     randomPort = randomIntBetween(49000, 65500);
                 }
                 if (tries >= maxTries) {
-                    throw new RuntimeException("Failed to start server bootstrap [" + tries + "] times, stopping", t);
+                    throw new RuntimeException("Failed to start server bootstrap [" + tries + "] times, stopping", e);
                 }
                 tries++;
             }
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java
index df5b59167ea..79249d00a69 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java
@@ -13,7 +13,7 @@ import org.elasticsearch.bootstrap.JarHell;
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.SettingCommand;
 import org.elasticsearch.cli.Terminal;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.io.FileSystemUtils;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
@@ -83,7 +83,7 @@ final class InstallXPackExtensionCommand extends SettingCommand {
         // TODO: in jopt-simple 5.0 we can enforce a min/max number of positional args
         List<String> args = arguments.values(options);
         if (args.size() != 1) {
-            throw new UserError(ExitCodes.USAGE, "Must supply a single extension id argument");
+            throw new UserException(ExitCodes.USAGE, "Must supply a single extension id argument");
         }
         String extensionURL = args.get(0);
         boolean isBatch = options.has(batchOption) || System.console() == null;
@@ -116,7 +116,7 @@ final class InstallXPackExtensionCommand extends SettingCommand {
         return zip;
     }
 
-    private Path unzip(Path zip, Path extensionDir) throws IOException, UserError {
+    private Path unzip(Path zip, Path extensionDir) throws IOException, UserException {
         // unzip extension to a staging temp dir
         Path target = Files.createTempDirectory(extensionDir, ".installing-");
         Files.createDirectories(target);
@@ -195,7 +195,7 @@ final class InstallXPackExtensionCommand extends SettingCommand {
             XPackExtensionInfo info = verify(terminal, tmpRoot, env, isBatch);
             final Path destination = resolveXPackExtensionsFile(env).resolve(info.getName());
             if (Files.exists(destination)) {
-                throw new UserError(ExitCodes.USAGE,
+                throw new UserException(ExitCodes.USAGE,
                         "extension directory " + destination.toAbsolutePath() +
                                 " already exists. To update the extension, uninstall it first using 'remove " +
                                 info.getName() + "' command");
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/RemoveXPackExtensionCommand.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/RemoveXPackExtensionCommand.java
index 1da0e61f863..593ca21b507 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/RemoveXPackExtensionCommand.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/RemoveXPackExtensionCommand.java
@@ -11,7 +11,7 @@ import org.apache.lucene.util.IOUtils;
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.SettingCommand;
 import org.elasticsearch.cli.Terminal;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
@@ -44,7 +44,7 @@ class RemoveXPackExtensionCommand  extends SettingCommand {
         // TODO: in jopt-simple 5.0 we can enforce a min/max number of positional args
         List<String> args = arguments.values(options);
         if (args.size() != 1) {
-            throw new UserError(ExitCodes.USAGE, "Must supply a single extension id argument");
+            throw new UserException(ExitCodes.USAGE, "Must supply a single extension id argument");
         }
         execute(terminal, args.get(0), settings);
     }
@@ -56,7 +56,7 @@ class RemoveXPackExtensionCommand  extends SettingCommand {
         Environment env = InternalSettingsPreparer.prepareEnvironment(Settings.EMPTY, terminal, settings);
         Path extensionDir = resolveXPackExtensionsFile(env).resolve(extensionName);
         if (Files.exists(extensionDir) == false) {
-            throw new UserError(ExitCodes.USAGE,
+            throw new UserException(ExitCodes.USAGE,
                     "Extension " + extensionName + " not found. Run 'bin/x-pack/extension list' to get list of installed extensions.");
         }
 
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionsService.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionsService.java
index 922b86e47de..4c9d903f1de 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionsService.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionsService.java
@@ -28,9 +28,6 @@ import java.util.Arrays;
 
 import static org.elasticsearch.common.io.FileSystemUtils.isAccessibleDirectory;
 
-/**
- *
- */
 public class XPackExtensionsService {
     private final Settings settings;
 
@@ -186,7 +183,7 @@ public class XPackExtensionsService {
                             "Settings instance");
                 }
             }
-        } catch (Throwable e) {
+        } catch (Exception e) {
             throw new ElasticsearchException("Failed to load extension class [" + extClass.getName() + "]", e);
         }
     }
diff --git a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/action/TransportXPackInfoActionTests.java b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/action/TransportXPackInfoActionTests.java
index 77318043924..fc3b5faf986 100644
--- a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/action/TransportXPackInfoActionTests.java
+++ b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/action/TransportXPackInfoActionTests.java
@@ -105,7 +105,7 @@ public class TransportXPackInfoActionTests extends ESTestCase {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 error.set(e);
                 latch.countDown();
             }
diff --git a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java
index 04dd9951239..2491a2601ab 100644
--- a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java
+++ b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java
@@ -8,7 +8,7 @@ package org.elasticsearch.xpack.extensions;
 import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.Version;
 import org.elasticsearch.cli.MockTerminal;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
@@ -162,7 +162,7 @@ public class InstallXPackExtensionCommandTests extends ESTestCase {
     public void testExistingExtension() throws Exception {
         String extZip = createExtension("fake", createTempDir());
         installExtension(extZip, home);
-        UserError e = expectThrows(UserError.class, () -> installExtension(extZip, home));
+        UserException e = expectThrows(UserException.class, () -> installExtension(extZip, home));
         assertTrue(e.getMessage(), e.getMessage().contains("already exists"));
         assertInstallCleaned(env);
     }
diff --git a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/RemoveXPackExtensionCommandTests.java b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/RemoveXPackExtensionCommandTests.java
index fda0b00f3e3..06d4d313274 100644
--- a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/RemoveXPackExtensionCommandTests.java
+++ b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/RemoveXPackExtensionCommandTests.java
@@ -7,7 +7,7 @@ package org.elasticsearch.xpack.extensions;
 
 import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.cli.MockTerminal;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
@@ -58,7 +58,7 @@ public class RemoveXPackExtensionCommandTests extends ESTestCase {
 
     public void testMissing() throws Exception {
         Path extDir = createExtensionDir(env);
-        UserError e = expectThrows(UserError.class, () -> removeExtension("dne", home));
+        UserException e = expectThrows(UserException.class, () -> removeExtension("dne", home));
         assertTrue(e.getMessage(), e.getMessage().contains("Extension dne not found"));
         assertRemoveCleaned(extDir);
     }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/WatcherLifeCycleService.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/WatcherLifeCycleService.java
index 5c96c3a3daa..2b3576c27a6 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/WatcherLifeCycleService.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/WatcherLifeCycleService.java
@@ -166,7 +166,7 @@ public class WatcherLifeCycleService extends AbstractComponent implements Cluste
             }
 
             @Override
-            public void onFailure(Throwable throwable) {
+            public void onFailure(Exception throwable) {
                 logger.warn("updating manually stopped isn't acked", throwable);
                 latch.countDown();
             }
@@ -199,7 +199,7 @@ public class WatcherLifeCycleService extends AbstractComponent implements Cluste
             }
 
             @Override
-            public void onFailure(String source, Throwable throwable) {
+            public void onFailure(String source, Exception throwable) {
                 latch.countDown();
                 logger.warn("couldn't update watcher metadata [{}]", throwable, source);
             }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/Condition.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/Condition.java
index ff65136b176..7134c65ee22 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/Condition.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/Condition.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.xpack.watcher.condition;
 
-import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.common.ParseField;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
@@ -38,13 +37,6 @@ public interface Condition extends ToXContent {
             this.reason = null;
         }
 
-        protected Result(String type, Exception e) {
-            this.status = Status.FAILURE;
-            this.type = type;
-            this.met = false;
-            this.reason = ExceptionsHelper.detailedMessage(e);
-        }
-
         public String type() {
             return type;
         }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/AbstractExecutableCompareCondition.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/AbstractExecutableCompareCondition.java
index 6cf82fc55bf..568320852be 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/AbstractExecutableCompareCondition.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/AbstractExecutableCompareCondition.java
@@ -36,16 +36,8 @@ public abstract class AbstractExecutableCompareCondition<C extends Condition, R
     @Override
     public R execute(WatchExecutionContext ctx) {
         Map<String, Object> resolvedValues = new HashMap<>();
-        try {
-            Map<String, Object> model = Variables.createCtxModel(ctx, ctx.payload());
-            return doExecute(model, resolvedValues);
-        } catch (Exception e) {
-            logger.error("failed to execute [{}] condition for [{}]", e, type(), ctx.id());
-            if (resolvedValues.isEmpty()) {
-                resolvedValues = null;
-            }
-            return doFailure(resolvedValues, e);
-        }
+        Map<String, Object> model = Variables.createCtxModel(ctx, ctx.payload());
+        return doExecute(model, resolvedValues);
     }
 
     protected Object resolveConfiguredValue(Map<String, Object> resolvedValues, Map<String, Object> model, Object configuredValue) {
@@ -70,7 +62,5 @@ public abstract class AbstractExecutableCompareCondition<C extends Condition, R
         return configuredValue;
     }
 
-    protected abstract R doExecute(Map<String, Object> model, Map<String, Object> resolvedValues) throws Exception;
-
-    protected abstract R doFailure(Map<String, Object> resolvedValues, Exception e);
+    protected abstract R doExecute(Map<String, Object> model, Map<String, Object> resolvedValues);
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/CompareCondition.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/CompareCondition.java
index 82f5a75942e..1f969a3cd69 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/CompareCondition.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/CompareCondition.java
@@ -138,11 +138,6 @@ public class CompareCondition implements Condition {
             this.resolveValues = resolveValues;
         }
 
-        Result(@Nullable Map<String, Object> resolvedValues, Exception e) {
-            super(TYPE, e);
-            this.resolveValues = resolvedValues;
-        }
-
         public Map<String, Object> getResolveValues() {
             return resolveValues;
         }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/ExecutableCompareCondition.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/ExecutableCompareCondition.java
index 1b41619a455..591a00ab8eb 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/ExecutableCompareCondition.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/ExecutableCompareCondition.java
@@ -21,7 +21,7 @@ public class ExecutableCompareCondition extends AbstractExecutableCompareConditi
     }
 
     @Override
-    protected CompareCondition.Result doExecute(Map<String, Object> model, Map<String, Object> resolvedValues) throws Exception {
+    protected CompareCondition.Result doExecute(Map<String, Object> model, Map<String, Object> resolvedValues) {
         Object configuredValue = resolveConfiguredValue(resolvedValues, model, condition.getValue());
 
         Object resolvedValue = ObjectPath.eval(condition.getPath(), model);
@@ -29,9 +29,4 @@ public class ExecutableCompareCondition extends AbstractExecutableCompareConditi
 
         return new CompareCondition.Result(resolvedValues, condition.getOp().eval(resolvedValue, configuredValue));
     }
-
-    @Override
-    protected CompareCondition.Result doFailure(Map<String, Object> resolvedValues, Exception e) {
-        return new CompareCondition.Result(resolvedValues, e);
-    }
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/array/ArrayCompareCondition.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/array/ArrayCompareCondition.java
index 3216776e676..7ebece922d3 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/array/ArrayCompareCondition.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/array/ArrayCompareCondition.java
@@ -11,9 +11,9 @@ import org.elasticsearch.common.ParseField;
 import org.elasticsearch.common.ParseFieldMatcher;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.xpack.common.xcontent.XContentUtils;
 import org.elasticsearch.xpack.watcher.condition.Condition;
 import org.elasticsearch.xpack.watcher.condition.compare.LenientCompare;
-import org.elasticsearch.xpack.common.xcontent.XContentUtils;
 
 import java.io.IOException;
 import java.util.List;
@@ -209,11 +209,6 @@ public class ArrayCompareCondition implements Condition {
             this.resolvedValues = resolvedValues;
         }
 
-        Result(@Nullable Map<String, Object> resolvedValues, Exception e) {
-            super(TYPE, e);
-            this.resolvedValues = resolvedValues;
-        }
-
         public Map<String, Object> getResolvedValues() {
             return resolvedValues;
         }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/array/ExecutableArrayCompareCondition.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/array/ExecutableArrayCompareCondition.java
index 8ccb960f849..0827acca17d 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/array/ExecutableArrayCompareCondition.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/compare/array/ExecutableArrayCompareCondition.java
@@ -6,8 +6,8 @@
 package org.elasticsearch.xpack.watcher.condition.compare.array;
 
 import org.elasticsearch.common.logging.ESLogger;
-import org.elasticsearch.xpack.watcher.condition.compare.AbstractExecutableCompareCondition;
 import org.elasticsearch.xpack.support.clock.Clock;
+import org.elasticsearch.xpack.watcher.condition.compare.AbstractExecutableCompareCondition;
 import org.elasticsearch.xpack.watcher.support.xcontent.ObjectPath;
 
 import java.util.ArrayList;
@@ -22,8 +22,7 @@ public class ExecutableArrayCompareCondition extends AbstractExecutableCompareCo
         super(condition, logger, clock);
     }
 
-    @SuppressWarnings("unchecked")
-    public ArrayCompareCondition.Result doExecute(Map<String, Object> model, Map<String, Object> resolvedValues) throws Exception {
+    public ArrayCompareCondition.Result doExecute(Map<String, Object> model, Map<String, Object> resolvedValues) {
         Object configuredValue = resolveConfiguredValue(resolvedValues, model, condition.getValue());
 
         Object object = ObjectPath.eval(condition.getArrayPath(), model);
@@ -31,6 +30,7 @@ public class ExecutableArrayCompareCondition extends AbstractExecutableCompareCo
             throw new IllegalStateException("array path " + condition.getArrayPath() + " did not evaluate to array, was " + object);
         }
 
+        @SuppressWarnings("unchecked")
         List<Object> resolvedArray = object != null ? (List<Object>) object : Collections.emptyList();
 
         List<Object> resolvedValue = new ArrayList<>(resolvedArray.size());
@@ -42,9 +42,4 @@ public class ExecutableArrayCompareCondition extends AbstractExecutableCompareCo
         return new ArrayCompareCondition.Result(resolvedValues, condition.getQuantifier().eval(resolvedValue, configuredValue,
                 condition.getOp()));
     }
-
-    @Override
-    protected ArrayCompareCondition.Result doFailure(Map<String, Object> resolvedValues, Exception e) {
-        return new ArrayCompareCondition.Result(resolvedValues, e);
-    }
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/script/ExecutableScriptCondition.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/script/ExecutableScriptCondition.java
index 75f75ebc420..c03ff54c65d 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/script/ExecutableScriptCondition.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/script/ExecutableScriptCondition.java
@@ -8,10 +8,10 @@ package org.elasticsearch.xpack.watcher.condition.script;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.script.CompiledScript;
 import org.elasticsearch.script.ExecutableScript;
+import org.elasticsearch.xpack.common.ScriptServiceProxy;
 import org.elasticsearch.xpack.watcher.condition.ExecutableCondition;
 import org.elasticsearch.xpack.watcher.execution.WatchExecutionContext;
 import org.elasticsearch.xpack.watcher.support.Variables;
-import org.elasticsearch.xpack.common.ScriptServiceProxy;
 
 import java.util.Map;
 
@@ -38,15 +38,10 @@ public class ExecutableScriptCondition extends ExecutableCondition<ScriptConditi
 
     @Override
     public ScriptCondition.Result execute(WatchExecutionContext ctx) {
-        try {
-            return doExecute(ctx);
-        } catch (Exception e) {
-            logger.error("failed to execute [{}] condition for [{}]", e, ScriptCondition.TYPE, ctx.id());
-            return new ScriptCondition.Result(e);
-        }
+        return doExecute(ctx);
     }
 
-    public ScriptCondition.Result doExecute(WatchExecutionContext ctx) throws Exception {
+    public ScriptCondition.Result doExecute(WatchExecutionContext ctx) {
         Map<String, Object> parameters = Variables.createCtxModel(ctx, ctx.payload());
         if (condition.script.params() != null && !condition.script.params().isEmpty()) {
             parameters.putAll(condition.script.params());
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/script/ScriptCondition.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/script/ScriptCondition.java
index 20d47c508ee..85d4cf59fae 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/script/ScriptCondition.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/condition/script/ScriptCondition.java
@@ -78,10 +78,6 @@ public class ScriptCondition implements Condition {
             super(TYPE, met);
         }
 
-        Result(Exception e) {
-            super(TYPE, e);
-        }
-
         @Override
         protected XContentBuilder typeXContent(XContentBuilder builder, Params params) throws IOException {
             return builder;
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/ExecutionService.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/ExecutionService.java
index b70198d35eb..e8912da88dd 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/ExecutionService.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/ExecutionService.java
@@ -15,12 +15,12 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.concurrent.EsRejectedExecutionException;
 import org.elasticsearch.xpack.watcher.Watcher;
+import org.elasticsearch.xpack.support.clock.Clock;
 import org.elasticsearch.xpack.watcher.actions.ActionWrapper;
 import org.elasticsearch.xpack.watcher.condition.Condition;
 import org.elasticsearch.xpack.watcher.history.HistoryStore;
 import org.elasticsearch.xpack.watcher.history.WatchRecord;
 import org.elasticsearch.xpack.watcher.input.Input;
-import org.elasticsearch.xpack.support.clock.Clock;
 import org.elasticsearch.xpack.watcher.transform.Transform;
 import org.elasticsearch.xpack.watcher.trigger.TriggerEvent;
 import org.elasticsearch.xpack.watcher.watch.Watch;
@@ -38,8 +38,6 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicBoolean;
 
-import static org.elasticsearch.common.logging.LoggerMessageFormat.format;
-
 public class ExecutionService extends AbstractComponent {
 
     public static final Setting<TimeValue> DEFAULT_THROTTLE_PERIOD_SETTING =
@@ -201,7 +199,7 @@ public class ExecutionService extends AbstractComponent {
             }
 
             @Override
-            public void onFailure(Throwable e) {
+            public void onFailure(Exception e) {
                 Throwable cause = ExceptionsHelper.unwrapCause(e);
                 if (cause instanceof EsRejectedExecutionException) {
                     logger.debug("failed to store watch records due to overloaded threadpool [{}]", ExceptionsHelper.detailedMessage(e));
@@ -259,32 +257,14 @@ public class ExecutionService extends AbstractComponent {
             } else {
                 logger.debug("executing watch [{}]", ctx.id().watchId());
 
-                try {
-                    record = executeInner(ctx);
-                } catch (Exception e) {
-                    logger.warn("failed to execute watch [{}]", e, ctx.id());
-                    record = ctx.abortFailedExecution(ExceptionsHelper.detailedMessage(e));
-                }
-
-                if (record != null && ctx.recordExecution()) {
-                    try {
-                        watchStore.updateStatus(ctx.watch());
-                    } catch (Exception e) {
-                        logger.warn("failed to update watch status [{}]", e, ctx.id());
-                        record = new WatchRecord(record, ExecutionState.FAILED, format("failed to update watch status [{}]...{}", ctx.id(),
-                                ExceptionsHelper.detailedMessage(e)));
-                    }
+                record = executeInner(ctx);
+                if (ctx.recordExecution()) {
+                    watchStore.updateStatus(ctx.watch());
                 }
             }
         } catch (Exception e) {
-            logger.warn("failed to execute watch [{}]", e, ctx.id());
-            if (record != null) {
-                record = new WatchRecord(record, ExecutionState.FAILED, format("failed to execute watch. {}",
-                        ExceptionsHelper.detailedMessage(e)));
-            } else {
-                record = ctx.abortFailedExecution(ExceptionsHelper.detailedMessage(e));
-            }
-
+            record = createWatchRecord(record, ctx, e);
+            logWatchRecord(ctx, e);
         } finally {
             if (ctx.knownWatch() && record != null && ctx.recordExecution()) {
                 try {
@@ -295,6 +275,7 @@ public class ExecutionService extends AbstractComponent {
                     }
                 } catch (Exception e) {
                     logger.error("failed to update watch record [{}]", e, ctx.id());
+                    // TODO log watch record in logger, when saving in history store failed, otherwise the info is gone!
                 }
             }
             try {
@@ -312,6 +293,28 @@ public class ExecutionService extends AbstractComponent {
         return record;
     }
 
+    private WatchRecord createWatchRecord(WatchRecord existingRecord, WatchExecutionContext ctx, Exception e) {
+        // it is possible that the watch store update failed, the execution phase is finished
+        if (ctx.executionPhase().sealed()) {
+            if (existingRecord == null) {
+                return new WatchRecord.ExceptionWatchRecord(ctx, e);
+            } else {
+                return new WatchRecord.ExceptionWatchRecord(existingRecord, e);
+            }
+        } else {
+            return ctx.abortFailedExecution(e);
+        }
+    }
+
+    private void logWatchRecord(WatchExecutionContext ctx, Exception e) {
+        // failed watches stack traces are only logged in debug, otherwise they should be checked out in the history
+        if (logger.isDebugEnabled()) {
+            logger.debug("failed to execute watch [{}]", e, ctx.id());
+        } else {
+            logger.warn("Failed to execute watch [{}]", ctx.id());
+        }
+    }
+
     /*
        The execution of an watch is split into two phases:
        1. the trigger part which just makes sure to store the associated watch record in the history
@@ -393,7 +396,7 @@ public class ExecutionService extends AbstractComponent {
             if (watch == null) {
                 String message = "unable to find watch for record [" + triggeredWatch.id().watchId() + "]/[" + triggeredWatch.id() +
                         "], perhaps it has been deleted, ignoring...";
-                WatchRecord record = new WatchRecord(triggeredWatch.id(), triggeredWatch.triggerEvent(),
+                WatchRecord record = new WatchRecord.MessageWatchRecord(triggeredWatch.id(), triggeredWatch.triggerEvent(),
                         ExecutionState.NOT_EXECUTED_WATCH_MISSING, message);
                 historyStore.forcePut(record);
                 triggeredWatchStore.delete(triggeredWatch.id());
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/TriggeredWatchStore.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/TriggeredWatchStore.java
index 0f5a19aa312..e5619f2096c 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/TriggeredWatchStore.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/TriggeredWatchStore.java
@@ -125,7 +125,7 @@ public class TriggeredWatchStore extends AbstractComponent {
                 }
 
                 @Override
-                public void onFailure(Throwable e) {
+                public void onFailure(Exception e) {
                     listener.onFailure(e);
                 }
             });
@@ -149,7 +149,7 @@ public class TriggeredWatchStore extends AbstractComponent {
                 }
 
                 @Override
-                public void onFailure(Throwable e) {
+                public void onFailure(Exception e) {
                     listener.onFailure(e);
                 }
             });
@@ -183,7 +183,7 @@ public class TriggeredWatchStore extends AbstractComponent {
                 }
 
                 @Override
-                public void onFailure(Throwable e) {
+                public void onFailure(Exception e) {
                     listener.onFailure(e);
                 }
             });
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/WatchExecutionContext.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/WatchExecutionContext.java
index 350056316c1..f9bb9a71786 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/WatchExecutionContext.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/WatchExecutionContext.java
@@ -190,7 +190,7 @@ public abstract class WatchExecutionContext {
     public WatchRecord abortBeforeExecution(ExecutionState state, String message) {
         assert !phase.sealed();
         phase = ExecutionPhase.ABORTED;
-        return new WatchRecord(id, triggerEvent, state, message);
+        return new WatchRecord.MessageWatchRecord(id, triggerEvent, state, message);
     }
 
     public WatchRecord abortFailedExecution(String message) {
@@ -198,7 +198,15 @@ public abstract class WatchExecutionContext {
         phase = ExecutionPhase.ABORTED;
         long executionFinishMs = System.currentTimeMillis();
         WatchExecutionResult result = new WatchExecutionResult(this, executionFinishMs - startTimestamp);
-        return new WatchRecord(this, result, message);
+        return new WatchRecord.MessageWatchRecord(this, result, message);
+    }
+
+    public WatchRecord abortFailedExecution(Exception e) {
+        assert !phase.sealed();
+        phase = ExecutionPhase.ABORTED;
+        long executionFinishMs = System.currentTimeMillis();
+        WatchExecutionResult result = new WatchExecutionResult(this, executionFinishMs - startTimestamp);
+        return new WatchRecord.ExceptionWatchRecord(this, result, e);
     }
 
     public WatchRecord finish() {
@@ -206,7 +214,7 @@ public abstract class WatchExecutionContext {
         phase = ExecutionPhase.FINISHED;
         long executionFinishMs = System.currentTimeMillis();
         WatchExecutionResult result = new WatchExecutionResult(this, executionFinishMs - startTimestamp);
-        return new WatchRecord(this, result);
+        return new WatchRecord.MessageWatchRecord(this, result);
     }
 
     public WatchExecutionSnapshot createSnapshot(Thread executionThread) {
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/WatchExecutionResult.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/WatchExecutionResult.java
index 8e5f4f0783b..d05d3e67e57 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/WatchExecutionResult.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/WatchExecutionResult.java
@@ -96,7 +96,6 @@ public class WatchExecutionResult implements ToXContent {
         ParseField INPUT = new ParseField("input");
         ParseField CONDITION = new ParseField("condition");
         ParseField ACTIONS = new ParseField("actions");
-
         ParseField TYPE = new ParseField("type");
     }
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/HistoryStore.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/HistoryStore.java
index 5385bb04c2c..ab54842f46e 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/HistoryStore.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/HistoryStore.java
@@ -107,7 +107,7 @@ public class HistoryStore extends AbstractComponent {
             client.index(request, (TimeValue) null);
         } catch (VersionConflictEngineException vcee) {
             logger.warn("watch record [{}] has executed multiple times, this can happen during watcher restarts", watchRecord);
-            watchRecord = new WatchRecord(watchRecord, ExecutionState.EXECUTED_MULTIPLE_TIMES,
+            watchRecord = new WatchRecord.MessageWatchRecord(watchRecord, ExecutionState.EXECUTED_MULTIPLE_TIMES,
                     "watch record has been stored before, previous state [" + watchRecord.state() + "]");
             IndexRequest request = new IndexRequest(index, DOC_TYPE, watchRecord.id().value())
                     .source(XContentFactory.jsonBuilder().value(watchRecord));
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/WatchRecord.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/WatchRecord.java
index 6589e30eba6..34b552b8a3a 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/WatchRecord.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/WatchRecord.java
@@ -5,9 +5,11 @@
  */
 package org.elasticsearch.xpack.watcher.history;
 
+import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.ParseField;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.collect.MapBuilder;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.xpack.watcher.condition.Condition;
@@ -23,95 +25,65 @@ import org.elasticsearch.xpack.watcher.watch.Watch;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.Map;
+import java.util.Objects;
 
-public class WatchRecord implements ToXContent {
+public abstract class WatchRecord implements ToXContent {
 
-    private final Wid id;
-    private final TriggerEvent triggerEvent;
-    private final ExecutionState state;
+    protected final Wid id;
+    protected final TriggerEvent triggerEvent;
+    protected final ExecutionState state;
 
     // only emitted to xcontent in "debug" mode
-    private final Map<String, Object> vars;
+    protected final Map<String, Object> vars;
 
-    @Nullable private final ExecutableInput input;
-    @Nullable private final Condition condition;
-    @Nullable private final Map<String,Object> metadata;
+    @Nullable protected final ExecutableInput input;
+    @Nullable protected final Condition condition;
+    @Nullable protected final Map<String,Object> metadata;
+    @Nullable protected final WatchExecutionResult executionResult;
 
-    @Nullable private final String[] messages;
-    @Nullable private final WatchExecutionResult executionResult;
-
-    /**
-     * Called when the execution was aborted before it started
-     */
-    public WatchRecord(Wid id, TriggerEvent triggerEvent, ExecutionState state, String message) {
+    public WatchRecord(Wid id, TriggerEvent triggerEvent, ExecutionState state, Map<String, Object> vars, ExecutableInput input,
+                       Condition condition, Map<String, Object> metadata, WatchExecutionResult executionResult) {
         this.id = id;
         this.triggerEvent = triggerEvent;
         this.state = state;
-        this.messages = new String[] { message };
-        this.vars = Collections.emptyMap();
-        this.executionResult = null;
-        this.condition = null;
-        this.input = null;
-        this.metadata = null;
-    }
-
-    /**
-     * Called when the execution was aborted due to an error during execution (the given result should reflect
-     * were exactly the execution failed)
-     */
-    public WatchRecord(WatchExecutionContext context, WatchExecutionResult executionResult, String message) {
-        this.id = context.id();
-        this.triggerEvent = context.triggerEvent();
-        this.state = ExecutionState.FAILED;
-        this.messages = new String[] { message };
-        this.vars = context.vars();
+        this.vars = vars;
+        this.input = input;
+        this.condition = condition;
+        this.metadata = metadata;
         this.executionResult = executionResult;
-        this.condition = context.watch().condition().condition();
-        this.input = context.watch().input();
-        this.metadata = context.watch().metadata();
     }
 
-    /**
-     * Called when the execution finished.
-     */
+    public WatchRecord(Wid id, TriggerEvent triggerEvent, ExecutionState state) {
+        this(id, triggerEvent, state, Collections.emptyMap(), null, null, null, null);
+    }
+
+    public WatchRecord(WatchRecord record, ExecutionState state) {
+        this(record.id, record.triggerEvent, state, record.vars, record.input, record.condition(), record.metadata, record.executionResult);
+    }
+
+    public WatchRecord(WatchExecutionContext context, ExecutionState state) {
+        this(context.id(), context.triggerEvent(), state, context.vars(), context.watch().input(), context.watch().condition().condition(),
+                context.watch().metadata(), null);
+    }
+
     public WatchRecord(WatchExecutionContext context, WatchExecutionResult executionResult) {
-        this.id = context.id();
-        this.triggerEvent = context.triggerEvent();
-        this.messages = Strings.EMPTY_ARRAY;
-        this.vars = context.vars();
-        this.executionResult = executionResult;
-        this.condition = context.watch().condition().condition();
-        this.input = context.watch().input();
-        this.metadata = context.watch().metadata();
-
-        if (!this.executionResult.conditionResult().met()) {
-            state = ExecutionState.EXECUTION_NOT_NEEDED;
-        } else {
-            if (this.executionResult.actionsResults().throttled()) {
-                state = ExecutionState.THROTTLED;
-            } else {
-                state = ExecutionState.EXECUTED;
-            }
-        }
+        this(context.id(), context.triggerEvent(), getState(executionResult), context.vars(), context.watch().input(),
+                context.watch().condition().condition(), context.watch().metadata(), executionResult);
     }
 
-    public WatchRecord(WatchRecord record, ExecutionState state, String message) {
-        this.id = record.id;
-        this.triggerEvent = record.triggerEvent;
-        this.vars = record.vars;
-        this.executionResult = record.executionResult;
-        this.condition = record.condition;
-        this.input = record.input;
-        this.metadata = record.metadata;
-        this.state = state;
+    private static ExecutionState getState(WatchExecutionResult executionResult) {
+        if (executionResult == null || executionResult.conditionResult() == null) {
+            return ExecutionState.FAILED;
+        }
 
-        if (record.messages.length == 0) {
-            this.messages = new String[] { message };
+        if (executionResult.conditionResult().met()) {
+            if (executionResult.actionsResults().throttled()) {
+                return ExecutionState.THROTTLED;
+            } else {
+                return ExecutionState.EXECUTED;
+            }
         } else {
-            String[] newMessages = new String[record.messages.length + 1];
-            System.arraycopy(record.messages, 0, newMessages, 0, record.messages.length);
-            newMessages[record.messages.length] = message;
-            this.messages = newMessages;
+            return ExecutionState.EXECUTION_NOT_NEEDED;
         }
     }
 
@@ -137,10 +109,6 @@ public class WatchRecord implements ToXContent {
         return state;
     }
 
-    public String[] messages(){
-        return messages;
-    }
-
     public Map<String, Object> metadata() {
         return metadata;
     }
@@ -172,29 +140,26 @@ public class WatchRecord implements ToXContent {
                     .field(condition.type(), condition, params)
                     .endObject();
         }
-        if (messages != null) {
-            builder.field(Field.MESSAGES.getPreferredName(), messages);
-        }
         if (metadata != null) {
             builder.field(Field.METADATA.getPreferredName(), metadata);
         }
         if (executionResult != null) {
             builder.field(Field.EXECUTION_RESULT.getPreferredName(), executionResult, params);
         }
-
+        innerToXContent(builder, params);
         builder.endObject();
         return builder;
     }
 
+    abstract void innerToXContent(XContentBuilder builder, Params params) throws IOException;
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
         if (o == null || getClass() != o.getClass()) return false;
 
         WatchRecord entry = (WatchRecord) o;
-        if (!id.equals(entry.id)) return false;
-
-        return true;
+        return Objects.equals(id, entry.id);
     }
 
     @Override
@@ -215,5 +180,109 @@ public class WatchRecord implements ToXContent {
         ParseField VARS = new ParseField("vars");
         ParseField METADATA = new ParseField("metadata");
         ParseField EXECUTION_RESULT = new ParseField("result");
+        ParseField EXCEPTION = new ParseField("exception");
+    }
+
+    public static class MessageWatchRecord extends WatchRecord {
+        @Nullable private final String[] messages;
+
+        /**
+         * Called when the execution was aborted before it started
+         */
+        public MessageWatchRecord(Wid id, TriggerEvent triggerEvent, ExecutionState state, String message) {
+            super(id, triggerEvent, state);
+            this.messages = new String[] { message };
+        }
+
+        /**
+         * Called when the execution was aborted due to an error during execution (the given result should reflect
+         * were exactly the execution failed)
+         */
+        public MessageWatchRecord(WatchExecutionContext context, WatchExecutionResult executionResult, String message) {
+            super(context, executionResult);
+            this.messages = new String[] { message };
+        }
+
+        /**
+         * Called when the execution finished.
+         */
+        public MessageWatchRecord(WatchExecutionContext context, WatchExecutionResult executionResult) {
+            super(context, executionResult);
+            this.messages = Strings.EMPTY_ARRAY;
+        }
+
+        public MessageWatchRecord(WatchRecord record, ExecutionState state, String message) {
+            super(record, state);
+            if (record instanceof MessageWatchRecord) {
+                MessageWatchRecord messageWatchRecord = (MessageWatchRecord) record;
+                if (messageWatchRecord.messages.length == 0) {
+                    this.messages = new String[] { message };
+                } else {
+                    String[] newMessages = new String[messageWatchRecord.messages.length + 1];
+                    System.arraycopy(messageWatchRecord.messages, 0, newMessages, 0, messageWatchRecord.messages.length);
+                    newMessages[messageWatchRecord.messages.length] = message;
+                    this.messages = newMessages;
+                }
+            } else {
+                messages = new String []{ message };
+            }
+        }
+
+        public String[] messages(){
+            return messages;
+        }
+
+        @Override
+        void innerToXContent(XContentBuilder builder, Params params) throws IOException {
+            if (messages != null) {
+                builder.field(Field.MESSAGES.getPreferredName(), messages);
+            }
+        }
+    }
+
+    public static class ExceptionWatchRecord extends WatchRecord {
+
+        private static final Map<String, String> STACK_TRACE_ENABLED_PARAMS = MapBuilder.<String, String>newMapBuilder()
+                .put(ElasticsearchException.REST_EXCEPTION_SKIP_STACK_TRACE, "false")
+                .immutableMap();
+
+        @Nullable private final Exception exception;
+
+        public ExceptionWatchRecord(WatchExecutionContext context, WatchExecutionResult executionResult, Exception exception) {
+            super(context, executionResult);
+            this.exception = exception;
+        }
+
+        public ExceptionWatchRecord(WatchRecord record, Exception exception) {
+            super(record, ExecutionState.FAILED);
+            this.exception = exception;
+        }
+
+        public ExceptionWatchRecord(WatchExecutionContext context, Exception exception) {
+            super(context, ExecutionState.FAILED);
+            this.exception = exception;
+        }
+
+        public Exception getException() {
+            return exception;
+        }
+
+        @Override
+        void innerToXContent(XContentBuilder builder, Params params) throws IOException {
+            if (exception != null) {
+                if (exception instanceof ElasticsearchException) {
+                    ElasticsearchException elasticsearchException = (ElasticsearchException) exception;
+                    builder.startObject(Field.EXCEPTION.getPreferredName());
+                    Params delegatingParams = new DelegatingMapParams(STACK_TRACE_ENABLED_PARAMS, params);
+                    elasticsearchException.toXContent(builder, delegatingParams);
+                    builder.endObject();
+                } else {
+                    builder.startObject(Field.EXCEPTION.getPreferredName())
+                            .field("type", ElasticsearchException.getExceptionName(exception))
+                            .field("reason", exception.getMessage())
+                            .endObject();
+                }
+            }
+        }
     }
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/support/SearchRequestEquivalence.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/support/SearchRequestEquivalence.java
index fec055628f1..cc063d56920 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/support/SearchRequestEquivalence.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/support/SearchRequestEquivalence.java
@@ -29,7 +29,7 @@ public final class SearchRequestEquivalence {
     private SearchRequestEquivalence() {
     }
 
-    public final boolean equivalent(@Nullable SearchRequest a, @Nullable SearchRequest b) {
+    public boolean equivalent(@Nullable SearchRequest a, @Nullable SearchRequest b) {
         return a == b ? true : (a != null && b != null ? this.doEquivalent(a, b) : false);
     }
 
@@ -42,8 +42,8 @@ public final class SearchRequestEquivalence {
             r2.writeTo(output1);
             byte[] bytes2 = BytesReference.toBytes(output1.bytes());
             return Arrays.equals(bytes1, bytes2);
-        } catch (Throwable t) {
-            throw illegalState("could not compare search requests", t);
+        } catch (Exception e) {
+            throw illegalState("could not compare search requests", e);
         }
     }
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/transport/actions/get/TransportGetWatchAction.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/transport/actions/get/TransportGetWatchAction.java
index cb581d5c470..224f56052f3 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/transport/actions/get/TransportGetWatchAction.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/transport/actions/get/TransportGetWatchAction.java
@@ -85,9 +85,9 @@ public class TransportGetWatchAction extends WatcherTransportAction<GetWatchRequ
                 listener.onFailure(e);
             }
 
-        } catch (Throwable t) {
-            logger.error("failed to get watch [{}]", t, request.getId());
-            throw t;
+        } catch (Exception e) {
+            logger.error("failed to get watch [{}]", e, request.getId());
+            throw e;
         }
     }
 
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/trigger/schedule/tool/CronEvalTool.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/trigger/schedule/tool/CronEvalTool.java
index ef424056d39..2af25c830d1 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/trigger/schedule/tool/CronEvalTool.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/trigger/schedule/tool/CronEvalTool.java
@@ -12,7 +12,7 @@ import joptsimple.OptionSet;
 import joptsimple.OptionSpec;
 import org.elasticsearch.cli.Command;
 import org.elasticsearch.cli.ExitCodes;
-import org.elasticsearch.cli.UserError;
+import org.elasticsearch.cli.UserException;
 import org.elasticsearch.cli.Terminal;
 import org.elasticsearch.xpack.watcher.trigger.schedule.Cron;
 import org.joda.time.DateTime;
@@ -46,7 +46,7 @@ public class CronEvalTool extends Command {
         int count = Integer.parseInt(countOption.value(options));
         List<String> args = arguments.values(options);
         if (args.size() != 1) {
-            throw new UserError(ExitCodes.USAGE, "expecting a single argument that is the cron expression to evaluate");
+            throw new UserException(ExitCodes.USAGE, "expecting a single argument that is the cron expression to evaluate");
         }
         execute(terminal, args.get(0), count);
     }
@@ -65,7 +65,7 @@ public class CronEvalTool extends Command {
             long prevTime = time;
             time = cron.getNextValidTimeAfter(time);
             if (time < 0) {
-                throw new UserError(ExitCodes.OK, (i + 1) + ".\t Could not compute future times since ["
+                throw new UserException(ExitCodes.OK, (i + 1) + ".\t Could not compute future times since ["
                     + formatter.print(prevTime) + "] " + "(perhaps the cron expression only points to times in the past?)");
             }
             terminal.println((i+1) + ".\t" + formatter.print(time));
diff --git a/elasticsearch/x-pack/watcher/src/main/resources/watch_history.json b/elasticsearch/x-pack/watcher/src/main/resources/watch_history.json
index dad2b48d7e7..328cb286ae2 100644
--- a/elasticsearch/x-pack/watcher/src/main/resources/watch_history.json
+++ b/elasticsearch/x-pack/watcher/src/main/resources/watch_history.json
@@ -93,6 +93,10 @@
         "messages": {
           "type": "text"
         },
+        "exception" : {
+          "type" : "object",
+          "enabled" : false
+        },
         "result": {
           "type": "object",
           "dynamic": true,
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionTests.java
deleted file mode 100644
index b495fe3f3cc..00000000000
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionTests.java
+++ /dev/null
@@ -1,226 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.xpack.watcher.condition.script;
-
-
-import org.apache.lucene.util.LuceneTestCase.AwaitsFix;
-import org.elasticsearch.ElasticsearchParseException;
-import org.elasticsearch.action.search.SearchResponse;
-import org.elasticsearch.action.search.ShardSearchFailure;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.xcontent.XContentBuilder;
-import org.elasticsearch.common.xcontent.XContentFactory;
-import org.elasticsearch.common.xcontent.XContentParser;
-import org.elasticsearch.script.GeneralScriptException;
-import org.elasticsearch.script.ScriptService.ScriptType;
-import org.elasticsearch.search.internal.InternalSearchResponse;
-import org.elasticsearch.test.ESTestCase;
-import org.elasticsearch.threadpool.TestThreadPool;
-import org.elasticsearch.threadpool.ThreadPool;
-import org.elasticsearch.xpack.watcher.condition.Condition;
-import org.elasticsearch.xpack.watcher.execution.WatchExecutionContext;
-import org.elasticsearch.xpack.watcher.support.Script;
-import org.elasticsearch.xpack.common.ScriptServiceProxy;
-import org.elasticsearch.xpack.watcher.watch.Payload;
-import org.joda.time.DateTime;
-import org.joda.time.DateTimeZone;
-import org.junit.After;
-import org.junit.Before;
-
-import java.io.IOException;
-
-import static java.util.Collections.singletonMap;
-import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
-import static org.elasticsearch.xpack.watcher.support.Exceptions.illegalArgument;
-import static org.elasticsearch.xpack.watcher.test.WatcherTestUtils.getScriptServiceProxy;
-import static org.elasticsearch.xpack.watcher.test.WatcherTestUtils.mockExecutionContext;
-import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.notNullValue;
-
-/**
- */
-@AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/724")
-public class ScriptConditionTests extends ESTestCase {
-    ThreadPool tp = null;
-
-    @Before
-    public void init() {
-        tp = new TestThreadPool(ThreadPool.Names.SAME);
-    }
-
-    @After
-    public void cleanup() {
-        tp.shutdownNow();
-    }
-
-    public void testExecute() throws Exception {
-        ScriptServiceProxy scriptService = getScriptServiceProxy(tp);
-        ExecutableScriptCondition condition = new ExecutableScriptCondition(
-                new ScriptCondition(Script.inline("ctx.payload.hits.total > 1").build()), logger, scriptService);
-        SearchResponse response = new SearchResponse(InternalSearchResponse.empty(), "", 3, 3, 500L, new ShardSearchFailure[0]);
-        WatchExecutionContext ctx = mockExecutionContext("_name", new Payload.XContent(response));
-        assertFalse(condition.execute(ctx).met());
-    }
-
-    public void testExecuteMergedParams() throws Exception {
-        ScriptServiceProxy scriptService = getScriptServiceProxy(tp);
-        Script script = Script.inline("ctx.payload.hits.total > threshold")
-                .lang(Script.DEFAULT_LANG).params(singletonMap("threshold", 1)).build();
-        ExecutableScriptCondition executable = new ExecutableScriptCondition(
-                new ScriptCondition(script), logger, scriptService);
-        SearchResponse response = new SearchResponse(InternalSearchResponse.empty(), "", 3, 3, 500L, new ShardSearchFailure[0]);
-        WatchExecutionContext ctx = mockExecutionContext("_name", new Payload.XContent(response));
-        assertFalse(executable.execute(ctx).met());
-    }
-
-    public void testParserValid() throws Exception {
-        ScriptConditionFactory factory = new ScriptConditionFactory(Settings.builder().build(), getScriptServiceProxy(tp));
-
-        XContentBuilder builder = createConditionContent("ctx.payload.hits.total > 1", null, ScriptType.INLINE);
-
-        XContentParser parser = XContentFactory.xContent(builder.bytes()).createParser(builder.bytes());
-        parser.nextToken();
-        ScriptCondition condition = factory.parseCondition("_watch", parser);
-        ExecutableScriptCondition executable = factory.createExecutable(condition);
-
-        SearchResponse response = new SearchResponse(InternalSearchResponse.empty(), "", 3, 3, 500L, new ShardSearchFailure[0]);
-        WatchExecutionContext ctx = mockExecutionContext("_name", new Payload.XContent(response));
-
-        assertFalse(executable.execute(ctx).met());
-
-
-        builder = createConditionContent("return true", null, ScriptType.INLINE);
-        parser = XContentFactory.xContent(builder.bytes()).createParser(builder.bytes());
-        parser.nextToken();
-        condition = factory.parseCondition("_watch", parser);
-        executable = factory.createExecutable(condition);
-
-        ctx = mockExecutionContext("_name", new Payload.XContent(response));
-
-        assertTrue(executable.execute(ctx).met());
-    }
-
-    public void testParserInvalid() throws Exception {
-        ScriptConditionFactory factory = new ScriptConditionFactory(Settings.builder().build(), getScriptServiceProxy(tp));
-        XContentBuilder builder = XContentFactory.jsonBuilder();
-        builder.startObject().endObject();
-        XContentParser parser = XContentFactory.xContent(builder.bytes()).createParser(builder.bytes());
-        parser.nextToken();
-        try {
-            factory.parseCondition("_id", parser);
-            fail("expected a condition exception trying to parse an invalid condition XContent");
-        } catch (ElasticsearchParseException e) {
-            // TODO add these when the test if fixed
-            // assertThat(e.getMessage(), is("ASDF"));
-        }
-    }
-
-    public void testScriptConditionParserBadScript() throws Exception {
-        ScriptConditionFactory conditionParser = new ScriptConditionFactory(Settings.builder().build(), getScriptServiceProxy(tp));
-        ScriptType scriptType = randomFrom(ScriptType.values());
-        String script;
-        switch (scriptType) {
-            case STORED:
-            case FILE:
-                script = "nonExisting_script";
-                break;
-            case INLINE:
-            default:
-                script = "foo = = 1";
-        }
-        XContentBuilder builder = createConditionContent(script, "groovy", scriptType);
-        XContentParser parser = XContentFactory.xContent(builder.bytes()).createParser(builder.bytes());
-        parser.nextToken();
-        ScriptCondition scriptCondition = conditionParser.parseCondition("_watch", parser);
-        try {
-            conditionParser.createExecutable(scriptCondition);
-            fail("expected a condition validation exception trying to create an executable with a bad or missing script");
-        } catch (GeneralScriptException e) {
-            // TODO add these when the test if fixed
-            // assertThat(e.getMessage(), is("ASDF"));
-        }
-    }
-
-    public void testScriptConditionParser_badLang() throws Exception {
-        ScriptConditionFactory conditionParser = new ScriptConditionFactory(Settings.builder().build(), getScriptServiceProxy(tp));
-        ScriptType scriptType = ScriptType.INLINE;
-        String script = "return true";
-        XContentBuilder builder = createConditionContent(script, "not_a_valid_lang", scriptType);
-        XContentParser parser = XContentFactory.xContent(builder.bytes()).createParser(builder.bytes());
-        parser.nextToken();
-        ScriptCondition scriptCondition = conditionParser.parseCondition("_watch", parser);
-        try {
-            conditionParser.createExecutable(scriptCondition);
-            fail("expected a condition validation exception trying to create an executable with an invalid language");
-        } catch (GeneralScriptException e) {
-            // TODO add these when the test if fixed
-            // assertThat(e.getMessage(), is("ASDF"));
-        }
-    }
-
-    public void testScriptConditionThrowException() throws Exception {
-        ScriptServiceProxy scriptService = getScriptServiceProxy(tp);
-        ExecutableScriptCondition condition =
-                new ExecutableScriptCondition(new ScriptCondition(Script.inline("assert false").build()), logger, scriptService);
-        SearchResponse response = new SearchResponse(InternalSearchResponse.empty(), "", 3, 3, 500L, new ShardSearchFailure[0]);
-        WatchExecutionContext ctx = mockExecutionContext("_name", new Payload.XContent(response));
-        ScriptCondition.Result result = condition.execute(ctx);
-        assertThat(result, notNullValue());
-        assertThat(result.status(), is(Condition.Result.Status.FAILURE));
-        assertThat(result.reason(), notNullValue());
-        assertThat(result.reason(), containsString("Assertion"));
-    }
-
-    public void testScriptConditionReturnObject() throws Exception {
-        ScriptServiceProxy scriptService = getScriptServiceProxy(tp);
-        ExecutableScriptCondition condition =
-                new ExecutableScriptCondition(new ScriptCondition(Script.inline("return new Object()").build()), logger, scriptService);
-        SearchResponse response = new SearchResponse(InternalSearchResponse.empty(), "", 3, 3, 500L, new ShardSearchFailure[0]);
-        WatchExecutionContext ctx = mockExecutionContext("_name", new Payload.XContent(response));
-        ScriptCondition.Result result = condition.execute(ctx);
-        assertThat(result, notNullValue());
-        assertThat(result.status(), is(Condition.Result.Status.FAILURE));
-        assertThat(result.reason(), notNullValue());
-        assertThat(result.reason(), containsString("ScriptException"));
-    }
-
-    public void testScriptConditionAccessCtx() throws Exception {
-        ScriptServiceProxy scriptService = getScriptServiceProxy(tp);
-        ExecutableScriptCondition condition = new ExecutableScriptCondition(
-                new ScriptCondition(Script.inline("ctx.trigger.scheduled_time.getMillis() < System.currentTimeMillis() ").build()),
-                logger, scriptService);
-        SearchResponse response = new SearchResponse(InternalSearchResponse.empty(), "", 3, 3, 500L, new ShardSearchFailure[0]);
-        WatchExecutionContext ctx = mockExecutionContext("_name", new DateTime(DateTimeZone.UTC), new Payload.XContent(response));
-        Thread.sleep(10);
-        assertThat(condition.execute(ctx).met(), is(true));
-    }
-
-    private static XContentBuilder createConditionContent(String script, String scriptLang, ScriptType scriptType) throws IOException {
-        XContentBuilder builder = jsonBuilder();
-        if (scriptType == null) {
-            return builder.value(script);
-        }
-        builder.startObject();
-        switch (scriptType) {
-            case INLINE:
-                builder.field("inline", script);
-                break;
-            case FILE:
-                builder.field("file", script);
-                break;
-            case STORED:
-                builder.field("id", script);
-                break;
-            default:
-                throw illegalArgument("unsupported script type [{}]", scriptType);
-        }
-        if (scriptLang != null) {
-            builder.field("lang", scriptLang);
-        }
-        return builder.endObject();
-    }
-}
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/execution/ManualExecutionTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/execution/ManualExecutionTests.java
index 30f2e8127df..084a52b78a4 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/execution/ManualExecutionTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/execution/ManualExecutionTests.java
@@ -332,8 +332,8 @@ public class ManualExecutionTests extends AbstractWatcherIntegrationTestCase {
                 WatchRecord record = executionService.execute(ctxBuilder.build());
                 assertThat(record, notNullValue());
                 assertThat(record.state(), is(ExecutionState.NOT_EXECUTED_WATCH_MISSING));
-            } catch (Throwable t) {
-                throw new ElasticsearchException("Failure mode execution of [{}] failed in an unexpected way", t, watchId);
+            } catch (Exception e) {
+                throw new ElasticsearchException("Failure mode execution of [{}] failed in an unexpected way", e, watchId);
             }
         }
     }
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/history/HistoryStoreTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/history/HistoryStoreTests.java
index 1f52b12c660..59b4213d6a5 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/history/HistoryStoreTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/history/HistoryStoreTests.java
@@ -44,7 +44,7 @@ public class HistoryStoreTests extends ESTestCase {
     public void testPut() throws Exception {
         Wid wid = new Wid("_name", 0, new DateTime(0, UTC));
         ScheduleTriggerEvent event = new ScheduleTriggerEvent(wid.watchId(), new DateTime(0, UTC), new DateTime(0, UTC));
-        WatchRecord watchRecord = new WatchRecord(wid, event, ExecutionState.EXECUTED, null);
+        WatchRecord watchRecord = new WatchRecord.MessageWatchRecord(wid, event, ExecutionState.EXECUTED, null);
 
         IndexResponse indexResponse = mock(IndexResponse.class);
         IndexRequest indexRequest = indexRequest(".watcher-history-1970.01.01", HistoryStore.DOC_TYPE, wid.value()
@@ -57,7 +57,7 @@ public class HistoryStoreTests extends ESTestCase {
     public void testPutStopped() throws Exception {
         Wid wid = new Wid("_name", 0, new DateTime(0, UTC));
         ScheduleTriggerEvent event = new ScheduleTriggerEvent(wid.watchId(), new DateTime(0, UTC), new DateTime(0, UTC));
-        WatchRecord watchRecord = new WatchRecord(wid, event, ExecutionState.EXECUTED, null);
+        WatchRecord watchRecord = new WatchRecord.MessageWatchRecord(wid, event, ExecutionState.EXECUTED, null);
 
         historyStore.stop();
         try {
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java
index dcda61a5813..0bf7a796cfb 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java
@@ -375,7 +375,7 @@ public class BootStrapTests extends AbstractWatcherIntegrationTestCase {
                     .setSource(jsonBuilder().value(triggeredWatch))
                     .get();
 
-            WatchRecord watchRecord = new WatchRecord(wid, event, ExecutionState.EXECUTED, "executed");
+            WatchRecord watchRecord = new WatchRecord.MessageWatchRecord(wid, event, ExecutionState.EXECUTED, "executed");
             client().prepareIndex(watchRecordIndex, HistoryStore.DOC_TYPE, watchRecord.id().value())
                     .setSource(jsonBuilder().value(watchRecord))
                     .get();