diff --git a/ansible/roles/traffic-engine/files/helm/conf/telegraf_security.conf b/ansible/roles/traffic-engine/files/helm/conf/telegraf_security.conf
new file mode 100644
index 00000000..2d5b7513
--- /dev/null
+++ b/ansible/roles/traffic-engine/files/helm/conf/telegraf_security.conf
@@ -0,0 +1,54 @@
+# Telegraf Configuration
+[global_tags]
+ device_id = "${device_id}"
+{{- range .Values.device.tags -}}
+{{- range $key,$val := . }}
+ {{ $key }} = {{ $val | quote }}
+{{- end }}
+{{- end }}
+ vsys_id = {{ .Values.vsys_id | quote }}
+[agent]
+ interval = "1s"
+ round_interval = true
+ metric_batch_size = 1000
+ metric_buffer_limit = 10000
+ collection_jitter = "0s"
+ flush_interval = "1s"
+ flush_jitter = "0s"
+ precision = ""
+ debug = false
+ quiet = false
+ logfile = ""
+ hostname = ""
+ omit_hostname = true
+
+
+[[inputs.socket_listener]]
+ service_address = "udp://:8400"
+ data_format = "influx"
+
+[[outputs.kafka]]
+ sasl_username = "{{ .Values.external_resources.olap.kafka_brokers.sasl_username }}"
+ sasl_password = "{{ .Values.external_resources.olap.kafka_brokers.sasl_password }}"
+ brokers = [ "{{- include "traffic-engine.config.olap-address" (list . "\",\"") }}" ]
+ topic = "POLICY-RULE-METRICS"
+ data_format = "json"
+ json_timestamp_units = "1ms"
+
+[[aggregators.basicstats]]
+ period = "1s"
+ drop_original = true
+ stats = ["sum"]
+ fieldpass = ["hit_count", "in_bytes", "out_bytes", "in_pkts", "out_pkts"]
+ #fieldpass = ["new_conn_num", "established_conn_num", "close_conn_num", "total_in_bytes", "total_out_bytes", "total_in_packets", "total_out_packets",
+ # "default_conn_num", "default_in_bytes", "default_out_bytes", "default_in_packets", "default_out_packets",
+ # "allow_conn_num", "allow_in_bytes", "allow_out_bytes", "allow_in_packets", "allow_out_packets",
+ # "deny_conn_num", "deny_in_bytes", "deny_out_bytes", "deny_in_packets", "deny_out_packets",
+ # "monitor_conn_num", "monitor_in_bytes", "monitor_out_bytes", "monitor_in_packets", "monitor_out_packets",
+ # "intercept_conn_num", "intercept_in_bytes", "intercept_out_bytes", "intercept_in_packets", "intercept_out_packets",
+ # "ipv4_in_packets", "ipv4_in_bytes", "ipv4_out_packets", "ipv4_out_bytes",
+ # "ipv6_in_packets", "ipv6_in_bytes", "ipv6_out_packets", "ipv6_out_bytes",
+ # "tcp_conn_num", "tcp_in_packets", "tcp_in_bytes", "tcp_out_packets", "tcp_out_bytes",
+ # "udp_conn_num", "udp_in_packets", "udp_in_bytes", "udp_out_packets", "udp_out_bytes",
+ # "alert_bytes", "block_bytes", "pinning_num", "maybe_pinning_num", "not_pinning_num"]
+ namepass = ["security_policy_hits"] # only "pass" swap metrics through the aggregator.
diff --git a/ansible/roles/traffic-engine/files/helm/templates/telegraf.yaml b/ansible/roles/traffic-engine/files/helm/templates/telegraf.yaml
index 6004a96d..a74ed3c6 100644
--- a/ansible/roles/traffic-engine/files/helm/templates/telegraf.yaml
+++ b/ansible/roles/traffic-engine/files/helm/templates/telegraf.yaml
@@ -6,4 +6,5 @@ metadata:
 data:
 telegraf_statistic.conf: {{ tpl (.Files.Get "conf/telegraf_statistic.conf") . | quote }}
 telegraf_shaping.conf: {{ tpl (.Files.Get "conf/telegraf_shaping.conf") . | quote }}
- telegraf_sce.conf: {{ tpl (.Files.Get "conf/telegraf_sce.conf") . | quote }}
\ No newline at end of file
+ telegraf_sce.conf: {{ tpl (.Files.Get "conf/telegraf_sce.conf") . | quote }}
+ telegraf_security.conf: {{ tpl (.Files.Get "conf/telegraf_security.conf") . | quote }}
\ No newline at end of file
diff --git a/ansible/roles/traffic-engine/files/helm/templates/traffic-engine.yaml b/ansible/roles/traffic-engine/files/helm/templates/traffic-engine.yaml
index ada8d4ea..28dfd9e3 100644
--- a/ansible/roles/traffic-engine/files/helm/templates/traffic-engine.yaml
+++ b/ansible/roles/traffic-engine/files/helm/templates/traffic-engine.yaml
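Review bot: The Kafka SASL credentials are rendered as plaintext into this file by the `sasl_username` and `sasl_password` lines under `[[outputs.kafka]]`, and telegraf.yaml in this same commit embeds the rendered file into its `data:` map, so the password ends up in the chart output and in whatever object that template produces (its kind is outside the hunk; if it is a ConfigMap rather than a Secret the value is readable by anything that can read ConfigMaps). The file already relies on Telegraf's environment substitution for `device_id = "${device_id}"`; the same mechanism, e.g. `sasl_password = "${KAFKA_SASL_PASSWORD}"` (variable name chosen here, populated from a Kubernetes Secret), keeps the credential out of rendered manifests. Separately, `vsys_id` goes through `| quote` while the two `sasl_*` values are interpolated bare inside double quotes, so a value containing `"` or `\` produces invalid TOML; use `{{ ... | quote }}` there as well unless the env-substitution form is adopted. The `udp://:8400` listener accepts unauthenticated line protocol on all interfaces; if the producer is a container in the same pod, `udp://127.0.0.1:8400` narrows that (pod networking is not visible here, so confirm before changing).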
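Review bot: The new side of telegraf.yaml still ends without a trailing newline (`\ No newline at end of file` follows the added `telegraf_security.conf:` line), which is exactly why the unchanged `telegraf_sce.conf:` line had to be removed and re-added in this hunk. Terminating the file with a newline keeps the next addition to this `data:` map a one-line diff and satisfies yamllint's new-line-at-end-of-file check.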
@@ -453,6 +453,25 @@ spec:
 mountPath: /run/frr
 {{- end }}
+ - name: telegraf-security
+ image: "docker.io/library/tsg-telegraf:{{ .Chart.AppVersion }}"
+ imagePullPolicy: Never
+ command: ["/usr/bin/telegraf", "-config", "/etc/telegraf/telegraf_security.conf", "-config-directory", "/etc/telegraf/telegraf_statistic.d"]
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: telegraf
+ mountPath: "/etc/telegraf/telegraf_security.conf"
+ subPath: "telegraf_security.conf"
+ - name: config-volume
+ mountPath: "/opt/tsg/etc/tsg_sn.json"
+ subPath: "opt/tsg/etc/tsg_sn.json"
+ - name: config-volume
+ mountPath: "/etc/default/telegraf"
+ subPath: "etc/default/telegraf"
+ - name: localtime-node
+ mountPath: /etc/localtime
+ readOnly: true
 initContainers:
 - name: tsg-init