Hi, is there a setting to allow winlogbeat to use more CPU resources?
We are currently testing a config file with about 1700 lines of filtering. We also have another config file with less filtering (about 300) currently being used on the event collector. We tested shipping the same 3GB evtx file to logstash using these 2 config files.
Shipping with the 300-line config file was very fast and move events ended up in the cluster due to the loosen filtering. Shipping with 1700 line config file was 3-4 times slower but we have higher quality events in the cluster and all the noisy events are filtered out.
We know the processing time with the 1700 line config file is higher due to the amount of filtering lines needing to be processed. During processing time, the CPU usage on the winlogbeat host never went over 40% and we know winlogbeat is supposed to behave however we fear that due to the slow processing time, the event collector will not be able to keep up with the spead at which events are comming in.
We would like to know if there are config settings to tell winlogbeat to use more processing power so it ships events faster? We plan to add more CPUs to the event collector but we have feeling winlogbeat will only use a small percentage.
Any advise will be appreciated.
Thanks