Auditbeat - how to exclude outbound socket data

I'm hoping to reduce the amount of data that Auditbeat is sending me for a specific host. The host in question is producing 5-10x more than any others. It is running zabbix-server, so there are lots of outbound sockets. From the data it appears that these account for the majority of the logged data (95+%).

I see these entries in auditbeat.reference.yml

- module: system
  datasets:
    - socket  # Opened and closed sockets

How would I set auditbeat.yml to not log this data?

Is there a preferred way to reduce the data volume?

What version of Auditbeat are you running? Is it 7.4.0+ with the updated system/socket dataset that produces flows? This one might be producing fewer events because it should produce only one event when a flow ends.

And to filter you could add a drop_event processor that looks at network.direction: outbound.

- module: system
  datasets: [socket]
  processors:
    - drop_event.when:
        equals:
          network.direction: outbound

Yes, 7.4.x - I have Puppet set to install whatever the latest, greatest version is.

I'll try this setting. TY.
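
A narrower variant of the filter suggested above, as an added example that is not part of the original posts: it drops only outbound flows created by the Zabbix server process, so outbound connections made by any other process on the host are still recorded. The process name `zabbix_server` is an assumption; confirm the `process.name` value in the socket events from that host before using it.

```yaml
# Added example for auditbeat.yml. The process name below is an assumption,
# not a value taken from the thread.
auditbeat.modules:
  - module: system
    datasets: [socket]
    processors:
      - drop_event:
          when:
            and:
              # Only flows initiated by this host...
              - equals:
                  network.direction: outbound
              # ...and only those owned by the monitoring daemon (assumed name).
              - equals:
                  process.name: zabbix_server
```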

