I'm hoping to reduce the amount of data that auditbeat is sending me for a specific host. The host in question is producing 5-10x more than any others. It is running zabbix-server, so there are lots of outbound sockets. From the data it appears that these account for the majority of the logged data (95+%).
I see these entries in auditbeat.reference.yml:

```yaml
- module: system
  datasets:
    - socket # Opened and closed sockets
```
How would I set auditbeat.yml to not log this data?
Is there a preferred way to reduce the data volume?
What version of Auditbeat are you running? Is it 7.4.0+ with the updated system/socket dataset that produces flows? This one might be producing fewer events because it should produce only one event when a flow ends.
And to filter, you could add a drop_event processor that looks at network.direction: outbound.
```yaml
auditbeat.modules:
- module: system
  datasets: [socket]
  processors:
  - drop_event.when.equals.network.direction: outbound
```
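To see what the suggested drop_event condition does to a stream of socket events before committing it to auditbeat.yml, here is an added Python simulation of the processor's `equals` matching. It is example code written for this thread, not Auditbeat's own implementation; the sample events are constructed, and the field layout assumes ECS-style documents carrying the `network.direction` field the answer refers to. One point it makes visible: an event with no `network.direction` at all (a process event, say) never matches `equals`, so it is kept, and only outbound socket flows are dropped.

```python
"""Simulate Auditbeat's drop_event processor with an `equals` condition.

Added example, not Auditbeat's code. The events below are constructed to
resemble system/socket flow documents (ECS field names assumed).
"""

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"event": {"dataset": "socket"},
     "network": {"direction": "outbound", "transport": "tcp"},
     "destination": {"port": 10050}},  # server polling a zabbix agent
    {"event": {"dataset": "socket"},
     "network": {"direction": "outbound", "transport": "tcp"},
     "destination": {"port": 10050}},
    {"event": {"dataset": "socket"},
     "network": {"direction": "inbound", "transport": "tcp"},
     "destination": {"port": 22}},      # inbound SSH flow, should survive
    {"event": {"dataset": "process"}},  # no network.direction field at all
]


def get_field(event, dotted):
    """Resolve a dotted path such as 'network.direction'; None when absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_equals(event, conditions):
    """True when every listed field equals its value (all conditions AND-ed)."""
    return all(get_field(event, field) == value for field, value in conditions.items())


def drop_event(events, when_equals):
    """Apply drop_event: keep only events that do NOT match the condition."""
    return [e for e in events if not matches_equals(e, when_equals)]


def summarize(events, when_equals):
    """Count how many events the processor would forward versus discard."""
    kept = drop_event(events, when_equals)
    return {"input": len(events), "kept": len(kept), "dropped": len(events) - len(kept)}


if __name__ == "__main__":
    # Same condition as the drop_event line in the answer's YAML.
    print(summarize(SAMPLE_EVENTS, {"network.direction": "outbound"}))
```

Running it against the four constructed events drops the two outbound flows and forwards the inbound SSH flow and the process event, which is the split you would want to confirm on a sample of real data from the noisy host before rolling the processor out.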