I'm hoping to reduce the amount of data that auditbeat is sending me for a specific host. The host in question is producing 5-10x more than any others. It is running zabbix-server, so there are lots of outbound sockets. From the data, it appears that these account for the majority of the logged data (95+%).
I see these entries in auditbeat.reference.yml:

    - module: system
      datasets:
        - socket # Opened and closed sockets

How would I set auditbeat.yml to not log this data?
Is there a preferred way to reduce the data volume?