My use case in short:
I want to run packetbeat on one of my servers and pipe the pcap directly into snort. How can this be done?
I want to use packetbeat to just capture packets as they are (I don't care much about its ability to decode layer 7 etc. for my use case) and send the packets with compression to a remote HTTP endpoint. This could be HAProxy for example, and from there I can consume packets, dump them into a time series database etc.
I am aware that packetbeat can write to local pcap files, but I just want to capture and send the packets somewhere and analyze them offline using in-house tools which understand the pcap format. I can of course keep copying pcap files from the server for offline analysis, but this is too heavy on disk IO.
I am also aware that I can get a JSON doc describing each packet and stash it into ES, but I really don't want to store JSON when all I need is the actual packets.
Am I thinking in the right direction here? Any thoughts? Is this possible?
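One way to prototype the receiving side of the design sketched in the post (compressed raw packets shipped to an HTTP endpoint, consumed as pcap): a small collector that accepts gzip-compressed pcap POSTs, checks the pcap framing before keeping anything, and refuses oversized decompression. This is an added example, not part of the original post and not packetbeat, HAProxy or Snort code. The `PcapSink` class, the `/pcap` path, the `MAX_DECOMPRESSED` cap and the sample frames are assumptions constructed for illustration; the producer is simulated in-process with `post_blob` rather than by packetbeat.

```python
import gzip
import struct
import threading
import zlib
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps, read little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic when the file was written big-endian
LINKTYPE_ETHERNET = 1
MAX_DECOMPRESSED = 64 * 1024 * 1024  # assumed cap: a gzip bomb is cheap for a sender to make


def build_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian classic pcap."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)
    records = [struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in packets]
    return header + b"".join(records)


def parse_pcap(blob):
    """Parse a pcap blob into (ts_sec, ts_usec, frame) tuples.

    Every sender-controlled field (magic, record lengths) is checked before use,
    so a truncated or malformed upload raises ValueError instead of yielding a
    silently partial capture.
    """
    if len(blob) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a pcap stream")
    snaplen = struct.unpack(end + "IHHiIII", blob[:24])[5]
    offset, packets = 24, []
    while offset < len(blob):
        if len(blob) - offset < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", blob[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or incl_len > len(blob) - offset:
            raise ValueError("record length exceeds snaplen or remaining data")
        packets.append((ts_sec, ts_usec, blob[offset:offset + incl_len]))
        offset += incl_len
    return packets


def gunzip_capped(data, limit=MAX_DECOMPRESSED):
    """Inflate a gzip body but refuse to expand beyond `limit` bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed upload exceeds limit")
    return out


class PcapSink(BaseHTTPRequestHandler):
    """Hypothetical collector endpoint: accepts gzip-compressed pcap POSTs."""
    received = []   # parsed records, standing in for the database the poster mentions

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        try:
            if self.headers.get("Content-Encoding") == "gzip":
                body = gunzip_capped(body)
            packets = parse_pcap(body)
        except (ValueError, zlib.error) as exc:
            self._reply(400, str(exc))
            return
        PcapSink.received.extend(packets)
        self._reply(200, str(len(packets)))

    def _reply(self, status, text):
        payload = text.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):   # keep the example quiet
        pass


def post_blob(blob, gzipped=True):
    """Stand-in producer: POST one blob to a local PcapSink, return (status, acked count)."""
    PcapSink.received.clear()
    server = HTTPServer(("127.0.0.1", 0), PcapSink)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        headers = {"Content-Type": "application/vnd.tcpdump.pcap"}
        if gzipped:
            blob = gzip.compress(blob)
            headers["Content-Encoding"] = "gzip"
        req = Request(f"http://127.0.0.1:{server.server_port}/pcap", data=blob,
                      headers=headers, method="POST")
        with urlopen(req) as resp:
            return resp.status, int(resp.read())
    except HTTPError as err:
        return err.code, 0
    finally:
        server.shutdown()
        server.server_close()


# Constructed sample frames (not real traffic): Ethernet header plus padding.
SAMPLE_PACKETS = [
    (1700000000, 1, bytes.fromhex("ffffffffffff000c29aabbcc0806") + b"\x00" * 46),   # ethertype ARP
    (1700000000, 2, bytes.fromhex("000c29ddeeff000c29aabbcc0800") + b"\x45\x00" + b"\x00" * 44),  # ethertype IPv4
]

if __name__ == "__main__":
    print(post_blob(build_pcap(SAMPLE_PACKETS)))   # (200, 2)
    print(post_blob(b"definitely not a pcap"))      # (400, 0)
```

The two checks that matter at the edge are the ones a collector behind a load balancer tends to skip: the pcap framing is validated record by record against `snaplen` and the remaining body before anything is stored, and gzip is inflated through `gunzip_capped` so a sender cannot turn a small POST into an arbitrarily large allocation. Whatever writes the pcap on the server side can feed the same endpoint as long as it sends the global header followed by records and sets `Content-Encoding: gzip`.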