How to ignore a specific IP?

Ben_Hoffman · February 14, 2017, 7:11pm

So I am doing a data visualization of netflow traffic, and I am running packetbeat in "af mode" to gather all of the netflow data.

The problem is that the IP that I am connecting to the box with packetbeat on it, is something I want to ignore. Since I know what it is and it is just cluttering things up in the visualization.

I want to ignore all of the traffic that has this data:

"dest.ip" of < XYZ >
and
"source.ip" of < IP of server running packetbeat >

I have the "packetbeat.ignore_outgoing: true" set up in my packetbeat.yml file. I am running this on CentOS and outputting the packetbeat data straight to Logstash.

Is there any way to do this?

tudor · February 15, 2017, 11:19am

You should be able to use a custom BPF filter for this. Something like not ip ....Do note the limitations stated in the docs.

Ben_Hoffman · February 15, 2017, 7:25pm

What I ended up doing is writting a Logsash filter:

filter {
      if[type] == "flow" and [dest][ip] == "192.168.X.Y" and [packet_source][ip] == "192.168.Z.D" {
            drop { }
      }
}

steffens · February 16, 2017, 5:03pm

which packetbeat version? You can drop events from within packetbeat using processors. Filtering via BPF would be better. Reason is, you want to filter as early as possible. Filtering late, still requires you to process and analyse the traffic. Filtering out in logstash means packetbeat has to serialize and send events. Filtering early via BPF saves you some resources.

system · March 16, 2017, 5:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.