How to ignore a specific IP?

So I am doing a data visualization of netflow traffic, and I am running packetbeat in "af mode" to gather all of the netflow data.

The problem is that the IP I am connecting to the box with packetbeat on it from is something I want to ignore, since I know what it is and it is just cluttering things up in the visualization.

I want to ignore all of the traffic that has this data:

"dest.ip" of < XYZ >
and
"source.ip" of < IP of server running packetbeat >

I have the "packetbeat.ignore_outgoing: true" set up in my packetbeat.yml file. I am running this on CentOS and outputting the packetbeat data straight to Logstash.

Is there any way to do this?

You should be able to use a custom BPF filter for this. Something like "not ip ...". Do note the limitations stated in the docs.

What I ended up doing is writing a Logstash filter:

filter {
  if [type] == "flow" and [dest][ip] == "192.168.X.Y" and [packet_source][ip] == "192.168.Z.D" {
    drop { }
  }
}

Which packetbeat version? You can drop events from within packetbeat using processors. Filtering via BPF would be better. The reason is that you want to filter as early as possible. Filtering late still requires you to process and analyse the traffic. Filtering out in Logstash means packetbeat has to serialize and send the events. Filtering early via BPF saves you some resources.
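An added example, not posted in this thread, showing the two packetbeat-side options that reply describes as a packetbeat.yml fragment: the BPF filter that discards the packets in the kernel before capture, and the drop_event processor that discards the already-decoded flow event. The addresses and the Logstash host are placeholders, and the flow field names (type, source.ip, dest.ip) assume a pre-7.0 packetbeat; 7.x renamed dest to destination.

```yaml
# Added example (not from the thread): packetbeat.yml fragment that drops the
# management traffic between the client and the packetbeat host.
# 192.168.X.Y = client, 192.168.Z.D = host running packetbeat (placeholders).

packetbeat.interfaces.device: any
packetbeat.interfaces.type: af_packet

# Option 1 (preferred): BPF filter evaluated by the kernel, so the packets are
# never copied into packetbeat at all. A flow is bidirectional, so exclude
# traffic in both directions between the two hosts, not just client -> server.
packetbeat.interfaces.bpf_filter: "not (host 192.168.X.Y and host 192.168.Z.D)"

packetbeat.flows:
  timeout: 30s
  period: 10s

# Option 2: drop_event processor. The packets are still captured and decoded
# into a flow; only serializing and shipping the event is skipped, so this
# costs more CPU than the BPF filter but needs no capture-time change.
processors:
  - drop_event:
      when:
        and:
          - equals:
              type: flow
          - equals:
              source.ip: "192.168.Z.D"
          - equals:
              dest.ip: "192.168.X.Y"

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder
```

With the BPF option in place the drop_event processor becomes redundant; keep it only if you cannot change the capture filter.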
