Hello, hope everyone is in good health.
We want to monitor the amount of data (GBs) being sent to an HTTPS endpoint from our logstash servers. To do so we installed packetbeat with the attached configuration.
Usually this would be a case of searching for all traffic on TLS to the IP addresses of the endpoint, however these are relatively dynamic as it's an AWS load balancer. The challenge we face is that some of the events logged contain a destination.domain with the endpoint, whereas the ones with byte fields do not, but do contain the IP addresses.
Does anyone have any experience/solutions/pointers on how we could monitor this traffic properly?
```yaml
#============================== Network device ================================
packetbeat:
  interfaces:
    device: any

#================================== Flows =====================================
packetbeat.flows:
  # Enable Network flows. Default: true
  #enabled: true

  # Set network flow timeout. Flow is killed if no packet is received before being
  # timed out.
  timeout: 30s

  # Configure reporting period. If set to -1, only killed flows will be reported
  period: 10s

  # Set to true to publish fields with null values in events.
  #keep_null: false

#========================== Transaction protocols =============================
packetbeat.protocols:
- type: http
  enabled: true
  ports:
  tags: ["elk", "logstash"]

- type: tls
  enabled: true
  ports:
  tags: ["elk", "logstash"]

#================================ Processors ===================================
```
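An added example, not part of the original post, of the join the question describes: TLS events carry the endpoint name (SNI) but no byte counters, flow events carry the counters but only IPs, so the TLS events are used to learn an IP-to-domain map and the flow bytes are then summed per domain. It assumes packetbeat's ECS-style field names (`type` of `tls`/`flow`, `destination.ip`, `destination.domain`, `source.bytes`, `destination.bytes`); the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample packetbeat events, one JSON document per line. Field names
# are assumed ECS-style: `type` (tls/flow), `destination.ip`, `destination.domain`
# (the TLS server name) and `source.bytes` / `destination.bytes` on flow events.
SAMPLE_EVENTS = "\n".join([
    '{"type":"tls","destination":{"ip":"203.0.113.10","domain":"ingest.example.net"}}',
    '{"type":"flow","destination":{"ip":"203.0.113.10","bytes":1500},"source":{"bytes":4000000}}',
    '{"type":"flow","destination":{"ip":"203.0.113.11","bytes":900},"source":{"bytes":2500000}}',
    '{"type":"tls","destination":{"ip":"203.0.113.11","domain":"ingest.example.net"}}',
    '{"type":"flow","destination":{"ip":"198.51.100.7","bytes":100},"source":{"bytes":300}}',
])


def attribute_bytes(lines):
    """Return {domain: {"bytes_out": n, "bytes_in": n}}; flows whose destination IP
    never appeared in a TLS event are collected under "unresolved"."""
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    # First pass: learn destination IP -> domain from TLS events, so a flow that
    # was reported before the matching handshake event is still attributed.
    ip_to_domain = {}
    for ev in events:
        if ev.get("type") == "tls":
            dst = ev.get("destination", {})
            if dst.get("ip") and dst.get("domain"):
                ip_to_domain[dst["ip"]] = dst["domain"]
    # Second pass: sum the flow byte counters per resolved domain.
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0})
    for ev in events:
        if ev.get("type") != "flow":
            continue
        dst = ev.get("destination", {})
        domain = ip_to_domain.get(dst.get("ip"), "unresolved")
        # Seen from the logstash host, source.bytes is what it sent to the endpoint.
        totals[domain]["bytes_out"] += ev.get("source", {}).get("bytes", 0)
        totals[domain]["bytes_in"] += dst.get("bytes", 0)
    return dict(totals)


if __name__ == "__main__":
    for domain, t in attribute_bytes(SAMPLE_EVENTS).items():
        print(f"{domain}: {t['bytes_out'] / 1e9:.6f} GB out, {t['bytes_in']} B in")
```

Because load balancer IPs change and can be shared by other hostnames, the IP-to-domain map should be built over a bounded time window rather than kept forever, and the "unresolved" bucket is the signal that the window is too short or that TLS events are being missed.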