I'd like to filter out a number of processes before Auditbeat sends to Logstash. Sure, the filter works on Logstash, but it is causing lots of reporting and network traffic that could be avoided.
So Auditbeat is on one system, Logstash on another.
Yes, I guess I could put Logstash on the Auditbeat system, but this is a heavily loaded system and we'd rather try to avoid it. What would be good is to have some of the Logstash filtering in Auditbeat itself and perhaps remove the need for Logstash altogether if it is only used for filtering before getting to Elasticsearch.
Just a thought.
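
An added example, not part of the original post: Beats processors run on the Auditbeat host before the output stage, so a `drop_event` processor can discard events from chosen processes before anything crosses the network. The executable paths, the Logstash host and the use of the `process.executable` field are assumptions; field names depend on the Auditbeat version in use.

```yaml
# auditbeat.yml (fragment). Paths and host below are constructed placeholders.
auditbeat.modules:
  - module: auditd
    audit_rules: |
      -a always,exit -F arch=b64 -S execve -k exec

processors:
  # Runs on the Auditbeat host: matching events are discarded here and
  # never reach the output, so they cost no network traffic.
  - drop_event:
      when:
        or:
          # Match the full executable path rather than a bare process name.
          # A name-only match also drops any other binary that reuses the
          # name, which leaves a gap in the audit trail.
          - equals:
              process.executable: "/usr/sbin/example-agent"
          # Anchor the pattern so only binaries under this directory match.
          - regexp:
              process.executable: "^/opt/example-batch/bin/.*"

output.logstash:
  hosts: ["logstash.example.internal:5044"]
```

Dropped events are gone for good, so keep the exclusion list short and under change control; a broad pattern removes the same visibility that the audit rules were added to provide.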