Is it possible to have Auditbeat filter before sending the results


#1

I'd like to filter out a number of processes, before Auditbeat sends to Logstash. Sure the filter works on Logstash, but it is causing lots of reporting and network traffic that could be avoided.

So Auditbeat is on one system Logstash on another.

Yes I guess I could put Logstash on the Auditbeat system, but this is a heavily loaded system and we'd rather try to avoid it. What would be good is to have some of the Logstash filtering in the Auditbeat itself and perhaps remove the need for Logstash all together if it is only used for filtering before getting to Elasticsearch.

Just a thought.


(Mathieu Martin) #2

Hi!

You can already do this with the drop processor. You drop only when a certain condition matches. Here are two links to get you started:


#3

Hi Matthieu, Just to confirm that this is in the auditbeat.yml file? Before it even gets to Logstash? You might have just made my day. Thanks, N


#4

Hi, so I have in logstash a filter of

  if [process][exe] == "/opt/tivoli/tsm/client/ba/bin/dsmc" {
    drop { }
  }

is the equivalent in Auditbeat

#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.

processors:
 - drop_event:
     equals:
       process.exe: /opt/tivoli/tsm/client/ba/bin/dsmc

And if I want to add further ones like this something like

processors:
 - drop_event:
     equals:
       process.exe: /opt/tivoli/tsm/client/ba/bin/dsmc
     equals:
       process.exe: /usr/bin/rsync

Or would it be more efficient to use an or: in here.


(Adrian Serrano) #5

That's probably not going to work as expected. It's easier with two processors:

processors:
 - drop_event:
     equals:
       process.exe: /opt/tivoli/tsm/client/ba/bin/dsmc
 - drop_event:
     equals:
       process.exe: /usr/bin/rsync

#6

Thanks Adrian, will give it a go.