Is there a way to configure filebeat to send certain logs as quick as possible?

I'm wondering if there is a way to get Filebeat to report specific logs as soon as possible.. rather than waiting for the minimum amount of events to send in a batch.

For example:

I have a security detection setup, to send an alert to my email, whenever there's an SSH login event with an IP address that isn't my own.

However at the moment the Elastic Agent I have installed on the linux server is super slow to report the SSH events. I'm assuming because it waits until there are x filebeat logs .. and then send's them all together in a batch, to logstash?

I'd like for my Elastic Agent to send the SSH auth logs as soon as possible.. rather than waiting a certain amount of time... or before there are x amount of logs.

I want to be able to react to this alert as soon as possible... if that makes sense.

Thanks for the help in advance :slight_smile:

filebeat uses an in-memory queue which is described here. The default is to flush the queue after one second. The default delay for a batch in logstash is 50 milliseconds.

1 Like

Thanks for the info @Badger Do you know how I would configure this in the Fleet Agent? :slight_smile:

I did not even know Fleet existed until I just googled it, so I cannot help you there.

Have a look at Policy settings | Fleet User Guide [7.11] | Elastic for all configuration options.

The configuration you are looking for is:

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.