I'm wondering if there is a way to get Filebeat to report specific logs as soon as possible, rather than waiting for the minimum number of events to send in a batch.
I have a security detection setup, to send an alert to my email, whenever there's an SSH login event with an IP address that isn't my own.
However, at the moment the Elastic Agent I have installed on the Linux server is super slow to report the SSH events. I'm assuming that's because it waits until there are x Filebeat logs and then sends them all together in a batch to Logstash?
I'd like my Elastic Agent to send the SSH auth logs as soon as possible, rather than waiting a certain amount of time or until there are x logs.
I want to be able to react to this alert as soon as possible, if that makes sense.
Thanks for the help in advance