Is there a way to configure filebeat to send certain logs as quick as possible?

I'm wondering if there is a way to get Filebeat to report specific logs as soon as possible, rather than waiting for the minimum number of events to send in a batch.

For example:

I have a security detection setup, to send an alert to my email, whenever there's an SSH login event with an IP address that isn't my own.

However, at the moment the Elastic Agent I have installed on the Linux server is super slow to report the SSH events. I'm assuming it's because it waits until there are x Filebeat logs and then sends them all together in a batch to Logstash?

I'd like my Elastic Agent to send the SSH auth logs as soon as possible, rather than waiting a certain amount of time or until there are x logs.

I want to be able to react to this alert as soon as possible... if that makes sense.

Thanks for the help in advance.

Filebeat uses an in-memory queue, which is described here. The default is to flush the queue after one second. The default delay for a batch in Logstash is 50 milliseconds.

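For a standalone (non-Fleet) Filebeat, the queue settings the reply above refers to can be lowered so that SSH auth events are handed to the output as soon as they are read. This is an added example, not configuration from the thread; the input id, the auth log path, the sshd line filter and the Logstash hostname are assumptions.

```yaml
# filebeat.yml (standalone Filebeat): added example, not from the original thread.
# Goal: forward SSH auth events without waiting for a batch to fill up.

filebeat.inputs:
  - type: filestream
    id: ssh-auth                 # assumed input id
    paths:
      - /var/log/auth.log        # Debian/Ubuntu; RHEL-family systems use /var/log/secure
    include_lines: ['sshd\[']    # assumption: only sshd lines are worth shipping immediately

# In-memory queue. Defaults: flush.min_events 2048 and flush.timeout 1s, i.e. an event can
# sit in the queue for up to a second (or until the batch is full) before the output sees it.
queue.mem:
  events: 4096
  flush.min_events: 1            # flush every event instead of waiting for a batch
  flush.timeout: 0s              # no wait; events are made available to the output immediately

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder hostname
  bulk_max_size: 64              # small batches are fine for low-volume auth logs
```

A Fleet-managed agent does not read a local filebeat.yml, so the same values have to be supplied through the agent policy instead. Flushing every event costs throughput on busy inputs, so apply it only to the low-volume security sources you want alerted on quickly.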

Thanks for the info @Badger. Do you know how I would configure this in the Fleet Agent?

I did not even know Fleet existed until I just googled it, so I cannot help you there.

Have a look at Policy settings | Fleet User Guide [7.11] | Elastic for all configuration options.

The configuration you are looking for is: reporting_threshold and reporting_check_frequency_sec

