Looking at the volume of traffic coming from auditbeat - seems that my 3 zookeeper nodes are creating 5-10x the amount of audit events of any other server. I've added this line which helped a fair bit:
- drop_event.when.equals.network.direction: outbound
Wondering if there are other settings that might help to limit the amount of audit traffic.
These nodes really aren't that busy.
Can you share your Auditbeat version and configuration in auditbeat.yml ?
Logs seem to indicate that its all the RPC work happening in zk. I disabled audits for that and it seems to have calmed down.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.