Zookeeper 5-10x audit-activity

Looking at the volume of traffic coming from auditbeat - seems that my 3 zookeeper nodes are creating 5-10x the amount of audit events of any other server. I've added this line which helped a fair bit:

- drop_event.when.equals.network.direction: outbound

Wondering if there are other settings that might help to limit the amount of audit traffic.

These nodes really aren't that busy.

Can you share your Auditbeat version and configuration in auditbeat.yml ?

Logs seem to indicate that its all the RPC work happening in zk. I disabled audits for that and it seems to have calmed down.