Add override for Auditbeat socket dataset
When deployed to a container host, the socket dataset of the Auditbeat system module can become very CPU-intensive, as it captures all socket events from all containers, data which largely overlaps with data collected using Packetbeat. This commit adds an override flag to allow this dataset to be selectively disabled in the case that this CPU usage becomes too high. Change-Id: I595c6b909a83e6f49b1042dff29b38953768ef67
parent
e606489403
commit
7252a4349f
@ -32,3 +32,8 @@ processors: {}
|
||||
# Logging level
|
||||
# Available log levels are error, warning, info, debug
|
||||
auditbeat_log_level: "{{ elastic_beat_log_level | default('info') }}"
|
||||
|
||||
# Override flag to ignore the system socket dataset. This can be resource-intensive,
|
||||
# particularly when auditbeat is deployed to a container host, and largely overlaps
|
||||
# with Packetbeat data
|
||||
auditbeat_ignore_socket_data: false
|
||||
|
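Review bot: The comment above `auditbeat_ignore_socket_data` explains the CPU cost but not what is lost when the flag is set to true. The socket dataset records opened and closed sockets together with the owning process and user, which Packetbeat flow data may not carry depending on how Packetbeat is configured, so the overlap is only partial. I would add a line such as `# Setting this to true removes the socket dataset from the rendered config; only enable it on hosts where Packetbeat is also deployed.` so that an operator who sets the flag knows which telemetry stops being collected.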
@ -141,7 +141,7 @@ auditbeat.modules:
|
||||
- login # User logins, logouts, and system boots.
|
||||
- package # Installed, updated, and removed packages
|
||||
- process # Started and stopped processes
|
||||
{% if not (containerised | default(false)) %}
|
||||
{% if not (containerised | default(false)) and not auditbeat_ignore_socket_data %}
|
||||
- socket # Opened and closed sockets
|
||||
{% endif %}
|
||||
- user # User information
|
||||
|
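Review bot: `not auditbeat_ignore_socket_data` in the new `{% if %}` line tests the raw variable, so a value that arrives as a string (for example `-e auditbeat_ignore_socket_data=false`, or an INI inventory entry) is truthy and the socket dataset would be dropped without anyone having asked for it. Casting the value makes the condition robust against that: `{% if not (containerised | default(false)) and not (auditbeat_ignore_socket_data | bool) %}`. The existing `containerised` test has the same weakness and could take `| bool` as well. The modules list this condition sits in starts and ends outside the hunk.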