Add override for Auditbeat socket dataset

When deployed to a container host, the socket dataset of the Auditbeat
system module can become very CPU-intensive, as it captures all socket
events from all containers, data which largely overlaps with data
collected using Packetbeat. This commit adds an override flag to allow
this dataset to be selectively disabled in the case that this CPU usage
becomes too high.

Change-Id: I595c6b909a83e6f49b1042dff29b38953768ef67
Duncan Martin Walker 2020-05-26 10:55:15 +01:00
parent e606489403
commit 7252a4349f
2 changed files with 6 additions and 1 deletions


@ -32,3 +32,8 @@ processors: {}
# Logging level
# Available log levels are error, warning, info, debug
auditbeat_log_level: "{{ elastic_beat_log_level | default('info') }}"
# Override flag to ignore the system socket dataset. This can be resource-intensive,
# particularly when auditbeat is deployed to a container host, and largely overlaps
# with Packetbeat data
auditbeat_ignore_socket_data: false
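Review bot: The comment above `auditbeat_ignore_socket_data` should state when the flag actually takes effect and what is lost by enabling it. In the template hunk the socket dataset is only emitted when `not (containerised | default(false)) and not auditbeat_ignore_socket_data`, so the flag is consulted only on non-containerised hosts (containerised deployments already skip the dataset), and setting it to `true` drops host-level socket open/close events from Auditbeat entirely, leaving only what Packetbeat captures. The default of `false` correctly preserves existing behaviour; a one-line note such as `# Only consulted when containerised is false; defaults to false to keep the dataset enabled` would make that explicit for operators reading the defaults file.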


@ -141,7 +141,7 @@ auditbeat.modules:
- login # User logins, logouts, and system boots.
- package # Installed, updated, and removed packages
- process # Started and stopped processes
{% if not (containerised | default(false)) %}
{% if not (containerised | default(false)) and not auditbeat_ignore_socket_data %}
- socket # Opened and closed sockets
{% endif %}
- user # User information
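Review bot: The new condition references `auditbeat_ignore_socket_data` without a default, while the neighbouring `containerised` variable is guarded with `| default(false)`; if the template is rendered in a context where the defaults file is not loaded, the undefined variable will fail the render rather than silently keeping the dataset. For consistency and robustness the line should read `{% if not (containerised | default(false)) and not (auditbeat_ignore_socket_data | default(false)) %}`. Since the change only removes the `- socket` entry from the rendered list and leaves `{% endif %}` and the following `- user` item untouched, the YAML list structure is unaffected.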