You didn't mention what you are monitoring with Packetbeat, but I'm assuming you are talking about flow data rather than any one specific protocol.
There are multiple ways to filter Packetbeat data. Here are a few options you can set in your config file.
packetbeat.interfaces.device: eth0
- On Linux the pseudo "any" interface is used by default. If you do not want to capture localhost traffic then you can change the value to listen on a specific interface like eth0.
packetbeat.interfaces.bpf_filter: "net 192.168.0.0/16 and not port 5044"
- You can use a custom BPF filter to select the traffic you are interested in.
Use a drop_event processor to select specific events to drop. It's more efficient to filter the traffic using one of the other methods. This would drop the data only after it has been processed by Packetbeat and turned into an event.
https://stackoverflow.com/questions/41944409/how-to-filter-out-the-127-0-0-1-traffic-from-packetbeat-and-logstash/41944992#41944992
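The three options from the answer above combined in one packetbeat.yml, as an added example that is not part of the original answer. It assumes Packetbeat 7.x or later, where the ECS field names `source.ip` and `destination.ip` and the `network` condition with the named range `loopback` are available; older releases use different field names.

```yaml
# Added example, not from the original answer.
# Assumes Packetbeat 7.x+ (ECS field names, `network` condition).

# 1) Capture on a single NIC instead of the Linux "any" pseudo-interface,
#    so loopback packets are never captured at all.
packetbeat.interfaces.device: eth0

# 2) Kernel-level BPF filter: keep only traffic touching 192.168.0.0/16 and
#    skip port 5044 (the port excluded in the answer's filter).
packetbeat.interfaces.bpf_filter: "net 192.168.0.0/16 and not port 5044"

packetbeat.flows:
  timeout: 30s
  period: 10s

# 3) Fallback when capture must stay on "any": drop events whose two
#    endpoints are both loopback addresses (127.0.0.0/8 or ::1).
#    This runs only after Packetbeat has already decoded the traffic
#    and built the event, so it costs more than options 1 and 2.
processors:
  - drop_event:
      when:
        and:
          - network:
              source.ip: loopback
          - network:
              destination.ip: loopback
```

Options 1 and 2 discard packets before Packetbeat decodes them; keep the processor only for cases the capture-level filters cannot express.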