[Packetbeat] Add support for ignoring interfaces #40566
Labels
Comments
botelastic
bot
added
the
needs_team
ycombinator
added
the
Team:Security-Linux Platform
|
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform) |
botelastic
bot
removed
the
needs_team
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the enhancement:
Currently when setting the
packetbeatsniffer the interface field is either an interface name oranyfor all interfaces. If you have N number of interfaces your only option is to useany.Describe a specific use case for the enhancement or feature:
The enhancement would be to add support for specifying a list of interfaces that should be ignore by the sniffer. This would allow packetbeat to focus on interfaces the user cares about.
packetbeat.interfaces.ignore: [lo, eth0, veth, docker0]Current solution
Currently the only way to accomplish this is by adding processors and drop_events, at this point the packetbeat process has sniffed those packets only to be dropped this takes cycles from actual interfaces the user cares about.
The docs say the events have the
interface.namefield, but I don't have that ECS for some reason. Not sure if it's related to my output beinglogstashinstead ofelasticsearch.The text was updated successfully, but these errors were encountered: