Merge "Add override for Auditbeat socket dataset"

elk_metrics_7x/roles/elastic_auditbeat/defaults/main.yml

@@ -32,3 +32,8 @@ processors: {}
 # Logging level
 # Available log levels are error, warning, info, debug
 auditbeat_log_level: "{{ elastic_beat_log_level | default('info') }}"
+
+# Override flag to ignore the system socket dataset. This can be resource-intensive,
+# particularly when auditbeat is deployed to a container host, and largely overlaps
+# with Packetbeat data
+auditbeat_ignore_socket_data: false

elk_metrics_7x/roles/elastic_auditbeat/templates/auditbeat.yml.j2

@@ -141,7 +141,7 @@ auditbeat.modules:
     - login   # User logins, logouts, and system boots.
     - package # Installed, updated, and removed packages
     - process # Started and stopped processes
-{% if not (containerised | default(false)) %}
+{% if not (containerised | default(false)) and not auditbeat_ignore_socket_data %}
     - socket  # Opened and closed sockets
 {% endif  %}
     - user    # User information