diff --git a/elk_metrics_7x/roles/elastic_auditbeat/defaults/main.yml b/elk_metrics_7x/roles/elastic_auditbeat/defaults/main.yml
index 3388b041..7e7287ba 100644
--- a/elk_metrics_7x/roles/elastic_auditbeat/defaults/main.yml
+++ b/elk_metrics_7x/roles/elastic_auditbeat/defaults/main.yml
@@ -32,3 +32,8 @@ processors: {}
 # Logging level
 # Available log levels are error, warning, info, debug
 auditbeat_log_level: "{{ elastic_beat_log_level | default('info') }}"
+
+# Override flag to ignore the system socket dataset. This can be resource-intensive,
+# particularly when auditbeat is deployed to a container host, and largely overlaps
+# with Packetbeat data
+auditbeat_ignore_socket_data: false
diff --git a/elk_metrics_7x/roles/elastic_auditbeat/templates/auditbeat.yml.j2 b/elk_metrics_7x/roles/elastic_auditbeat/templates/auditbeat.yml.j2
index e1c1ae5b..4cb0afa8 100644
--- a/elk_metrics_7x/roles/elastic_auditbeat/templates/auditbeat.yml.j2
+++ b/elk_metrics_7x/roles/elastic_auditbeat/templates/auditbeat.yml.j2
@@ -141,7 +141,7 @@ auditbeat.modules:
 - login # User logins, logouts, and system boots.
 - package # Installed, updated, and removed packages
 - process # Started and stopped processes
-{% if not (containerised | default(false)) %}
+{% if not (containerised | default(false)) and not auditbeat_ignore_socket_data %}
 - socket # Opened and closed sockets
 {% endif %}
 - user # User information
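Review bot: The comment above `auditbeat_ignore_socket_data` justifies the flag by its overlap with Packetbeat, but nothing in this role checks that Packetbeat is actually deployed, so an operator who sets it true on a host without Packetbeat silently drops every socket open/close event from the audit trail. I'd make that trade-off explicit in the comment, e.g. `# Only set this to true where Packetbeat (or another network monitor) covers the host; otherwise socket open/close events are lost from the audit trail.` The word "ignore" also reads oddly for a flag whose effect (in the template change) is to omit the dataset from the rendered config; "disable" would describe it more accurately, though renaming the variable now would be an interface change.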
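Review bot: The new condition tests `auditbeat_ignore_socket_data` bare, while the neighbouring `containerised` is guarded with `default(false)`; a value supplied from inventory or `-e` arrives as the string `"true"`/`"false"`, and any non-empty string is truthy in Jinja, so `-e auditbeat_ignore_socket_data=false` would disable the socket dataset rather than keep it. Casting makes the flag behave as its default documents: `{% if not (containerised | default(false) | bool) and not (auditbeat_ignore_socket_data | default(false) | bool) %}`. The `default(false)` also keeps the template renderable if it is ever used without this role's defaults loaded. The enclosing `auditbeat.modules` block starts and ends outside the hunk.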