How to clear filebeat events so it does not enter kibana?

[iqworks]

Hi, I know I filebeat in my security onion so-status. I am using windows 10. The events get into my kibana, even when i so-elastic-clear and so-nsm-clear. How can I clear filebeat so kibana is completely empty?

thanks for any help, adive or suggestions

[InfosecGoon]

Filebeat is simply an agent -- it reads the files that it's instructed to and then forwards their contents to the Logstash receiver in Security Onion.

If you'd like a completely empty Kibana, you could do this:

Log into the SSH session on your Manager/Standalone node.
Stop logstash: "sudo so-logstash-stop".
Stop filebeat: "sudo so-filebeat-stop".
Stop the salt minion: "sudo systemctl stop salt-minion".
Clear Elasticseach: "so-elastic-clear"

That should stop every process that would be writing into Elasticsearch and clear out whatever's in there, so your Kibana will be empty.

[iqworks]

Thanks infosec, I am working on another project for the next few weeks. Then I will be back on security onion.
That was great clarification, I will try them when I get back. I will let you know what I see.
Thanks for your suggestions and advice !