Hi, I'm using Filebeat 7.6.0 to parse CEF logs from our ArcSight SmartConnector. I've noticed that agent.hostname and agent.name are incorrectly set. Agent.name should not be the hostname of the host where the SmartConnector is running, but the actual name that is configured for the SmartConnector. And agent.hostname is reporting the hostname of the host that actually created the log, the original sender, which is incorrect. agent.hostname should be the hostname of the host that is running the SmartConnector (same as cef.extensions.agentHostName).
Hi, thanks for replying. I'm using the cef module in Filebeat.
Ok, so agent is for Beats, got it.
It is true that cef.extensions.agentHostName is populated, but where is cef.extensions.agentName in that case? The information is necessary since a host can have multiple ArcSight SmartConnectors and the name is the only way to distinguish them from one another.
Edit: I see, this is a limitation of the CEF standard, that's why I'm missing this information.