Endpoint Agent two host showing in logs-* per host

The1WhoPrtNocks · January 19, 2021, 1:53pm

Re-created with elastic-agent tag for better visibility.

Hi,

I have recently been rolling out the Endpoint agent to some host for testing.
Within the fleet agents tab, there is a single entry for each host in the format "hostname".

However within the logs-* index there are two host names for each host in the following formats, "hostname" and "hostname.domain.name.here" .

This is then showing as two separate hosts under the SIEM hosts location.

Any idea as to what could be causing this ?

Thanks in advance

mtojek · January 20, 2021, 9:10am

Would you mind posting a Kibana screenshot and/or dump of Elasticsearch index (relevant dumps)?

The1WhoPrtNocks · January 20, 2021, 10:58am

Hi @mtojek,

Thanks for getting back to me.

Below is the list of test agents I have deployed using fleet.

Here is a screen grab from the logs-* index , you can see i could filter by host.hostname:"IPPLAP067" but IPPLAP067.ipperf.local is also available in the index

Finally here is the data in the SIEM app which pulls from this log clearly showing the two host names also with different features.

system · February 17, 2021, 12:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Endpoint Agent two host showing in logs-* per host Beats filebeat	1	213	February 8, 2021
Elastic SIEM showing duplicate hosts when Defender ATP logs are shipped in SIEM	6	833	October 21, 2020
How to set/change Elastic Agent with same hostname Elastic Agent	7	493	April 5, 2024
How to Differentiate Elastic Agent with same hostname Elastic Agent	1	253	March 6, 2023
Elastic Security - what is the difference between adding something to the fleet, and a host / endpoint? SIEM	1	229	December 25, 2023

Endpoint Agent two host showing in logs-* per host

Related Topics