I am running auditbeat with more than 300 hosts, but there is 50 hosts showing at "[Visualize]Host Count [Auditbeat System] ECS". I find that the host.id is not unique. it's same on filebeat. How is it happened?auditbeat001|422x500
p.s. the hostname looks like vrs001.clive.ghxw.node.abcd.cn, vpm001.mamvod.ghxw.node.abcd.cn and so on
Hello,
Thanks for reaching out regarding auditbeat. All the beats read the contents of /etc/machine-id. Are these hosts possibly cloned from a template? If this is the case, you may need to regenerate the file.
The following article is a good source for updating /etc/machine-id on CentOS/RHEL 7.
https://www.thegeekdiary.com/centos-rhel-7-how-to-change-the-machine-id/
Thanks for your reply. The OS is Centos6.6 and there is not the file /etc/machine-id.
The version of beats is 7.2.0. The beats are intalled by rpm packages.
auditbeat-7.2.0-1.x86_64.rpm
filebeat-7.2.0-1.x86_64.rpm
Older OSes may have the machine-id stored in a different location.
I think the file can be regenerated by removing it and running dbus-uuidgen --ensure.
Got it. Thanks a lot.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.