Host.id is not unique

navigator182 · August 23, 2019, 10:02am

I am running auditbeat with more than 300 hosts, but there is 50 hosts showing at "[Visualize]Host Count [Auditbeat System] ECS". I find that the host.id is not unique. it's same on filebeat. How is it happened?auditbeat001|422x500
p.s. the hostname looks like vrs001.clive.ghxw.node.abcd.cn, vpm001.mamvod.ghxw.node.abcd.cn and so on

Michael_Madden · September 3, 2019, 7:56pm

Hello,

Thanks for reaching out regarding auditbeat. All the beats read the contents of /etc/machine-id. Are these hosts possibly cloned from a template? If this is the case, you may need to regenerate the file.

The following article is a good source for updating /etc/machine-id on CentOS/RHEL 7.
https://www.thegeekdiary.com/centos-rhel-7-how-to-change-the-machine-id/

navigator182 · September 5, 2019, 9:43am

Thanks for your reply. The OS is Centos6.6 and there is not the file /etc/machine-id.
The version of beats is 7.2.0. The beats are intalled by rpm packages.

auditbeat-7.2.0-1.x86_64.rpm
filebeat-7.2.0-1.x86_64.rpm

andrewkroh · September 5, 2019, 2:47pm

Older OSes may have the machine-id stored in a different location.

github.com

elastic/go-sysinfo/blob/51d9d1362d77a4792dfb39a7a19f056cdf1b9840/providers/linux/machineid.go#L31-L33


	// Possible (current and historic) locations of the machine-id file.
	// These will be searched in order.
	machineIDFiles = []string{"/etc/machine-id", "/var/lib/dbus/machine-id", "/var/db/dbus/machine-id"}

I think the file can be regenerated by removing it and running dbus-uuidgen --ensure.

navigator182 · September 6, 2019, 2:39am

Got it. Thanks a lot.

system · October 4, 2019, 4:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.