`host.name` and `host.hostname`

What kind of values are folks using for host.name and host.hostname?

Basically I think ECS is encouraging FQDN in host.name and short name in host.hostname?


This might be an interesting discussion for you: Clarify host.name vs. host.hostname · Issue #498 · elastic/ecs · GitHub

Standard use case should be: all events have both host.hostname and host.name filled with the same information, the hostname of the machine.
This way, host.hostname can always be trusted to reflect whatever the reality is on that server, whereas host.name is more of a "true identity", adapted to the user's environment.

We are using this for servers with aliases:

  • host.hostname contains the cryptic hostname, e.g. debh103525
  • host.name contains the more readable server alias, e.g. elastic-01.mycompany.com

Best regards

I agree with @Wolfram_Haussig.

Restating another way, host.hostname represents how the system ids itself (usually what's returned by the hostname command). And host.name is more readable and meaningful, such as a fully-qualified hostname obtained through a reverse DNS lookup.

A less common but still valid use is described in this GitHub comment from the issue already linked above. In a situation where many devices might have identical hostname values, host.name could contain a unique value.

For example, two laptops with a host.hostname of erics-macbook could have unique host.name values, like Eric's Macbook and Eric's Backup Macbook.

This looks like it was a particularly thorny semantic to nail down. I don't envy the schema development work, it's complicated and interconnected and subtle. Even just trying to grasp it as a user and do the right thing is challenging.

So thanks a ton for the responses, @ebeahan and @Wolfram_Haussig

Another way I'm thinking of this is along the lines of «host.name is more of a "true identity", adapted to the user's environment»: "really trying to provide the best unique/disambiguating identifier possible". A globally-unique identifier in the form of an FQDN is a good choice for that.

In our shop we have unique hostnames, thankfully, so we can use the more convenient-to-type-and-read shorter names in a uniquely-identifying field.

Thanks again!
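The conventions discussed in this thread, as an added example that is not part of any post above and not code from the ECS project: `host.hostname` carries what the machine reports, `host.name` carries an alias, an FQDN, or the same value, and a check flags `host.name` values that fail to identify a single machine. The function names, the alias table and the `id-*` values are hypothetical; `host.id` is the ECS field for a unique host id and is assumed to be available.

```python
from collections import defaultdict

def fill_host_fields(reported, host_id, aliases=None, fqdn=None):
    """Build ECS host fields following the conventions in the thread.

    reported : what the machine calls itself (output of `hostname`)
    host_id  : stable per-machine id (ECS host.id), assumed available
    aliases  : hypothetical {host_id: readable name} table kept by the operator
    fqdn     : fully-qualified name, e.g. from a reverse DNS lookup done elsewhere
    """
    aliases = aliases or {}
    # host.hostname always reflects reality on the machine.
    # host.name is the "true identity": alias first, then FQDN, then the
    # standard case where both fields carry the same value.
    name = aliases.get(host_id) or fqdn or reported
    return {"host": {"id": host_id, "hostname": reported, "name": name}}

def ambiguous_names(events):
    """Return host.name values shared by more than one host.id, sorted."""
    ids_by_name = defaultdict(set)
    for ev in events:
        ids_by_name[ev["host"]["name"]].add(ev["host"]["id"])
    return sorted(n for n, ids in ids_by_name.items() if len(ids) > 1)

# Constructed sample data reusing the example values from the thread:
# (reported hostname, host.id, readable or fully-qualified name if known)
ALIASES = {"id-a": "Eric's Macbook", "id-b": "Eric's Backup Macbook"}
SAMPLE = [
    ("debh103525", "id-s", "elastic-01.mycompany.com"),
    ("erics-macbook", "id-a", None),
    ("erics-macbook", "id-b", None),
]

def build(aliases):
    """Build one event per sample machine using the given alias table."""
    return [fill_host_fields(r, i, aliases, f) for r, i, f in SAMPLE]

if __name__ == "__main__":
    print(ambiguous_names(build({})))       # two laptops share one host.name
    print(ambiguous_names(build(ALIASES)))  # aliases make host.name unique
```

Running the same check over indexed events before building dashboards or detections keyed on `host.name` shows whether that field actually disambiguates hosts in a given environment.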