Host.name field winlogbeat (FQDN) vs filebeat (shortname)

jimmburton · April 16, 2020, 8:12pm

I have built a brand new 7.6.2 cluster and I am testing SIEM with it as well as making some changes in the architecture and index layout from my old 6.x cluster I have updated a few times.

I have a windows system where I have auditbeat and winlogbeat installed and sending directly to the ES cluster as an output. I have noticed that the host.name field is set to the FQDN from winlogbeat, and the short name is used with auditbeat. This causes the SIEM dashboard to see 2 hosts one with FQDN and one with short name due to the host.name field being different.

I have looked at the logs and the "Beat name:" is set to the short name for both beats.

Is there a way to make the host.name field the shortname of the host fro auditbeat on a windows system?

johncollaros · April 28, 2020, 2:25am

Hi,

Just to confirm I am experiencing this problem too.
I have recently upgraded to 7.6.2 beats from 7.5.0, and I am seeing the same behaviour where winlogbeat sends the FQDN in the host.name field, and all other beats send just the hostname.

system · May 26, 2020, 4:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Hosts duplicated with and without fqdn SIEM	7	1791	July 28, 2020
Host listed twice, one with hostname one with FQDN Beats winlogbeat	2	526	June 19, 2020
SIEM App does not display Hostnames from Beats Events SIEM	6	818	March 20, 2020
Hosts table : host.name (alias of beat.name) used instead of agent.hostname SIEM	2	3550	March 16, 2020
Modify Beats Output Beats winlogbeat , auditbeat	1	262	October 6, 2020

Host.name field winlogbeat (FQDN) vs filebeat (shortname)

Related topics