Host.name field winlogbeat (FQDN) vs filebeat (shortname)

jimmburton · April 16, 2020, 8:12pm

I have built a brand new 7.6.2 cluster and I am testing SIEM with it as well as making some changes in the architecture and index layout from my old 6.x cluster I have updated a few times.

I have a windows system where I have auditbeat and winlogbeat installed and sending directly to the ES cluster as an output. I have noticed that the host.name field is set to the FQDN from winlogbeat, and the short name is used with auditbeat. This causes the SIEM dashboard to see 2 hosts one with FQDN and one with short name due to the host.name field being different.

I have looked at the logs and the "Beat name:" is set to the short name for both beats.

Is there a way to make the host.name field the shortname of the host fro auditbeat on a windows system?

johncollaros · April 28, 2020, 2:25am

Hi,

Just to confirm I am experiencing this problem too.
I have recently upgraded to 7.6.2 beats from 7.5.0, and I am seeing the same behaviour where winlogbeat sends the FQDN in the host.name field, and all other beats send just the hostname.

Topic		Replies	Views
Hosts duplicated with and without fqdn SIEM	7	1898	July 28, 2020
Modify Beats Output Beats winlogbeat , auditbeat	1	291	October 6, 2020
Host listed twice, one with hostname one with FQDN Beats winlogbeat	2	590	June 19, 2020
Filebeat Not Capturing "hostname" as full FQDN on Windows Beats filebeat	3	2260	August 1, 2016
Hosts tab in SIEM and WEF SIEM	17	2250	October 14, 2019

Host.name field winlogbeat (FQDN) vs filebeat (shortname)

Related topics