Hosts table : host.name (alias of beat.name) used instead of agent.hostname

I am using beats to forward metrics and logs to Elasticsearch.
In the configuration of each beat I have set up its name manually:

name: "${COMPUTERNAME}-filebeat-applications"

When I go to SIEM -> Hosts -> table All Hosts I have a line for each beat instead of each host. (12 hosts instead of the actual 3)

After inspecting the request I see that the aggregation is performed on the host.name field :

{
  "aggregations": {
    "host_count": {
      "cardinality": {
        "field": "host.name"
      }
    },
    "host_data": {
      "terms": {
        "size": 10,
        "field": "host.name",
        "order": {
          "lastSeen": "desc"
        }
      },

According to the filebeat reference the host.name field is an alias of beat.name which I have changed manually.

I suppose this could be fixed by changing the alias host.name to point to agent.hostname, but then I would be using a modified ECS template, which defeats the purpose.

Another fix could be to just query for agent.hostname from SIEM, although I suspect that it could break when data is not shipped by a beat.

Any suggestions on a workaround and a possible fix?

Thanks,

George.


Hi George,
I'm afraid we've caused some confusion with our documentation and some unexpected field population. I've created a beats issue to get to the bottom of this here.

By design, host.name is the field used by the SIEM app to identify hosts, and as you discovered, is used in the aggregations that populate certain host widgets in the SIEM app. This field is defined in Elastic Common Schema here.

In order for your events to be displayed properly in SIEM app host views, the host.name field must be populated properly. Normally, you should not have to do anything special to make this happen, since if you've set up a Filebeat module, the add_host_metadata processor will populate that field for you by default.

However, in your case, it appears that the value you've set for name: in your beats configuration files is unexpectedly populating the host.name field in your events, causing the host displays to be incorrect.

Workaround:
As a solution or workaround, you can remove the setting of name: from your beats configs, and then the hosts should be displayed properly in the SIEM app. If you want to filter on the beat, you can use the ECS field agent.type which is also populated by default, in your case with "filebeat"

Note: We do not recommend building dependence upon the agent.hostname field, as this is not an ECS-defined field, and its continued use in the future is not certain.

Please let us know if this helps.
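The following is an added example, not code from either post or from Elastic: it reproduces in plain Python what the two aggregations quoted above compute, so the effect of `name:` leaking into host.name can be seen on constructed data, and it shows the workaround from the reply (host.name carrying the hostname, agent.type used to filter by beat). The hostnames, beat names and the assumption that add_host_metadata also writes host.hostname are all constructed for illustration.

```python
# Added example (not from the original thread): simulate the SIEM app's
# host_count (cardinality) and host_data (terms ordered by lastSeen desc)
# aggregations over constructed events, before and after the workaround.
from collections import defaultdict

HOSTS = ["web01", "web02", "db01"]  # constructed hostnames (3 real hosts)
BEATS = ["filebeat-applications", "filebeat-system",
         "metricbeat", "auditbeat"]  # constructed beat instances per host


def make_events(name_set):
    """Build one constructed event per (host, beat) pair.

    name_set=True  -> host.name carries the configured beat `name:`
                      (the behaviour reported in the question).
    name_set=False -> host.name carries the hostname, as the reply says
                      add_host_metadata populates it by default.
    """
    events = []
    ts = 0
    for host in HOSTS:
        for beat in BEATS:
            ts += 1
            beat_name = f"{host}-{beat}"          # e.g. web01-filebeat-applications
            events.append({
                "@timestamp": ts,
                "host.name": beat_name if name_set else host,
                "host.hostname": host,             # assumption: set by add_host_metadata
                "agent.type": beat.split("-")[0],  # filebeat / metricbeat / auditbeat
                "agent.hostname": host,            # non-ECS field; shown, not relied on
                "beat.name": beat_name,
            })
    return events


def host_count(events, field="host.name"):
    """Equivalent of the `host_count` cardinality aggregation."""
    return len({e[field] for e in events})


def host_data(events, field="host.name", size=10):
    """Equivalent of the `host_data` terms aggregation, ordered by lastSeen desc
    and truncated to `size` buckets, as the All Hosts table requests it."""
    last_seen = defaultdict(int)
    for e in events:
        last_seen[e[field]] = max(last_seen[e[field]], e["@timestamp"])
    return sorted(last_seen, key=lambda k: last_seen[k], reverse=True)[:size]


def filter_by_agent_type(events, agent_type):
    """The reply's suggestion for filtering on the beat: use ECS agent.type."""
    return [e for e in events if e["agent.type"] == agent_type]


def misnamed_hosts(events):
    """Check for the misconfiguration: host.name values that disagree with
    host.hostname. Any hit means something other than the host's own name
    (here, the beat `name:`) is being written into host.name."""
    return sorted({e["host.name"] for e in events
                   if e["host.name"] != e["host.hostname"]})


if __name__ == "__main__":
    for label, name_set in (("name: set", True), ("name: removed", False)):
        ev = make_events(name_set)
        print(f"{label}: host_count={host_count(ev)} "
              f"host_data={host_data(ev)} "
              f"filebeat events={len(filter_by_agent_type(ev, 'filebeat'))} "
              f"misnamed={misnamed_hosts(ev)}")
```

Run stand-alone it reports 12 "hosts" (one per beat instance, truncated to 10 rows by the terms size) with `name:` set, and 3 once host.name carries the hostname; `misnamed_hosts` is a quick query to run against your own index (host.name != host.hostname) to confirm whether this is what is happening before changing any configuration.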
