How to correctly report VM hostname when Elastic Agent runs in a Podman container

Hi everyone,

I’m trying to collect package installation/removal events using the system_audit.package stream on Rocky Linux 9.6.

I’m running Elastic Agent 9.1.3 (elastic-agent-complete) inside a Podman container, managed via podman-compose.

Image: docker.elastic.co/elastic-agent/elastic-agent-complete:9.1.3

I’m using the Kibana System Audit Integration v1.11.0.

Context

In this setup, the ingested logs have identical values for host.name, host.hostname, and agent.name — all matching the container name.

However, these containers are actually collecting audit data from the host VM, so I’d like to include an identifier of that VM (not the container).

Could you please advise which ECS field would be most appropriate for that purpose?

Is it recommended to overwrite host.name / host.hostname with the VM’s name, or should I use a different field instead?

What I’ve tried

  • Mounting /etc/hostname → /etc/hostname
      → The agent didn’t seem to use it.

  • Setting an environment variable with the host’s name and adding processors:

processors:
  - add_fields:
      target: host
      fields:
        name: "somehostname"
        hostname: "somehostname"

But the agent still overwrote these fields internally.

For now, I’ve worked around this using a @custom ingest pipeline in Elasticsearch that replaces the values after ingestion, but I’d much prefer a clean solution directly on the agent level if possible.

Any guidance or best practices on how to handle this would be greatly appreciated.
Thanks!

Turns out the solution was pretty simple — since the setup uses Jinja2 and Ansible, I just set this in the podman-compose file:

services:
  elastic-agent:
    hostname: "{{ inventory_hostname }}"
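To show how the fix above fits into a full service definition, here is an added example of a podman-compose template; it is not the poster's own file. The image tag and the `hostname: "{{ inventory_hostname }}"` line come from the thread. Everything else (the `container_name`, the Fleet enrollment environment variables with placeholder values, and the read-only mount of the host's RPM database so the system_audit.package stream can see the VM's packages) is an assumption about a typical Fleet-managed setup and must be adapted to the actual deployment.

```yaml
# podman-compose.yml.j2 - rendered by Ansible before `podman-compose up`.
# Added example, not the original poster's file. Only `image` and
# `hostname` are taken from the thread; the rest is assumed.
services:
  elastic-agent:
    image: docker.elastic.co/elastic-agent/elastic-agent-complete:9.1.3
    # Assumed container name; Podman uses it as the default hostname,
    # which is why host.name/host.hostname/agent.name matched the container.
    container_name: elastic-agent
    # The fix from the thread: give the container the VM's inventory name,
    # so the agent's own hostname lookup returns the VM identifier instead
    # of the container name. No processors or ingest pipeline needed.
    hostname: "{{ inventory_hostname }}"
    environment:
      # Fleet enrollment settings (assumed; placeholder values, supply real ones
      # from an Ansible vault or environment file rather than hard-coding).
      FLEET_ENROLL: "1"
      FLEET_URL: "https://FLEET_SERVER_PLACEHOLDER:8220"
      FLEET_ENROLLMENT_TOKEN: "ENROLLMENT_TOKEN_PLACEHOLDER"
    volumes:
      # Assumed: read-only view of the host's RPM database so the
      # system_audit.package dataset reports the VM's packages, not the container's.
      - /var/lib/rpm:/var/lib/rpm:ro
    restart: unless-stopped
```

After rendering and starting the stack, `podman exec elastic-agent hostname` should print the VM name, and new documents in the logs-system_audit.package-* data stream should carry it in host.name and host.hostname. Keep the earlier @custom ingest pipeline disabled while verifying, otherwise it masks whether the agent-level fix actually took effect.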