I am trying to understand the fields necessary to populate custom logs into the SIEM. I have the ability to use ECS and get logs to show up; however, the hosts they are coming from are not populating the "Hosts" section. Is there a log format or field within the ECS schema that is needed to get the new host to appear?
Hi @MrTrav, hosts are identified by the host.name field in the documents. This field is filled by Beats version 7.0 and above with the hostname by default. Is it filled in your documents?
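An added example, not from this thread or from Elastic, to illustrate the point in the reply above: a small checker for custom-log documents that resolves host.name whether it is stored nested (host: {name: ...}) or as a flattened "host.name" key, reports when it is missing or empty, and can patch it in before indexing. The sample documents are constructed for the example. The @timestamp check comes from the ECS spec's required-field rule, not from anything said in this thread, and the SIEM behaviour it models is the one described above (no host.name, no host in the Hosts view).

```python
import copy
import json
from typing import Any, Dict, List, Mapping, Optional

# Constructed sample documents (not from the original thread).
#   doc 0: nested host.name, as Beats 7.0+ would write it
#   doc 1: flattened "host.name" key, as some custom shippers emit
#   doc 2: custom log with no host fields at all (will not surface a host)
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {
        "@timestamp": "2021-03-01T10:15:00.000Z",
        "message": "user alice logged in",
        "host": {"name": "web-01"},
        "event": {"dataset": "custom.auth"},
    },
    {
        "@timestamp": "2021-03-01T10:16:00.000Z",
        "message": "user bob logged in",
        "host.name": "web-02",
    },
    {
        "@timestamp": "2021-03-01T10:17:00.000Z",
        "message": "user carol logged in",
        "source": {"ip": "10.0.0.5"},
    },
]


def get_field(doc: Mapping[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS path against a document stored nested or flattened."""
    if path in doc:                      # flattened form: {"host.name": "..."}
        return doc[path]
    cur: Any = doc                       # nested form: {"host": {"name": "..."}}
    for part in path.split("."):
        if not isinstance(cur, Mapping) or part not in cur:
            return None
        cur = cur[part]
    return cur


def host_problems(doc: Mapping[str, Any]) -> List[str]:
    """Return the reasons this document would not surface a host in the SIEM."""
    problems: List[str] = []
    name = get_field(doc, "host.name")
    if name is None:
        problems.append("host.name missing")
    elif not isinstance(name, str) or not name.strip():
        problems.append("host.name empty or not a string")
    # @timestamp is required by ECS (assumption drawn from the spec, not this thread)
    if get_field(doc, "@timestamp") is None:
        problems.append("@timestamp missing")
    return problems


def with_host_name(doc: Mapping[str, Any], hostname: str) -> Dict[str, Any]:
    """Return a copy of doc with host.name set in nested ECS form, leaving other host fields intact."""
    out = copy.deepcopy(dict(doc))
    host = out.get("host")
    if not isinstance(host, dict):
        host = {}
    host["name"] = hostname
    out["host"] = host
    out.pop("host.name", None)           # avoid carrying both forms at once
    return out


def summarize(docs: List[Dict[str, Any]]) -> Dict[int, List[str]]:
    """Map document index -> problems, so a batch can be checked before shipping."""
    return {i: host_problems(d) for i, d in enumerate(docs)}


if __name__ == "__main__":
    for i, problems in summarize(SAMPLE_DOCS).items():
        print(i, "OK" if not problems else "; ".join(problems))
    fixed = with_host_name(SAMPLE_DOCS[2], "web-03")
    print(json.dumps(fixed, indent=2))
```

Run it against a handful of your own custom-log documents (after redacting anything sensitive) before indexing; any document reported with "host.name missing" is one the Hosts view has nothing to key on.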
Yes, I have this field populated but I am still not seeing any hosts get populated from our custom logs.
@MrTrav Can you post an example document for a host that is not showing up? You can redact any sensitive data e.g. IPs.