Problem with Auditbeat system host dashboard

I am testing Auditbeat on three hosts. The Auditbeat system host dashboard only shows a host count of 1. The host list has all 3 hosts. Why is host count only 1? How do I troubleshoot or investigate further? I am running 7.6.2

Thanks

To troubleshoot you can look at the visualization to see how it computes the count. Edit the dashboard, then edit the "Host Count" visualization, then view how the metric is computed.

It's the "Unique count of host.id". So then you answer "are my host.id values unique for each machine?" by looking at the raw events in the Discover tab.

The host.id on Linux is the machine ID taken from the first of "/etc/machine-id", "/var/lib/dbus/machine-id", "/var/db/dbus/machine-id". If the machines were cloned from the same image without resetting the machine ID then they might be the same. You could edit the visualization to count the unique host.hostname values instead.
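The check described in the answer above, as an added example that is not part of the original post or Auditbeat's own code: it reads the machine ID using the lookup order quoted above and, over events exported from Discover as NDJSON, reports every host.id shared by more than one host.hostname. The function names, the sample events and the rule that an empty or unreadable file is skipped are assumptions.

```python
import json
from collections import defaultdict
from pathlib import Path

# Lookup order quoted in the answer above, relative to the filesystem root.
MACHINE_ID_PATHS = ("etc/machine-id", "var/lib/dbus/machine-id", "var/db/dbus/machine-id")

def read_machine_id(root="/"):
    """Return the first machine ID found under root, or None.
    Assumption: an unreadable or empty file is skipped."""
    for rel in MACHINE_ID_PATHS:
        try:
            value = (Path(root) / rel).read_text().strip()
        except OSError:
            continue
        if value:
            return value
    return None

def unique_count(ndjson_text, field):
    """Reproduce a 'Unique count of host.<field>' metric over exported events."""
    seen = set()
    for line in ndjson_text.splitlines():
        if line.strip():
            value = json.loads(line).get("host", {}).get(field)
            if value is not None:
                seen.add(value)
    return len(seen)

def shared_host_ids(ndjson_text):
    """Map each host.id seen with more than one host.hostname to those hostnames."""
    names_by_id = defaultdict(set)
    for line in ndjson_text.splitlines():
        if line.strip():
            host = json.loads(line).get("host", {})
            if "id" in host and "hostname" in host:
                names_by_id[host["id"]].add(host["hostname"])
    return {hid: sorted(n) for hid, n in names_by_id.items() if len(n) > 1}

# Constructed sample: three hosts cloned from one image, so they share a machine ID.
CLONED_ID = "00000000000000000000000000000001"
SAMPLE_EVENTS = "\n".join(
    json.dumps({"host": {"id": CLONED_ID, "hostname": name}})
    for name in ("web-01", "web-02", "web-03")
)

if __name__ == "__main__":
    print("local machine ID:", read_machine_id())
    print("unique host.id:", unique_count(SAMPLE_EVENTS, "id"))
    print("unique host.hostname:", unique_count(SAMPLE_EVENTS, "hostname"))
    print("shared IDs:", shared_host_ids(SAMPLE_EVENTS))
```

Running `read_machine_id()` on each host and comparing the values confirms the same thing from the host side.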

Thanks, that fixed it
