We are running +300 agents on Windows servers which have been set up using templated/automated installs. We now see that a lot of hosts share the same host.id value in our logging in Elastic, which seems to be a problem when implementing the security rules, especially those that rely on patterns of consecutive events with the same host.id value.
What is a good way of moving forward? Can I alter the host.id? Does this have an impact on other things? Any advice welcome.