Windows host.id not unique

We are running 300+ agents on Windows servers which have been set up using templated/automated installs. We now see that a lot of hosts share the same host.id value in our logging in Elastic, which seems to be a problem when implementing the security rules, especially those that rely on patterns of consecutive events with the same host.id value.

What is a good way of moving forward? Can I alter the host.id? Does this have impact on other things? Any advice welcome.

Since we only have ingests coming from agents, would it work to just copy the agent.id into the host.id field in the ingest?

Hello, we are facing a similar issue, see also:

The duplicate host.id might be caused by e.g. non-persistent VDIs or when you duplicate machines from a “golden image”.

See also my post about a way to alter the host.id:

This can easily be done via the registry in Windows (and, although not tested by me, for Linux & macOS it could be possible to alter these values):

The add_host_metadata processor adds a host.id field to every Beat event by default. The value is retrieved in go-sysinfo:

  • Linux: Reads /etc/machine-id, /var/lib/dbus/machine-id, and /var/db/dbus/machine-id. (machineid.go)

  • macOS: IOPlatformUUID via the gethostuuid API call. (machineid_darwin_amd64.go)

  • Windows: Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid (machineid_windows.go)

See also:

I hope this helps. By altering the MachineGuid I could find a way to circumvent the duplicate host.id values. A solution could be a script that checks its hostname against a table of generated custom UUIDs and sets the corresponding MachineGuid to the matching value in the list. This way, even for non-persistent VDIs, there could be a way to have “persistent”, “unique” host.ids.
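As an added example (not the poster's script), a PowerShell sketch of the hostname-to-GUID lookup described above: it refuses to touch hosts not in the table, validates the GUID, backs up the old value and only writes when it differs. The table contents, the backup path and the function names are assumptions.

```powershell
# Added example: pin a per-host MachineGuid from a hostname -> GUID table so that
# cloned/non-persistent machines get a stable, unique host.id in add_host_metadata.
# Run elevated, from 64-bit PowerShell (a 32-bit host is redirected to WOW6432Node),
# and restart the Beat/Agent afterwards so it reads the new value.

$MachineGuidKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography'
$BackupFile     = Join-Path $env:ProgramData 'machineguid-backup.txt'   # assumed path

# Constructed sample table; in practice load it from a CMDB export or a signed file.
$HostGuidTable = @{
    'WEB-01' = '4d6f2d1e-1b4a-4c0d-9e3a-0a1b2c3d4e5f'
    'WEB-02' = '9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a'
}

function Get-CurrentMachineGuid {
    (Get-ItemProperty -Path $MachineGuidKey -Name MachineGuid).MachineGuid
}

function Set-PinnedMachineGuid {
    param(
        [Parameter(Mandatory)] [hashtable] $Table,
        [string] $HostName = $env:COMPUTERNAME
    )

    if (-not $Table.ContainsKey($HostName)) {
        throw "No pinned GUID for host '$HostName'; refusing to change MachineGuid."
    }

    # Windows stores the value as a lowercase GUID without braces; normalise to that.
    $desired = ([guid]::Parse($Table[$HostName])).ToString('D').ToLower()
    $current = Get-CurrentMachineGuid

    if ($current -eq $desired) {
        Write-Output "MachineGuid already matches for $HostName; nothing to do."
        return
    }

    # Keep the previous value so the change can be reverted if something depends on it.
    Add-Content -Path $BackupFile -Value ("{0} {1} {2}" -f (Get-Date -Format o), $HostName, $current)
    Set-ItemProperty -Path $MachineGuidKey -Name 'MachineGuid' -Value $desired
    Write-Output "MachineGuid for $HostName changed from $current to $desired."
}

Set-PinnedMachineGuid -Table $HostGuidTable
```

The same table can be used to verify drift: compare the GUID that host.id reports in Elastic against the pinned value for that hostname before any rule relying on host.id is trusted.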