elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Difference Between Reporting of 'host.name' from Winlogbeat and other Beats #21317

Open MakoWish opened 4 years ago

MakoWish commented 4 years ago

Winlogbeat reports the 'host.name' field as a FQDN when other Beats report 'host.name' just as 'hostname' (not a FQDN).

This difference between Beats agents creates difficulty in pivoting across data sources.

elasticmachine commented 4 years ago

Pinging @elastic/integrations (Team:Integrations)

elasticmachine commented 4 years ago

Pinging @elastic/siem (Team:SIEM)

botelastic[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

willemdh commented 3 years ago

It would be nice if this gets fixed some day..

botelastic[bot] commented 2 years ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

MakoWish commented 2 years ago

I totally forgot I even opened this. Since we use Logstash for all data processing, I just added a correction in my pipeline, so it has been "out of sight, out of mind". I currently use Ruby to force all data sources to report host.name as the simple hostname, and host.hostname as the FQDN.

EDIT: Oops! Me replying removed the Stalled tag again. :-(

Eric
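An added example, not MakoWish's pipeline code or anything from the Beats project: one way to do the normalization described in the comment above, written so it can be loaded by the Logstash ruby filter through its `path` option. The helper names `ip_literal?` and `normalize_host`, the lowercasing, the handling of IP literals, and falling back to the short name when no FQDN is known are assumptions of this sketch.

```ruby
require 'ipaddr'

# True for IPv4/IPv6 literals, which must not be split on dots like a DNS name.
def ip_literal?(value)
  IPAddr.new(value)
  true
rescue IPAddr::Error
  false
end

# Takes the event's "host" object (string keys) and returns a copy where
# host.name is the short hostname and host.hostname is the FQDN.
# Assumption: both are lowercased so the same machine compares equal across sources.
def normalize_host(host)
  host = host.is_a?(Hash) ? host.dup : {}
  candidates = [host['name'], host['hostname']].compact
               .map { |v| v.to_s.strip.downcase.chomp('.') } # drop a trailing root dot
               .reject(&:empty?)
  names = candidates.reject { |v| ip_literal?(v) }
  return host if names.empty? # nothing usable, or only an IP: leave untouched

  short = names.first.split('.').first
  # Accept an FQDN only if it belongs to the same short name, so two
  # disagreeing fields are never merged into one identity.
  fqdn = names.find { |v| v.include?('.') && v.split('.').first == short }
  host['name'] = short
  host['hostname'] = fqdn || short # assumption: reuse the short name if no FQDN is known
  host
end

# Entry point the Logstash ruby filter calls for each event in a script file.
def filter(event)
  host = event.get('host')
  event.set('host', normalize_host(host)) if host.is_a?(Hash)
  [event]
end
```

Other keys under `host` (for example `host.os`) pass through unchanged because only `name` and `hostname` are rewritten.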

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

willemdh commented 1 year ago

There is some solution for this now to make host.name lowercase fqdn, but still in beta and not standardized imho. Also in Agent the lowercasing was forgotten..

elasticmachine commented 9 months ago

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)