Open narph opened 1 year ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Isn't the root of the problem that the machine was imaged without being sysprepped? Sysprep would ensure the new machine comes up with a new MachineGUID.
Should the host.id contain a combination of the 2?
SMBIOS UUID - wmic path win32_computersystemproduct get uuid
I don't think this is a general purpose solution. The docs for this uuid
field say that it is a "Universally unique identifier (UUID) for this product." This sounds like it only solves the problem if those hosts are on different product types, and it means the ID changes when the product changes (like I'm guessing happens on an OS update).
Our host.id is not supposed to change with the OS version or hardware (like changes to network interfaces or CPUs). It is meant to be persistent. That means when you clone an image you need to take some action to reset the identifiers. The same applies to the "agent.id", but instead of being part of the OS it is a file on disk in the Beat's data directory.
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
The same host.id value is listed although data is collected from different winlogbeat hosts. For Windows this is generated using a combination of 2 results:
Machine GUID - reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
SMBIOS UUID - wmic path win32_computersystemproduct get uuid
Looking to the originating source code at the moment only the Machine GUID part is provided: https://github.com/elastic/go-sysinfo/blob/main/providers/windows/machineid_windows.go#L30.
Should the host.id contain a combination of the 2? Any other workaround to distinguish between the different hosts?
Beats 8.5
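The collision described in this issue (one host.id value shared by several winlogbeat hosts because cloned images kept the same MachineGuid) can be spotted on the receiving side by grouping events by host.id and checking whether more than one host.name maps to it. The following is an added example, not code from Beats or go-sysinfo: it runs that check over constructed ECS-style sample events, and it also shows, as a hypothetical, what a host identifier derived from both the MachineGuid and the SMBIOS UUID would look like. The field names `machine_guid` and `smbios_uuid` and all identifier values are constructed for the example; Beats does not emit them.

```python
"""Detect host.id collisions across Windows hosts and illustrate a
combined identifier (added example; not Beats/go-sysinfo code)."""
import hashlib
from collections import defaultdict

# Constructed sample events. WIN-APP01 and WIN-APP02 were cloned from one
# image without sysprep, so they share MachineGuid (and therefore host.id)
# while their SMBIOS UUIDs still differ. WIN-DC01 is an independent host.
SAMPLE_EVENTS = [
    {"host.id": "6f8d2a1c-3b4e-4f5a-9c8d-1e2f3a4b5c6d", "host.name": "WIN-APP01",
     "machine_guid": "6f8d2a1c-3b4e-4f5a-9c8d-1e2f3a4b5c6d",
     "smbios_uuid": "11111111-aaaa-bbbb-cccc-000000000001"},
    {"host.id": "6f8d2a1c-3b4e-4f5a-9c8d-1e2f3a4b5c6d", "host.name": "WIN-APP02",
     "machine_guid": "6f8d2a1c-3b4e-4f5a-9c8d-1e2f3a4b5c6d",
     "smbios_uuid": "11111111-aaaa-bbbb-cccc-000000000002"},
    {"host.id": "6f8d2a1c-3b4e-4f5a-9c8d-1e2f3a4b5c6d", "host.name": "WIN-APP01",
     "machine_guid": "6f8d2a1c-3b4e-4f5a-9c8d-1e2f3a4b5c6d",
     "smbios_uuid": "11111111-aaaa-bbbb-cccc-000000000001"},
    {"host.id": "0badc0de-1234-4abc-8def-00000000dc01", "host.name": "WIN-DC01",
     "machine_guid": "0badc0de-1234-4abc-8def-00000000dc01",
     "smbios_uuid": "22222222-aaaa-bbbb-cccc-0000000000dc"},
]


def find_host_id_collisions(events):
    """Return {host.id: sorted list of host.name} for every host.id that is
    reported by more than one distinct host name (the symptom in the issue)."""
    names_by_id = defaultdict(set)
    for ev in events:
        names_by_id[ev["host.id"]].add(ev["host.name"])
    return {hid: sorted(names) for hid, names in names_by_id.items() if len(names) > 1}


def combined_host_id(machine_guid, smbios_uuid):
    """Hypothetical identifier built from both values the issue mentions.
    Normalises case/whitespace so the same inputs always hash the same way.
    This is an illustration of the proposal, not how Beats computes host.id,
    and it inherits the caveat from the thread: it changes whenever the
    SMBIOS UUID changes, so it is not persistent in the way host.id should be."""
    digest = hashlib.sha256()
    digest.update(machine_guid.strip().lower().encode("ascii"))
    digest.update(b"|")
    digest.update(smbios_uuid.strip().lower().encode("ascii"))
    return digest.hexdigest()[:32]


def combined_ids_by_host(events):
    """Map each host.name to its hypothetical combined id, to show that the
    two clones would no longer collide while WIN-DC01 stays distinct."""
    return {ev["host.name"]: combined_host_id(ev["machine_guid"], ev["smbios_uuid"])
            for ev in events}


if __name__ == "__main__":
    for hid, names in find_host_id_collisions(SAMPLE_EVENTS).items():
        print(f"host.id {hid} is shared by: {', '.join(names)}")
    for name, cid in combined_ids_by_host(SAMPLE_EVENTS).items():
        print(f"{name}: combined id {cid}")
```

Run against real data, the collision check is the useful part: a host.id that maps to several host.name values is the signal that an image was cloned without resetting its identifiers, which is what the sysprep remark in the thread addresses. The combined-id function only demonstrates the proposal; it does not make the identifier persistent across hardware or product changes.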