When using the journald input from Filebeat (currently used by the "Custom Journald logs" and the System integration once https://github.com/elastic/integrations/pull/11618), the field host.hostname can be overwritten by the add_host_metadata processor that runs by default on Beats running under Elastic-Agent.
The default processors added by the Elastic-Agent (and not shown in the policy/Fleet UI are):
When using the journald input from Filebeat (currently used by the "Custom Journald logs" and the System integration once https://github.com/elastic/integrations/pull/11618), the field
host.hostname
can be overwritten by theadd_host_metadata
processor that runs by default on Beats running under Elastic-Agent.The default processors added by the Elastic-Agent (and not shown in the policy/Fleet UI are):
This is added by this piece of code from Beats when running under Elastic-Agent:
That is later called during startup.
One way to avoid
host.hostname
being overwritten is to add theforwarded
tag to the events produced by the journald input (or any input).Currently the
forwarded
tag is not added by default.