elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Duplicate Windows hosts in Security - Hosts when using Elastic Agent #119115

Open rseldner opened 3 years ago

rseldner commented 3 years ago

Kibana version: 7.15.2

Elasticsearch version: 7.15.2

Elastic Agent version: 7.15.2

Elastic Agent OS: Windows Server 2019 & Windows 10

Original install method: ESS deployment

Describe the bug:

Windows hosts running Elastic Agent are displayed twice in Kibana>Security>Hosts. Once with the hostname, and another with the FQDN.

Edit: Host is joined to AD

[screenshot: Security > Hosts listing the same machine twice, once by hostname and once by FQDN]

Meanwhile, a single agent is displayed/configured

[screenshot: Fleet showing a single enrolled agent for that host]

It appears host.name is parsed differently depending on the dataset. A single host is displayed if Agent Monitoring is disabled on the policy. Two hosts are displayed after enabling Agent Monitoring > Collect Agent Logs.

Steps to reproduce:

Duplicate Hosts (hostname and FQDN):

  1. Create an Agent Policy
  2. Edit the policy and add the Windows Integration (edit: also occurs with System integration)
  3. Add an Agent (Enroll and start the Elastic Agent using the fleet provided enrollment command/token)

Single Host:

  1. Create a custom Policy
  2. Edit the Policy and untoggle Agent Monitoring settings
  3. Add the Windows Integration
  4. Add an Agent (Enroll and start the Elastic Agent using the fleet provided enrollment command/token)

Screenshots: side-by-side comparison

[screenshot: duplicate hosts] [screenshot: single host]

Expected behavior: 1 Host to 1 Agent

Any additional context:

For comparison, I tested with elastic agent on MacOS using the default policy. I only saw a single host.

Workaround

Add a processor on every Windows event log collector enabled in the Windows and/or System integration that will split host.name and return the first substring.

  - script:
      lang: javascript
      id: short-hostname
      source: >
        function process(event) {
            event.Put('host.name', event.Get('host.name').split('.')[0]);
        }

[screenshot: the script processor added to the integration's event log collector settings]

EDIT: added workaround to OP for visibility.

elasticmachine commented 3 years ago

Pinging @elastic/fleet (Feature:Fleet)

elasticmachine commented 3 years ago

Pinging @elastic/kibana-security (Team:Security)

elasticmachine commented 3 years ago

Pinging @elastic/siem (Team:SIEM)

rseldner commented 2 years ago

Workaround, courtesy of @andrewkroh: set a processor on the integration's event log collectors to split host.name and return the first substring.

processors:
  - script:
      lang: javascript
      id: short-hostname
      source: >
        function process(event) {
            event.Put('host.name', event.Get('host.name').split('.')[0]);
        }

joshdover commented 2 years ago

I think this is a UI issue in SIEM, so I'm removing the Fleet label.

wmeens commented 2 years ago

Any progress on this one? Seeing this issue too.

jcimins commented 2 years ago

Hello, I have the same problem as well. Does this one have any movement?

jcimins commented 2 years ago

And one more thing. I just tested this out: when you add it this way, it gives just one host, but when you add Elastic Security to this policy it adds another line there. Using Elastic version 7.17.

fastlorenzo commented 2 years ago

Still there with 8.1.2

Quickly checking the raw logs shows that host.name can have both the short hostname (vmdc01 in my case), or the fqdn (vmdc01.xhack.lab for me).

[screenshot: raw documents with host.name as both vmdc01 and vmdc01.xhack.lab]

This results in the host being shown twice in "Security":

[screenshot: the host listed twice in Security > Hosts]

For information, I only have 2 integrations enabled for this policy: system and endpoint.

[screenshot: agent policy with only the system and endpoint integrations]

willemdh commented 2 years ago

This is not a new problem. We have been asking for years for more consistency in host.name convention and usage. See https://github.com/elastic/beats/issues/1070

Imho host.name should always be the lowercase FQDN, simply because not all of us use only one domain...

Some new host fields should be created, such as host.shortname and host.hostname, for users who need those.