Beats use of non-ECS field agent.hostname causing user confusion
#16377
Comments
|
Should |
|
@jsoriano Yes. (I tried to capture that in the 4th assumption bullet above). |
|
There is a related behavior that is also causing problems for the user who posted in discuss 219088. It appears that when the user sets the For example, this setting (happens to be in auditbeat.yml): Results in this document being indexed in auditbeat-7.6.0-*: In addition, there is an existing alias in https://github.com/elastic/beats/blob/master/libbeat/_meta/fields.common.yml that likewise seems to map the legacy
|
|
Pinging @elastic/integrations (Team:Integrations) |
|
We want to ensure that we continue to have an identifying name for the agent in events when we remove Then for master (8.0) I will remove the |
Since ECS does not define agent.hostname it will be removed in a future release. In order to always have a field available to identify the agent by name we will set the agent.name to hostname unless the user has provided a custom name. Relates elastic#16377
Since ECS does not define agent.hostname it will be removed in a future release. In order to always have a field available to identify the agent by name we will set the agent.name to hostname unless the user has provided a custom name. Relates #16377
Since ECS does not define agent.hostname it will be removed in a future release. In order to always have a field available to identify the agent by name we will set the agent.name to hostname unless the user has provided a custom name. Relates elastic#16377 (cherry picked from commit 3711ee6)
agent.hostname is not part of ECS so this removes the field. Instead the agent.name field can be used for this purpose and it it part of ECS. This add a migration alias pointing from agent.hostname to agent.name. Closes elastic#16377
|
I have open the PR to remove |
agent.hostname is not part of ECS so this removes the field. Instead the agent.name field can be used for this purpose and it it part of ECS. This adds an alias pointing from agent.hostname to agent.name. Closes #16377
During the introduction of ECS-support with the 7.0 release, some breaking changes were made in certain fields populated by beats.
Specifically, a new field
agent.hostnamewas introduced - however this field is not an ECS field, and it's continued use and documentation are creating user confusion.A recent SIEM discuss topic highlights the issue: 219088
Assumptions:
host.nameto display general information about the host object.host.hostnamemay be used.host.nameandhost.hostnamein their default configurations, either by enabling add_host_metadata, or some other means.observer.hostnameRecommended changes:
agent.hostnamefrom the beats docs and replace it withhost.nameand optionallyhost.hostname.beat.hostnamefromagent.hostnametohost.hostnamein https://github.com/elastic/beats/blob/master/libbeat/_meta/fields.common.ymlagent.hostnameas deprecated and stop populating it in 8.0agent.hostnametohost.hostnameonce it is no longer populated, to enable any analysis content that used theagent.hostnamefield to continue to operateThe text was updated successfully, but these errors were encountered: