Windows Event Logs allows windows logs from many systems to be automatically collected on a single aggregated node. When Winlogbeat ingests these aggregate logs, it sets host.name to the host that is running the beat, rather than the host that the log originally came from. This causes downstream confusion, e.g. the support case that prompted this noted that the SIEM "Uncommon Processes" category wasn't useful in this setting because logs from many nodes were treated as a single host.
This problem comes up in other settings, such as syslog ingestion in Filebeat which often aggregates logs from many nodes, so while the particular case that prompted it is Winlogbeat, this is arguably a larger meta-issue for any beats / inputs that might serve as aggregation points.
It's still possible to handle these correctly today using advanced features such as script processors, but it would be nice to have a simpler and more consistent configuration story for this increasingly common pattern.
Windows Event Logs allows windows logs from many systems to be automatically collected on a single aggregated node. When Winlogbeat ingests these aggregate logs, it sets
host.nameto the host that is running the beat, rather than the host that the log originally came from. This causes downstream confusion, e.g. the support case that prompted this noted that the SIEM "Uncommon Processes" category wasn't useful in this setting because logs from many nodes were treated as a single host.This problem comes up in other settings, such as syslog ingestion in Filebeat which often aggregates logs from many nodes, so while the particular case that prompted it is Winlogbeat, this is arguably a larger meta-issue for any beats / inputs that might serve as aggregation points.
It's still possible to handle these correctly today using advanced features such as script processors, but it would be nice to have a simpler and more consistent configuration story for this increasingly common pattern.