During the introduction of ECS support with the 7.0 release, some breaking changes were made in certain fields populated by beats.
Specifically, a new field agent.hostname was introduced - however this field is not an ECS field, and its continued use and documentation are creating user confusion.
A recent SIEM discuss topic highlights the issue: 219088
Assumptions:
- All module dashboards, apps, and other ECS data consumers should use the ECS field host.name to display general information about the host object.
- In special cases, such as DNS, where the visualization is specifically looking for the hostname field, host.hostname may be used.
- All beats that operate locally on a host should be populating host.name and host.hostname in their default configurations, either by enabling add_host_metadata, or some other means.
- Beats that operate remotely, such as heartbeat, should be populating observer.hostname.
Recommended changes:
- Remove agent.hostname from the beats docs and replace it with host.name and optionally host.hostname.
- Change the alias beat.hostname from agent.hostname to host.hostname in https://github.com/elastic/beats/blob/master/libbeat/_meta/fields.common.yml
- Mark agent.hostname as deprecated and stop populating it in 8.0
- Alias agent.hostname to host.hostname once it is no longer populated, to enable any analysis content that used the agent.hostname field to continue to operate
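As an added illustration (not taken from the beats repository), this is how the second and fourth changes above would look as alias entries in the fields.yml format libbeat uses; the key names (name, type, path, migration) and the surrounding structure are assumed from the existing 7.x alias entries and should be checked against fields.common.yml before use.

```yaml
# Constructed example of the proposed end state, not the repo's own file.
- key: beat
  title: Beat
  description: >
    Contains common beat fields available in all event types.
  fields:
    # beat.hostname used to point at agent.hostname (non-ECS); re-point it
    # at the ECS field so old dashboards keep resolving.
    - name: beat.hostname
      type: alias
      path: host.hostname
      migration: true

    # Once agent.hostname is no longer populated (8.0), turn it into an
    # alias as well so analysis content that still queries agent.hostname
    # continues to return the host's hostname.
    - name: agent.hostname
      type: alias
      path: host.hostname
      migration: true
```

Alias fields are query-time only, so neither entry makes Beats emit a value; host.hostname must still be populated (for example via add_host_metadata) for the aliases to resolve.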