- Stage: 0 (strawperson)
- Date: 2020-09-08
Status (process transition, April 2026): The proposed fields were never merged into the ECS schema. The multi-stage RFC process has been retired in favor of the single-stage Proposal process. This RFC is considered inactive. If there is continued interest in these fields, a new proposal can be submitted under the current process.
Many sources populating event host.* fields have different behaviors in how the host values are set. This can cause confusion, complexity, and frustration for users expecting to easily identify unique hosts in their environments. This RFC proposes establishing a common convention to ensure more consistent mapping of these host identifier fields.
At the time of writing, the following are several known challenges caused by these inconsistencies:
- Confusion between the
host.nameandhost.hostnamefields - Unicity problems in raw hostnames. This can be common with workstations on certain OSes, for example a fleet of "MacBook-Pro.local"
- Unicity problems in host.ids (e.g. misconfigured config management tools, machine images, disk snapshots, etc.)
- Usage of unqualified vs. fully-qualified hostnames in the same fields (by different data sources) leads to host duplication
The following are the people that consulted on the contents of this RFC.
- @ebeahan | author
- @webmat | co-author
- Stage 0: #955