Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

host.name behavior inconsistent across the Elastic stack #13777

Closed
fgabolde opened this issue Sep 24, 2019 · 9 comments
Closed

host.name behavior inconsistent across the Elastic stack #13777

fgabolde opened this issue Sep 24, 2019 · 9 comments
Labels
Auditbeat ecs Filebeat Filebeat Functionbeat Heartbeat Journalbeat libbeat Metricbeat Metricbeat Packetbeat Stalled Team:Integrations Label for the Integrations team

Comments

@fgabolde
Copy link

I'm very confused about how host.name, agent.hostname, observer.hostname etc. are supposed to work.

I have a fairly simple setup where my apps live in containers, Filebeat lives in a different container, and all the apps send JSON-formatted logs to Filebeat over UDP. I have no idea what value should be in host.name.

The ECS states:

ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken.

So that's pretty clearly the application's host. The APM dashboard seems to agree; when I click "Show host logs", it gives me logs filtered on host.name, with the application's hostname prefilled.

But Filebeat disagrees. I've tried letting it do its own thing, and I've tried setting host.name in the application logs; in both cases, it overwrites host.name with its own hostname, so of course the log dashboard is empty, since all the traces have the application's hostname.

I've come across a bunch of issues related to host.name but I have not been able to understand which behavior is considered a bug, the APM dashboard's or Filebeat's:

#13706
#13589
#12983
#12107
#10698
@jsoriano
Copy link
Member

Hi @fgabolde,

Thanks for opening this issue. There are actually some issues with these fields, specially when beats are run in namespaces networks in containers.

A possible workaround for your case is to run filebeat container in the host network (--net=host in docker), then its hostname would be the same as the hostname of the host. Take into account that with this option filebeat will have access to the host network, though this should be safe.

I am going to close this case by now as I think that whatever solution we implement for #13589 would also fix this.

@fgabolde
Copy link
Author

@jsoriano , I will subscribe to that issue to follow development, but I don't think it is the same problem. If Filebeat keeps setting host.name to a specific value (however it is obtained), and the rest of the ecosystem keeps using host.name to track where the log originally came from, then the functionality still won't work.

If I understand your workaround, then Filebeat will set host.name to the hostname of the machine that is running the containers, e.g. some AWS instance or my own desktop workstation or whatever. But the APM traces will still have the application containers' host.name value, so they won't match the logs. The issue is worse in my setup, where I have a single Filebeat that is collecting multiple applications' logs. I cannot believe that is not a supported use case, since Filebeat supports autodiscovery of containers.

I guess my question is, who is right? The APM who assumes host.name in logs means the host/container on which the application is running that wrote the logs? Or, Filebeat who assumes host.name in logs should mean the host/container that is collecting the logs?

If Filebeat is right and the host field designates the beat, what is the agent field for?

@jsoriano
Copy link
Member

@fgabolde you are right, I was not thinking in cases where the parsed logs are from other machines. I will reopen this for this case. Thanks for the detailed explanations.

@jsoriano jsoriano reopened this Sep 26, 2019
@andrewkroh andrewkroh mentioned this issue Oct 4, 2019
Open
@sayden sayden mentioned this issue May 4, 2020
Closed
@botelastic
Copy link

botelastic bot commented Oct 15, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added Stalled needs_team Indicates that the issue/PR needs a Team:* label labels Oct 15, 2020
@jsoriano jsoriano removed the Stalled label Oct 15, 2020
@jsoriano jsoriano added the Team:Integrations Label for the Integrations team label May 10, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations (Team:Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 10, 2021
@jsoriano jsoriano mentioned this issue Jul 14, 2021
Merged
5 tasks
@botelastic
Copy link

botelastic bot commented May 10, 2022

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label May 10, 2022
@PrplHaz4
Copy link

there have been some enhancements but from what I can tell the overall situation here hasn't changed much...

@botelastic botelastic bot removed the Stalled label May 10, 2022
@fgabolde
Copy link
Author

I should check if the bug is still present, but in the meantime I've been using container.id more which actually does work as intended.

@botelastic
Copy link

botelastic bot commented May 10, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label May 10, 2023
@botelastic botelastic bot closed this as completed Nov 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Auditbeat ecs Filebeat Filebeat Functionbeat Heartbeat Journalbeat libbeat Metricbeat Metricbeat Packetbeat Stalled Team:Integrations Label for the Integrations team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jsoriano @PrplHaz4 @fgabolde @elasticmachine