Add agent.hostname

[webmat]

In cases where an agent is not running on a host generating an event (e.g. APM server), it's useful to track where the agent is running without touching host.hostname.

Beats has already replaced beat.hostname with agent.hostname here elastic/beats#8873.

So the relationship between the two fields is:

• host.hostname should be populated with the hostname of the node generating the event
• agent.hostname should be populated with the hostname of the node where the agent is running, if different than the source of the event.
  • Question: should we always populate it, even if it's the exact same value?

[ruflin]

+1 on this proposal. For the population of the fields: Undecided but I think for now I would leave it out of scope of ECS to define it.

[ave19]

I think one of my analysts just had an aneurism. :)

[webmat]

I get the joke vs your feedback from yesterday ;-) I think we could do a better job of highlighting which fields are the "main" field (hostname is a good example), and which ones are to be used for secondary situations, like the agent.hostname above.

Does this make sense, though? Imagine you're using Filebeat's syslog input to act as a sink for an area of your network. agent.hostname is that sink's hostname, where host.hostname is the hostname of the source of the event.

Does that make sense? Is there anything about it that we're missing?

[MikePaquette]

Sorry for overlooking this issue forever :-(

ECS should not have a field agent.hostname as this breaks the entity relationship implicit in the fact that an agent is a software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Therefore an agent cannot have a hostname associated with it.

In the case where an agent is not running on a host generating an event (e.g. APM server), the APM server is considered the observer, and its hostname should be populated in the observer.hostname field.

The APM Server example is explicitly documented in the ECS documentation here.

Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers.

[ppf2]

Given the note above, should filebeat (and other beats) have made the breaking change in 7.0 to rename beat.hostname to agent.hostname?

btw, our documentation (https://www.elastic.co/guide/en/beats/libbeat/6.5/breaking-changes-6.3.html#beats-template-versioned-indices) previously suggested users to switch to use beat.hostname from host.name for backwards compatibility - which makes me wonder why we didn't end up renaming beat.hostname to host.name.

[ebeahan]

Per reasoning laid out in #178 (comment), not moving forward adding agent.hostname.