Expected Host Not Reporting finds results for hosts that are reporting with a different name; for instance, the short DNS name rather than the fqdn, or the IP address rather than the hostname.
Is there a way to fix this?
what does your hostname -f return?
Add your FQDN on the /etc/hosts, that should provide you the FQDN.
Also, you can add "host = hostname" field in the inputs.conf on the forwarder
I think @edonze is looking for a solution to the Correlation Rule "Expected Host Not Reporting " in Enterprise Security App. We are also facing the same issue and thus we are getting lot of false positive alerts.
Check out asset table on your ES app.
This table contains field called "is_expected" which determines if host is going to be reported by the mentioned correlation search. If you are getting incorrect values as hostname check the asset table and update it as required.