Similar to locked post In SEM last event not updating due to IP address issue.
Linux nodes here are configured similar to HPC clusters, where nodes have 2 interfaces: 1 on the enterprise network and 1 using a non routable network for deployment and management. Also, there is a separate domain for authentication (FreeIPA) and the hostnames of the nodes must reflect this domain name to configure authentication properly.
The issue I see, (especially with Ubuntu based nodes) is both the FQDN and the non-routable ip show up in the dashboard, and cause 2 licenses to be used up. There are no logs showing for the Agent enabled FQDN instance, but the non-routable IP (non-agent) shows logs. The detection ip is the non-routable while the ingestion IP is the FQDN.
I put in a call to support and they worked me though this article but none of those options are working.
Anyone with experience with a 2 nic server and the SEM agent?
Desired behavior:
node displayed as FQDN hostname (Agent) and no duplicates
