diff --git a/logstash/pipelines/beats/11_beats_logs.conf b/logstash/pipelines/beats/11_beats_logs.conf
index 546439ec0..f2f79c995 100644
--- a/logstash/pipelines/beats/11_beats_logs.conf
+++ b/logstash/pipelines/beats/11_beats_logs.conf
@@ -840,10 +840,9 @@ filter {
 replace => { "[event][module]" => "syslog" } }
 # store the originating host name as host.name as it's probably what people will want to search by
- if ([hostname]) {
- mutate { id => "mutate_syslog_direct_add_ecs_hostname"
- add_field => { "[log][syslog][hostname]" => "%{[hostname]}" } }
- }
+ if ([log][syslog][hostname]) { mutate { id => "mutate_syslog_direct_replace_hostname"
+ replace => { "[host][name]" => "%{[log][syslog][hostname]}" }
+ remove_field => [ "[hostname]" ] } }
 if (![event][hash]) {
 fingerprint {
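Review bot: The new `mutate` overwrites `[host][name]` with `[log][syslog][hostname]`, which by its name comes from the syslog header and is therefore whatever the sender put there, and the value `[host][name]` held before (presumably the forwarder's own host) is dropped without a copy. That matches what the comment asks for, but anyone correlating or alerting on `host.name` should know it is not a verified identity; I would say so in the comment, e.g. `# host.name is set from the sender-supplied syslog header hostname; it is not verified`. Separately, `remove_field => [ "[hostname]" ]` now runs only when `[log][syslog][hostname]` is set, so an event carrying `[hostname]` alone keeps the stray field and gets no `host.name`. Where `[log][syslog][hostname]` is populated is outside this hunk, so that may be intentional. The enclosing `filter {` block starts and ends outside the hunk.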