When a vendor generates log data, is the thought that we’d be recording the vendor name as an “agent” field? If so, like if it was a “Cisco ASA 1000” appliance, agent.name = “cisco-asa”, agent.type = “1000”? I’m thinking having vendor and model fields would make this more helpful for customers. Especially if you have Filebeat running on different appliances and you want to distinguish log sources by vendor.
No. 10 of 16. This question was asked by a new ECS user, who is familiar with mapping IT events to data models and use cases in other schemas. These questions are being posted as a GitHub issue, because a) they may offer valuable insights, b) we expect that many new users will have similar questions.
In ECS, devices like “Cisco ASA 1000” appliances are usually considered observers, not agents. The details you mention would be populated in the observer.* fields, for example:
observer.type: "firewall"
observer.vendor: "Cisco"
observer.version: <version_info>
observer.serial_number: <serial_number>
One field that seems to be missing would be observer.model which, in this case, would contain: