Does vendor device info get mapped to the agent.* fields?

[MikePaquette]

When a vendor generates log data, is the thought that we’d be recording the vendor name as an “agent” field? If so, like if it was a “Cisco ASA 1000” appliance, agent.name = “cisco-asa”, agent.type = “1000” ? I’m thinking having vendor and model fields would make this more helpful for customers. Especially if you have filebeat running on different appliances and you want to distinguish log sources by vendor.

No. 10 of 16. This question was asked by a new ECS user, who is familiar with mapping IT events to data models and use cases in other schemas. These questions are being posted as a GitHub issue, because a) they may offer valuable insights. b) we expect that many new users will have similar questions.

[MikePaquette]

In ECS, devices like “Cisco ASA 1000” appliances are usually considered observers, not agents. The details you mention would be populated in the observer.* fields, for example:

• observer.type: "firewall"
• observer.vendor "Cisco"
• observer.version: <version_info>
• observer.serial_number: <serial_number>

One field that seems to be missing would be observer.model which in the case, would contain:

• observer.model: "ASA 1000"

[djptek]

Very similar issue under discussion here, #1512

Closing