Cisco integrations fields naming convention


Currently in our company we are using Logstash to collect and parse logs from a couple of Cisco devices (ASA, ISE, FTD and also Duo and Umbrella).

To make our data integrate better with the built-in dashboards and the SIEM module, we are thinking of using the Elastic Agent in some cases or modifying our parses so the output from Logstash is equal to the one from the Elastic Agent.

Looking into the code of those integrations to see how the parse is done and which fields are created, I saw that there is some divergence in the naming convention for the Cisco fields.

For example, some use cisco.something.* and others use cisco_something.*.

For ASA, FTD and Umbrella we have cisco.asa.*, cisco.ftd.* and cisco.umbrella.*, but for Duo and ISE it is cisco_duo.* and cisco_ise.*.

Is there any plan to change and use the same naming convention in the future?
