We are looking at pushing events from a lot of our network and security devices into Elastic for storage, and utilising the SIEM functionality as well. We understand the requirement for ECS, and we have started using Logstash to transform the incoming data (mostly in custom syslog formats from the devices) into ECS.
Rather than reinvent the wheel, is there a repository of taxonomies somewhere for different log source types (like the QRadar DSM concept)? Our devices include F5 devices, Fortigate firewalls, PA firewalls, Juniper switches and routers, lots of different types of Cisco switches (with different log formats) etc. etc. etc. etc. etc.
I'm hoping there is a repository of common "extended" ECS mappings that we can utilise, and add to.
Hi @rossw! While we don't currently have a repository of taxonomies, it's a great suggestion that we'll keep in mind. We are working on expanding support for new data sources, including many of the devices you've listed. However, the implementation guides for our Cisco and Palo Alto Filebeat modules include the ECS field mappings which may serve as a reference for you.
As you transform your data to ECS, you may find the ecs-mapper tool helpful. It's an experimental tool, but allows you to map existing fields to ECS fields within a CSV and automatically generate the pipelines for you. We're currently soliciting feedback on the tool, so would love to hear your thoughts if you use it to generate the pipelines.
Hope that helps - if you have any additional questions, just let me know.
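Added example, not code from either post, from ecs-mapper or from the Filebeat modules: the kind of field mapping the thread is talking about, done in Python. A small CSV maps vendor key=value names to ECS fields (the three-column layout is a simplified assumption, not ecs-mapper's exact file format), a constructed FortiGate-style syslog line is parsed and mapped, and the same mapping is turned into an Elasticsearch ingest pipeline of `rename`/`convert`/`lowercase` processors, which is the shape of output ecs-mapper produces. The vendor namespace `fortigate_custom` for unmapped keys is an assumption; the sample line is constructed and is not a real device capture.

```python
"""Map a custom key=value syslog line to ECS using a CSV field mapping, and
emit an Elasticsearch ingest pipeline that performs the same mapping.
Added example: CSV layout, sample log line and the vendor namespace are
constructed assumptions, not ecs-mapper's or any vendor's real format."""
import csv
import io
import json
import re

# Constructed mapping (assumed simplified layout): source key -> ECS field + optional conversion.
# Note: ECS network.iana_number is a keyword, so "proto" gets no integer conversion.
MAPPING_CSV = """source_field,destination_field,format_action
srcip,source.ip,
srcport,source.port,to_integer
dstip,destination.ip,
dstport,destination.port,to_integer
action,event.action,lowercase
devname,observer.name,
proto,network.iana_number,
"""

# Constructed FortiGate-style line (RFC 3164 PRI + key=value body); not a real capture.
SAMPLE_LINE = ('<189>date=2023-05-01 time=12:00:01 devname="fw-edge-01" srcip=10.1.2.3 '
               'srcport=51515 dstip=203.0.113.7 dstport=443 proto=6 action="Accept" '
               'policyid=12')

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted value" or key=bareword
PRI_RE = re.compile(r'^<(\d{1,3})>')           # syslog <PRI> prefix

CONVERTERS = {
    "to_integer": int,
    "to_float": float,
    "lowercase": str.lower,
    "uppercase": str.upper,
    "": lambda v: v,
}
CONVERT_TYPES = {"to_integer": "long", "to_float": "double"}  # ingest 'convert' processor types


def load_mapping(text):
    """Read the mapping CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_kv_syslog(line):
    """Split the syslog PRI and key=value body into a flat dict of strings (PRI parts as ints)."""
    fields = {}
    m = PRI_RE.match(line)
    body = line
    if m:
        pri = int(m.group(1))
        fields["log.syslog.priority"] = pri
        fields["log.syslog.facility.code"] = pri // 8   # ECS log.syslog.facility.code
        fields["log.syslog.severity.code"] = pri % 8    # ECS log.syslog.severity.code
        body = line[m.end():]
    for key, raw, quoted in KV_RE.findall(body):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def set_dotted(doc, dotted, value):
    """Store a dotted ECS field name as nested dicts (source.ip -> {"source": {"ip": ...}})."""
    parts = dotted.split(".")
    cur = doc
    for p in parts[:-1]:
        cur = cur.setdefault(p, {})
    cur[parts[-1]] = value


def to_ecs(line, mapping, vendor_ns="fortigate_custom"):
    """Apply the mapping to one line. Unmapped vendor keys are kept under vendor_ns
    (assumed name) rather than dropped, and the raw line is kept in event.original."""
    flat = parse_kv_syslog(line)
    doc = {}
    set_dotted(doc, "event.original", line)
    for row in mapping:
        src = row["source_field"]
        if src in flat:
            value = CONVERTERS[row["format_action"]](flat.pop(src))
            set_dotted(doc, row["destination_field"], value)
    for key, value in flat.items():
        set_dotted(doc, key if "." in key else f"{vendor_ns}.{key}", value)
    return doc


def to_ingest_pipeline(mapping, description="custom kv syslog -> ECS (generated)"):
    """Express the same mapping as Elasticsearch ingest processors (rename/convert/lowercase)."""
    processors = []
    for row in mapping:
        src, dst, action = row["source_field"], row["destination_field"], row["format_action"]
        processors.append({"rename": {"field": src, "target_field": dst, "ignore_missing": True}})
        if action in CONVERT_TYPES:
            processors.append({"convert": {"field": dst, "type": CONVERT_TYPES[action],
                                           "ignore_missing": True}})
        elif action in ("lowercase", "uppercase"):
            processors.append({action: {"field": dst, "ignore_missing": True}})
    return {"description": description, "processors": processors}


if __name__ == "__main__":
    mapping = load_mapping(MAPPING_CSV)
    print(json.dumps(to_ecs(SAMPLE_LINE, mapping), indent=2))
    print(json.dumps(to_ingest_pipeline(mapping), indent=2))
```

The generated pipeline body can be loaded with `PUT _ingest/pipeline/<name>` and exercised against a sample document with `_ingest/pipeline/_simulate` before any device traffic is pointed at it. Two things worth checking for every new source: that converted values match the ECS field's declared type (a `long` written into a keyword field, or vice versa, will cause mapping conflicts later), and that fields you have not mapped yet still land somewhere queryable instead of being silently dropped, which is why the example keeps `event.original` and a vendor namespace.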