My use case is Cisco ASA firewall logs, but I think these questions apply more broadly.
I am trying to do the parsing of Cisco ASA logs in Logstash, not using Filebeat.
1. I'd like to not reinvent the wheel, so where can I find the Filebeat Cisco module's code that does this parsing, so that I can use that code in Logstash parsing?
2. There is a logstash-patterns-core/patterns/firewall file. (logstash-patterns-core) But it doesn't map fields to ECS field names. For example, it uses src_ip instead of source.address. Why on earth would Elastic put out this file and not use ECS field names?
3. Related to #1, I've looked and looked and looked. Is there an updated GitHub page for mapping Cisco ASA to ECS fields? I would expect it to be the one I linked to already, but using custom, non-ECS fields is a non-starter.