Logstash Patterns - Firewalls - Best Place to Find it

My use case is Cisco ASA firewall logs but I think these questions apply more broadly.

I am trying to do the parsing of Cisco ASA logs in logstash, not using Filebeat.

  1. I'd like to not reinvent the wheel so where can I find the Filebeat Cisco module's code that does this parsing, so that I can use that code in logstash parsing?

  2. There is a logstash-patterns-core/patterns/firewall file. (logstash-patterns-core) But it doesn't map fields to ECS field names. For example it uses src_ip instead of source.address. Why on earth would elastic put out this file and not use ECS field names?

  3. Related to #1, I've looked and looked and looked. Is there an updated github page for mapping Cisco ASA to ECS fields? I would expect it to be the one I linked to already, but using custom, non-ECS fields is a non-starter.

Hi,

Have a look here: https://github.com/elastic/beats/tree/master/x-pack/filebeat/module/cisco

In particular, here is the ingest pipeline for Elasticsearch including the grok patterns: https://github.com/elastic/beats/blob/master/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml

Best regards
Wolfram
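To make the ECS point from the question concrete, below is an added example written for this page. It is not the Filebeat cisco module's grok patterns, not code from the linked ingest pipeline, and not something either poster wrote. It parses three constructed ASA syslog lines (made up for the example, not captured from a real firewall) into a flat dict keyed by ECS field names such as source.ip, destination.port, network.transport and rule.name, instead of the legacy src_ip style names in logstash-patterns-core. The field names are real ECS fields; which ECS field receives which ASA value is my choice, and cisco.asa.connection_id is a custom, non-ECS field that I added because ECS has no slot for the ASA connection id. It is Python rather than a Logstash pipeline because it can be run and checked standalone; the same regexes and field names carry over to a grok filter plus mutate/convert in logstash.

```python
import re
from typing import Dict, List, Optional

# Constructed sample ASA syslog lines for this example (not real firewall output).
SAMPLE_LOGS: List[str] = [
    "<166>Mar 10 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 8841 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (192.0.2.1/51234)",
    "<164>Mar 10 12:00:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/41234 "
    'dst inside:10.0.0.8/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "<166>Mar 10 12:00:03 fw01 %ASA-6-302014: Teardown TCP connection 8841 for "
    "outside:203.0.113.5/443 to inside:10.0.0.5/51234 duration 0:00:02 bytes 5120 TCP FINs",
]

# Syslog/ASA header: optional <PRI>, timestamp, host, then %ASA-<severity>-<message id>: <text>
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<code>\d{6}): (?P<msg>.*)$"
)

# interface:ip/port endpoint, reused for source (p="s") and destination (p="d")
_EP = r"(?P<{p}if>[^:\s]+):(?P<{p}ip>[\d.]+)/(?P<{p}port>\d+)"

# One body regex per ASA message id covered here (302013, 302014, 106023).
BODY_RE: Dict[str, "re.Pattern[str]"] = {
    "302013": re.compile(
        r"^Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection (?P<conn>\d+) for "
        + _EP.format(p="s") + r" \([\d.]+/\d+\) to " + _EP.format(p="d") + r" \([\d.]+/\d+\)"
    ),
    "302014": re.compile(
        r"^Teardown (?P<proto>\w+) connection (?P<conn>\d+) for "
        + _EP.format(p="s") + r" to " + _EP.format(p="d")
        + r" duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
    ),
    "106023": re.compile(
        r"^Deny (?P<proto>\w+) src " + _EP.format(p="s") + r" dst " + _EP.format(p="d")
        + r' by access-group "(?P<acl>[^"]+)"'
    ),
}

# ECS event.type values (all from the ECS allowed list); mapping per message id is my choice.
EVENT_TYPE = {
    "302013": ["connection", "start"],
    "302014": ["connection", "end"],
    "106023": ["connection", "denied"],
}


def parse_asa(line: str) -> Optional[Dict[str, object]]:
    """Parse one ASA syslog line into a flat dict keyed by dotted ECS field names.

    Returns None if the header is not an ASA message. A known header with an
    unhandled message id still returns the header fields, so nothing is dropped
    silently; a real pipeline would tag such events for pattern coverage.
    """
    h = HEADER_RE.match(line)
    if not h:
        return None
    code = h.group("code")
    ev: Dict[str, object] = {
        "observer.vendor": "Cisco",
        "observer.product": "ASA",
        "observer.hostname": h.group("host"),
        "event.code": code,
        "event.severity": int(h.group("sev")),
        "message": h.group("msg"),
    }
    body_re = BODY_RE.get(code)
    b = body_re.match(h.group("msg")) if body_re else None
    if not b:
        return ev
    g = b.groupdict()
    ev.update({
        "event.type": EVENT_TYPE[code],
        "network.transport": g["proto"].lower(),
        "source.ip": g["sip"],
        "source.port": int(g["sport"]),
        "destination.ip": g["dip"],
        "destination.port": int(g["dport"]),
        "observer.ingress.interface.name": g["sif"],
        "observer.egress.interface.name": g["dif"],
    })
    if g.get("dir"):
        ev["network.direction"] = g["dir"]          # ECS allows inbound/outbound
    if g.get("conn"):
        ev["cisco.asa.connection_id"] = g["conn"]   # custom field, no ECS equivalent
    if g.get("acl"):
        ev["rule.name"] = g["acl"]
    if g.get("bytes"):
        ev["network.bytes"] = int(g["bytes"])
        secs = int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"])
        ev["event.duration"] = secs * 1_000_000_000  # ECS event.duration is in nanoseconds
    return ev


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(parse_asa(raw))
```

Two things to keep when porting this to a logstash grok filter: the numeric fields (ports, bytes, severity) need an explicit convert step or they land in Elasticsearch as strings and break ECS mappings, and lines whose message id has no body pattern should still be indexed with their header fields and a tag rather than failing the whole event, otherwise you will not notice which ASA message ids your patterns do not cover.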