@Michal,
That’s a really good suggestion! Latest p0f is from 2016, so it’s not that maintained anyway I guess. The thing I noticed for software.log is that the OS info gets logged only via software calls from apps like Firefox/Chrome/etc; it would be nice to not rely on this.
Thanks,
What’s needed here is some heuristics. If I see, for example, windows crypto api, BITS, calls to MS services for reporting what usb devices were plugged in, certain DNS lookups - that’s MS.
Apple also has similar services. So does iOS and Android. It’s more an art than a science 
JA3 would also be great.