Thank you for that; however, let me provide you with the configuration sections I am struggling with:
if "RT_IDS" in [tags] {
  grok {
    match => ["messages", "%{CISCOTIMESTAMP} %{IP} %{WORD:Nr} %{SYSLOG5424PRI}1 %{TIMESTAMP_ISO8601} %{IP} %{WORD} - - - %{TIMESTAMP_ISO8601:Date} %{CISCOTAG} RT_IDS - RT_SCREEN_TCP_LS %{SYSLOG5424SD}"]
    add_tag => "RT_IDS"
  }
  date {
    locale => "en"
    match => ["Date",
              "yyyy-mm-dd'T'HH:mm:ss.SSSZ",
              "ISO8601"]
    timezone => "Africa/Windhoek"
    target => "@timestamp"
    add_field => { "debug" => "timestampMatched"}
  }