Cisco ASA/FTD parsing in filebeat

Is there a way within the filebeat config to get `log.source.address` with just an IP address in it? Whenever I direct syslog traffic to the filebeat collector, the sender IP address and the sending port are both present within the field "log.source.address", making it impossible to filter by source, as the source port will change depending on the activity.

The filebeat config is as follows:

```yaml
- module: cisco
  asa:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9002
    var.log_level: 6
```

JSON output showing the issue (I've removed a lot of content from this for privacy):

```json
{
  "_index": "filebeat-7.13.0-2021.06.03-000006",
  "_type": "_doc",
  "_id": "lwXb1XkB4Jv7_rVa0AhU",
  "_version": 1,
  "_score": null,
  "fields": {
    "event.category": [ "network" ],
    "ecs.version": [ "1.9.0" ],
    "log.source.address": [ "10.1.1.1:514" ],
    "event.dataset": [ "cisco.asa" ]
  },
  "sort": [ 1622794218000 ]
}
```

The Cisco ASA config is as follows:

```
logging enable
logging timestamp
logging list vpn level debugging class vpn
logging list vpn level debugging class vpnfo
logging buffer-size 1048576
logging monitor informational
logging buffered critical
logging trap informational
logging asdm vpn
logging from-address FIREWALL@COMPANY
logging host inside FILEBEAT 17/9002
logging permit-hostdown
no logging message 304001
logging rate-limit 60 1 level 3
logging rate-limit 60 1 level 4
logging rate-limit 120 1 level 5
logging rate-limit 120 1 level 6
logging rate-limit 120 1 level 7
```

Can anyone help with the parsing issue identified at all?

Thanks
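One way to split the `host:port` value on the Filebeat side, as an added example that is not part of the original post: a `dissect` processor in `filebeat.yml` writes the two halves to separate fields, and a `convert` processor types them so the IP can be filtered and aggregated on its own. The target field names `log.source.ip` and `log.source.port` are an assumed naming choice, not ECS fields, and the snippet assumes the module config above stays as it is.

```yaml
# Added example (not from the original post). Place at the top level of
# filebeat.yml; processors here run on every event before it is shipped,
# so the "when" guards limit them to events that carry the address field.
# Field names log.source.ip / log.source.port are an assumed choice, not ECS.
processors:
  - dissect:
      when:
        has_fields: ["log.source.address"]
      field: "log.source.address"
      # "10.1.1.1:514" -> log.source.ip = "10.1.1.1", log.source.port = "514"
      tokenizer: "%{ip}:%{port}"
      target_prefix: "log.source"
      # If the value is not host:port (e.g. a bare IPv6 literal), leave the
      # event untouched rather than dropping it.
      ignore_failure: true
  - convert:
      when:
        has_fields: ["log.source.ip"]
      fields:
        - { from: "log.source.ip", type: "ip" }
        - { from: "log.source.port", type: "integer" }
      # Keep the original string values if a conversion does not apply.
      ignore_failure: true
```

With this in place, filtering in Kibana on `log.source.ip: 10.1.1.1` matches the firewall regardless of which source port the ASA used for a given message, while `log.source.address` is preserved unchanged.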
