Hello,
The ingest pipeline is not parsing the IPSEC messages from the Cisco ASA (602303/602304) correctly. I am using Filebeat 7.13.1 and the problem is in the filebeat-7.13.1-cisco-asa-asa-ftd-pipeline.
2021-06-08T13:04:34.218+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc027f18f6b1d8fb2, ext:5791826777703, loc:(*time.Location)(0x557298082dc0)}, Meta:{"pipeline":"filebeat-7.13.1-cisco-asa-asa-ftd-pipeline","truncated":false}, Fields:{"agent":{"ephemeral_id":"ff7b578b-76ea-457d-af87-bc4607504f7a","hostname":"xxx","id":"5004e7e5-76fb-4115-993c-fd25bda126c3","name":"xxx","type":"filebeat","version":"7.13.1"},"ecs":{"version":"1.9.0"},"event":{"dataset":"cisco.asa","module":"cisco","timezone":"+02:00"},"fileset":{"name":"asa"},"input":{"type":"udp"},"log":{"source":{"address":"xxx"}},"message":"\u003c166\u003egsn-v003 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x2D0773E5) between xxx and xxx (user= xxx) has been created.\n","service":{"type":"cisco"},"tags":["cisco-asa","forwarded"]}, Private:interface {}(nil), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"object mapping for [network.inner] tried to parse field [inner] as object, but found a concrete value"}
I replaced all valuable data with xxx, but from the error message it should be clear what the problem is.
If I change the field name network.inner, it works as expected.
Best regards!
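
The rejection reported above, reproduced offline as an added example (not part of the original post and not Filebeat's own code): a small checker that walks an event against an index mapping and flags any field mapped as an object that receives a concrete value. The mapping fragment is constructed and modelled on ECS, where `network.inner` is an object holding `vlan.id` and `vlan.name`; the event values and the renamed field `sa_type_example` are assumptions.

```python
# Constructed mapping fragment modelled on ECS: network.inner is an object.
# It is not copied from the Filebeat index template.
MAPPING = {
    "network": {"properties": {
        "direction": {"type": "keyword"},
        "inner": {"properties": {
            "vlan": {"properties": {
                "id": {"type": "keyword"},
                "name": {"type": "keyword"},
            }},
        }},
    }},
}

# Constructed events: what a pipeline that writes a string into network.inner
# would emit, and the same event with the field renamed (hypothetical name).
BAD_EVENT = {"network": {"direction": "outbound", "inner": "LAN-to-LAN"}}
RENAMED_EVENT = {"network": {"direction": "outbound",
                             "sa_type_example": "LAN-to-LAN"}}


def find_conflicts(doc, properties, path=""):
    """Return (field, problem) pairs where an object-mapped field gets a scalar."""
    conflicts = []
    for key, value in doc.items():
        field = f"{path}.{key}" if path else key
        spec = properties.get(key)
        if spec is None or "properties" not in spec:
            continue  # unmapped or leaf-typed fields are outside this check
        # An object mapping accepts a single object or an array of objects.
        items = value if isinstance(value, list) else [value]
        for item in items:
            if item is None:
                continue  # nulls are accepted
            if isinstance(item, dict):
                conflicts.extend(find_conflicts(item, spec["properties"], field))
            else:
                conflicts.append((field, "mapped as object, got concrete value"))
    return conflicts


if __name__ == "__main__":
    for name, event in (("bad", BAD_EVENT), ("renamed", RENAMED_EVENT)):
        print(name, find_conflicts(event, MAPPING))
```

Running a check like this over simulated pipeline output before rollout catches the conflict while the events can still be fixed, instead of leaving firewall logs rejected with status 400 at index time.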