Dear Team,
We are currently ingesting Cisco ASA logs to our elasticsearch cluster using cisco asa module [ECS] which comes with filebeat. After verifying the logs in elasticsearch we could understand that Source.address and destination.address is reversed. Please see the snippet below.
Firewall Logs - Showing the correct flow
Elasticsearch Discovery log console. - Showing the destination IP as source and Source which is our Internal IP as destination
We have checked this on multiple firewalls we have and we see this on all the cisco asa firewalls integrated to elasticsearch cluster
Please let me know if we can do anything to correct this
Thanks,
Ajesh