Cisco ASA module Source and Destination IP incorrect

Dear Team,

We are currently ingesting Cisco ASA logs into our Elasticsearch cluster using the Cisco ASA module [ECS] which comes with Filebeat. After verifying the logs in Elasticsearch we could understand that source.address and destination.address are reversed. Please see the snippet below.

Firewall Logs - Showing the correct flow

Elasticsearch Discovery log console - Showing the destination IP as source, and the source, which is our internal IP, as destination

We have checked this on multiple firewalls we have, and we see this on all the Cisco ASA firewalls integrated with the Elasticsearch cluster.

Please let me know if we can do anything to correct this.

