Cisco ASA module Source and Destination IP incorrect

ajesh · December 4, 2020, 2:04pm

Dear Team,

We are currently ingesting Cisco ASA logs to our elasticsearch cluster using cisco asa module [ECS] which comes with filebeat. After verifying the logs in elasticsearch we could understand that Source.address and destination.address is reversed. Please see the snippet below.

Firewall Logs - Showing the correct flow

Elasticsearch Discovery log console. - Showing the destination IP as source and Source which is our Internal IP as destination

We have checked this on multiple firewalls we have and we see this on all the cisco asa firewalls integrated to elasticsearch cluster

Please let me know if we can do anything to correct this

Thanks,
Ajesh

system · January 1, 2021, 4:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat cisco asa module source and destination IP showing reversed Beats filebeat	3	488	February 18, 2021
[filebeat ASA Module] outbound traffic log is parsed in reverse for the source and destination IP Beats filebeat	2	203	August 23, 2023
Filebeat cisco module not parsing ASA logs Beats filebeat	1	378	November 6, 2019
Filebeat, Cisco ASA and ECS fields Beats filebeat	6	1493	August 13, 2020
Should filebeat's cisco module export ecs fields when outputting to non-elasticsearch Beats beats-module , filebeat	5	825	December 9, 2020

Cisco ASA module Source and Destination IP incorrect

Related Topics