The Filebeat 7.5 Cisco module is successfully sending asa, ftd and ios documents to Elasticsearch. Using the pipelines created by filebeat modules cisco --pipelines, the documents are being parsed nicely and stats are visible in the respective Kibana dashboards.
However, I can now no longer query any word or phrase in the event.original field, which is equivalent to the message field for documents that did not use the pipeline. If a document is indexed without using the pipeline, I can query words or phrases in the equivalent message field. I can also query the log.original field of the cisco-ios pipeline, but not event.original of the cisco-ftd pipeline.
I see from GET _ingest/pipeline that the filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline seems to convert message to log.original and then to event.original in some way. I have to assume that something about this process is what makes that field unqueryable.
{
  "rename" : {
    "field" : "log.original",
    "target_field" : "event.original",
    "ignore_missing" : true
  }
}
Any advice on how I might be able to query words or phrases on event.original in these documents?
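Editor's note, added to this post and not written by the original poster: a rename processor only moves the value between fields in _source; whether a field can be searched is decided by the index mapping, not by the pipeline. The check to run is GET filebeat-*/_mapping and look at how event.original is mapped. The script below walks such a mapping response and lists every field that cannot be queried, i.e. a leaf mapped with "index": false or an object mapped with "enabled": false. The SAMPLE_MAPPING it ships with is constructed for illustration; that it maps event.original as a non-indexed keyword while log.original and message are indexed is an assumption about the Filebeat ECS template to verify against the real cluster, not a fact taken from this thread.

```python
"""List fields in an Elasticsearch mapping that cannot be searched.

A leaf field mapped with "index": false has no inverted index and an
object mapped with "enabled": false is not parsed at all; both are kept
in _source, so they are visible in Discover, yet match/term/KQL queries
on them return nothing or fail with "Cannot search on field ...".
"""
import json
import sys
from typing import Dict, Iterator, List, Tuple

# Constructed sample, shaped like a trimmed GET filebeat-*/_mapping response.
# ASSUMPTION: event.original is a non-indexed keyword while log.original and
# message are indexed. Confirm against the real cluster before relying on it.
SAMPLE_MAPPING = {
    "filebeat-7.5.0-2020.01.01": {
        "mappings": {
            "properties": {
                "message": {"type": "text", "norms": False},
                "event": {
                    "properties": {
                        "original": {"type": "keyword", "index": False,
                                     "doc_values": False, "ignore_above": 1024},
                        "dataset": {"type": "keyword", "ignore_above": 1024},
                    }
                },
                "log": {
                    "properties": {
                        "original": {"type": "keyword", "ignore_above": 1024},
                        "level": {"type": "keyword", "ignore_above": 1024},
                    }
                },
                "cisco": {
                    # A disabled object: nothing beneath it is searchable.
                    "properties": {"ftd": {"enabled": False}}
                },
            }
        }
    }
}


def iter_fields(properties: dict, prefix: str = "") -> Iterator[Tuple[str, dict]]:
    """Yield (dotted_path, definition) for every leaf field, multi-fields included."""
    for name, spec in properties.items():
        path = f"{prefix}.{name}" if prefix else name
        if "properties" in spec:              # object field: descend into it
            yield from iter_fields(spec["properties"], path)
        else:
            yield path, spec
            # Multi-fields such as message.keyword live under "fields".
            for sub, subspec in spec.get("fields", {}).items():
                yield f"{path}.{sub}", subspec


def is_searchable(spec: dict) -> bool:
    """Searchable unless explicitly not indexed or part of a disabled object."""
    return spec.get("index", True) is not False and spec.get("enabled", True) is not False


def unsearchable_fields(mapping: dict) -> Dict[str, List[str]]:
    """index name -> sorted dotted paths of fields that queries cannot reach."""
    result: Dict[str, List[str]] = {}
    for index_name, body in mapping.items():
        props = body.get("mappings", {}).get("properties", {})
        result[index_name] = sorted(
            path for path, spec in iter_fields(props) if not is_searchable(spec)
        )
    return result


def field_spec(mapping: dict, index_name: str, dotted: str) -> dict:
    """Return one field's definition by dotted path, e.g. 'event.original'."""
    props = mapping[index_name]["mappings"]["properties"]
    for path, spec in iter_fields(props):
        if path == dotted:
            return spec
    raise KeyError(dotted)


if __name__ == "__main__":
    # Offline run uses the constructed sample. With a real cluster, save the
    # response of GET filebeat-*/_mapping to a file and pass its path as argv[1].
    mapping = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MAPPING
    for index_name, fields in unsearchable_fields(mapping).items():
        print(index_name)
        for field in fields:
            print("  not searchable:", field)
```

If event.original shows up in this list on the real index, the pipeline is working as designed and the mapping is what blocks the query; the fix then belongs in the index template (an indexed copy or multi-field of the raw line) rather than in the rename processor.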