We are collecting Cisco ASA logs on Filebeat using the cisco module through syslog.
What we are facing is that some events are parsed correctly whereas others are not. As per our troubleshooting, we are collecting logs from ASA in two different formats, where cisco.asa.message_id, event.severity and log.level are parsed correctly for all the events, but other fields like source IP, destination IP, ... are only parsed for one type of format, which is given below:
%ASA-4-106023: Deny udp src Region:x.x.x.x/53814 dst inside:x.x.x.x/162 by access-group "Region_access_in" [0xc86210f4, 0x0]
%ASA-6-106015: Deny TCP (no connection) from x.x.x.x/32801 to x.x.x.x/8080 flags RST on interface client
The log format with the problem is as below:
%ASA-6-302013: Built inbound TCP connection 4285426846 for LAN:x.x.x.x/65380 (x.x.x.x/65380) to DMZ:x.x.x.x/8080 (x.x.x.x/8080)
It looks like the problem is with the repeated IP/port values as highlighted. We would appreciate it if anyone could guide us to where we can correct the parser to handle such log entries.
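As an added example (not the Filebeat cisco module's own ingest pipeline), the following Python regex parser treats the parenthesised "(ip/port)" after each endpoint in the 302013 line as an optional NAT-mapped group, so a single endpoint pattern covers all three message formats above. The sample lines and placeholder addresses are constructed, and the ECS-style output field names (source.nat.ip etc.) are an assumption about how such fields would be mapped.

```python
import re

# Constructed sample lines mirroring the three formats in the post (placeholder addresses).
SAMPLE_LINES = [
    '%ASA-4-106023: Deny udp src Region:10.0.0.1/53814 dst inside:10.0.0.2/162 '
    'by access-group "Region_access_in" [0xc86210f4, 0x0]',
    '%ASA-6-106015: Deny TCP (no connection) from 10.0.0.3/32801 to 10.0.0.4/8080 '
    'flags RST on interface client',
    '%ASA-6-302013: Built inbound TCP connection 4285426846 for LAN:10.0.0.5/65380 '
    '(10.0.0.5/65380) to DMZ:10.0.0.6/8080 (10.0.0.6/8080)',
]

HEADER = re.compile(r'^%ASA-(?P<severity>\d)-(?P<message_id>\d+):\s*(?P<body>.*)$')

# One endpoint: optional "iface:" prefix, ip/port, then an OPTIONAL "(ip/port)"
# group holding the NAT-mapped address. Making that group optional is what lets
# the same pattern cover 106023/106015 (no parentheses) and 302013 (with them).
ENDPOINT = (r'(?:(?P<{p}_iface>[\w-]+):)?(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)'
            r'(?:\s+\((?P<{p}_nat_ip>[\d.]+)/(?P<{p}_nat_port>\d+)\))?')
SRC, DST = ENDPOINT.format(p='src'), ENDPOINT.format(p='dst')

BODY_PATTERNS = {
    '106023': re.compile(r'Deny (?P<proto>\w+) src ' + SRC + r' dst ' + DST
                         + r' by access-group "(?P<acl>[^"]+)"'),
    '106015': re.compile(r'Deny (?P<proto>\w+) \(no connection\) from ' + SRC
                         + r' to ' + DST + r' flags (?P<flags>.+?) on interface (?P<iface>\S+)'),
    '302013': re.compile(r'Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection '
                         r'(?P<conn_id>\d+) for ' + SRC + r' to ' + DST),
}

# Regex group name -> assumed ECS-style field name (mapping is an assumption, not the module's).
ECS_NAMES = {'src_ip': 'source.ip', 'src_port': 'source.port',
             'src_nat_ip': 'source.nat.ip', 'src_nat_port': 'source.nat.port',
             'dst_ip': 'destination.ip', 'dst_port': 'destination.port',
             'dst_nat_ip': 'destination.nat.ip', 'dst_nat_port': 'destination.nat.port'}


def parse_asa(line):
    """Parse one ASA syslog line into a flat dict: header fields always, body fields when matched."""
    m = HEADER.match(line)
    if not m:
        return {}
    fields = {'event.severity': int(m['severity']), 'cisco.asa.message_id': m['message_id']}
    pat = BODY_PATTERNS.get(m['message_id'])
    b = pat.match(m['body']) if pat else None
    if b:
        for name, value in b.groupdict().items():
            if value is not None:  # absent optional NAT groups are simply not emitted
                fields[ECS_NAMES.get(name, name)] = value
    return fields
```

Running parse_asa over SAMPLE_LINES shows the 302013 line yielding both the real and the NAT-mapped endpoints, while the other two lines yield only the real ones.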