I don't have an ASA Firewall to play with, but by looking at a manual I found online, it doesn't look like you can change the timestamp format. We have to update the syslog message parser to make it support more formats.
In the meantime, I had some success by doing this change:
diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml
index 32e87abc8..9d23b77f2 100644
--- a/x-pack/filebeat/module/cisco/asa/config/input.yml
+++ b/x-pack/filebeat/module/cisco/asa/config/input.yml
@@ -1,8 +1,7 @@
{{ if eq .input "syslog" }}
-type: syslog
-protocol.udp:
- host: "{{.syslog_host}}:{{.syslog_port}}"
+type: udp
+host: "{{.syslog_host}}:{{.syslog_port}}"
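Review bot: The 'type: udp' line sits under the unchanged '{{ if eq .input "syslog" }}' condition with no comment saying that this branch no longer uses the syslog input, so the syslog header, including the original timestamp, is passed on unparsed. Suggest a comment on that line marking it as a workaround for timestamp formats the syslog parser does not accept. The hunk header declares 8 old lines and 7 new ones but only part of the hunk is visible here, so it is also worth checking that the remaining options in this branch are still valid for a udp input.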
(This file is probably /etc/filebeat/module/cisco/asa/config/input.yml in your installation, or C:\program files\filebeat\module\... in Windows)
But you will lose the original timestamp in the messages as it won't be parsed.
I will create an issue to support more syslog formats.
Edit: we have this https://github.com/elastic/beats/issues/6872