I hope this helps someone ...
I've been having a *mare getting the Cisco ASA module to recognise logs input to UDP/9001. I could see the records hit my machine via TCPDUMP, but nothing showed up when I ran "filebeat -e".
Turned out that I needed to tick the "enable timestamp on syslogs messages" in "configuration->device management->logging->syslog setup", and choose 'RFC5424' as timestamp format on the same page.
I'm sure these facts must be documented somewhere, but I'm too much of a newbie to find them.
Hope this helps some other poor newbie save a day of their life.
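An added example, not part of the original post: a small Python checker that reports which timestamp form each captured syslog payload carries, so the ASA setting described above can be confirmed from a packet capture before troubleshooting Filebeat itself. The sample payloads and the assumed line layouts are constructed for illustration; `classify` and `summarize` are hypothetical helper names.

```python
import re

# Optional syslog priority prefix such as "<166>".
PRI = re.compile(r"^<\d{1,3}>")
# RFC 5424 style timestamp, e.g. 2024-03-01T10:15:30Z or ...30.123+01:00
RFC5424_TS = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})(?=\s)"
)
# Legacy timestamp, with or without a year, e.g. "Mar 01 2024 10:15:30"
LEGACY_TS = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}"
    r"(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}"
)
# ASA message tag such as %ASA-6-302013
ASA_TAG = re.compile(r"%ASA-\d-\d+")


def classify(payload: str) -> str:
    """Return 'rfc5424', 'legacy', 'none' or 'not-asa' for one syslog payload."""
    if not ASA_TAG.search(payload):
        return "not-asa"
    body = PRI.sub("", payload.strip(), count=1).lstrip()
    # Full RFC 5424 framing puts a version digit ("1 ") before the timestamp.
    body = re.sub(r"^1\s+(?=\d{4}-)", "", body)
    if RFC5424_TS.match(body):
        return "rfc5424"
    if LEGACY_TS.match(body):
        return "legacy"
    return "none"


def summarize(payloads):
    """Count payloads per timestamp form."""
    counts = {}
    for p in payloads:
        kind = classify(p)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample payloads (assumed layouts, documentation addresses only).
SAMPLES = [
    "<166>%ASA-6-302013: Built outbound TCP connection 1 for outside:192.0.2.10/443",
    "<166>Mar 01 2024 10:15:30: %ASA-6-302013: Built outbound TCP connection 1",
    "<166>2024-03-01T10:15:30Z fw01 : %ASA-6-302013: Built outbound TCP connection 1",
    "<13>Mar  1 10:15:30 host sshd[1]: session opened",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):8} {line}")
```

Feed it the text payloads extracted from a capture on UDP/9001; a result of `none` or `legacy` means the timestamp settings from the post have not taken effect on the device.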