Newb question. Parsing a Cisco ASA log. I've noticed some of my logs don't match the built-in parsers. Here is one in particular, 305011.
This is the default pattern.
CISCOFW305011 %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}
My log that fails to parse looks like
{"message":"<166>Sep 23 2019 16:14:47 xxx-fw-p01 : %ASA-6-305011: Built dynamic TCP translation from outside:10.1.1.27/49387(LOCAL\smeyer) to outside:outside-asa/49387\n","host":"99.99.99.51","@version":"1","tags":["_grokparsefailure"],"@timestamp":"2019-09-23T21:16:07.514Z"}
From using http://grokdebug.herokuapp.com/, I deduced that it fails to match because, for example, the filter is looking for an IP when the log presents a hostname. I managed to get it to match if I change the end of the filter to %{WORD:src_xlated_interface}:%{DATA:src_xlated_ip}/%{INT:src_xlated_port} instead of %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}.
I would not have expected to need to edit the built-in patterns. Plus, I have no idea if the second Cisco ASA that logs to it might match the 1st or the 2nd pattern. I don't particularly want to manage multiple permutations of every possible pattern. Do other people have this problem? Are people editing the built-in patterns?
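
One way to cover both variants with a single expression, as an added example that is not part of the original post or of the stock Logstash patterns: the stock `IPORHOST` pattern replaces `IP` in both address positions, so a line parses whether the ASA prints an address or a name. The pattern name `ASA305011_ANYADDR` is made up for this example, the field names are the ones from the default pattern quoted above, and the example assumes the stock pattern file is left untouched.

```logstash
filter {
  grok {
    # Added example: ASA305011_ANYADDR is a local, hypothetical pattern name.
    # It is defined inline, so the shipped pattern files are not edited.
    pattern_definitions => {
      # Same shape as the default CISCOFW305011, with two changes:
      #  - IPORHOST instead of IP for src_ip and src_xlated_ip, so a name
      #    such as "outside-asa" is accepted as well as 10.1.1.27
      #  - INT instead of DATA for the translated port, as in the post
      # [(] and [)] stand for literal parentheses around the firewall user
      # and avoid depending on how backslashes are handled in config strings.
      "ASA305011_ANYADDR" => "%{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?([(]%{DATA:src_fwuser}[)])? to %{DATA:src_xlated_interface}:%{IPORHOST:src_xlated_ip}/%{INT:src_xlated_port}"
    }

    # Grok is unanchored, so the syslog prefix and "%ASA-6-305011: " ahead
    # of "Built dynamic TCP translation ..." do not need to be matched here.
    match => { "message" => "%{ASA305011_ANYADDR}" }
  }
}
```

With this filter the sample line above yields `src_ip` = `10.1.1.27`, `src_fwuser` = `LOCAL\smeyer` and `src_xlated_ip` = `outside-asa`; a line that carries an IP in the translated position populates the same fields.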