Issues with Filebeat and Cisco ASA Parsing

The module is working well, but I am getting a couple of errors that cause some messages not to parse. The first is that an ICMP code is too large for the short it is stored in. The bigger issue is with message ID 106023: I am receiving messages that could have either an IP address or a host name. The pipeline is only expecting an IP address.

pattern: "%{event.outcome} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} %{} access%{}group \"%{_temp_.cisco.list_id}\"%{}"

I tried to mimic the grok patterns from the 302xxx messages, but that just caused me to exceed the script compilations limit. I am still fairly new to customizing a beat pipeline, so I wanted to see if anyone had some ideas on how to get the messages to parse for both IP and host name in the destination.
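
One way to accept either an IP address or a host name in the 106023 pattern quoted above, as an added example that is not part of the original post or the module's own pipeline. It adds no `if` conditions or `script` processors, which are the processor features that compile Painless. The `_temp_.cisco.source_address` and `_temp_.cisco.destination_address` field names, the `message` input field and the use of `*.domain` for non-IP values are assumptions.

```yaml
# Added example: constructed fragment of an Elasticsearch ingest pipeline.
# Any condition already on the existing 106023 processor is left out here.
processors:
  # Same pattern as in the post, except that both address slots are captured
  # as plain strings in hypothetical temp fields instead of directly as *.ip.
  - dissect:
      field: message   # assumption: the field holding the message body
      pattern: "%{event.outcome} %{network.transport} src %{_temp_.cisco.source_interface}:%{_temp_.cisco.source_address}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{_temp_.cisco.destination_address}/%{destination.port} %{} access%{}group \"%{_temp_.cisco.list_id}\"%{}"

  # Anchored alternation: a value that is entirely an IPv4/IPv6 literal goes
  # to destination.ip; anything else (an ASA name or FQDN) is kept as
  # destination.domain, so the document is indexed instead of rejected.
  - grok:
      field: _temp_.cisco.destination_address
      ignore_missing: true
      patterns:
        - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$"

  # Same split for the source side.
  - grok:
      field: _temp_.cisco.source_address
      ignore_missing: true
      patterns:
        - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$"

  # Drop the intermediate strings once they have been classified.
  - remove:
      field:
        - _temp_.cisco.source_address
        - _temp_.cisco.destination_address
      ignore_missing: true
```

The `^...$` anchors matter: without them a name such as `10.1.1.1.example.internal` (constructed) would match `%{IP}` on its leading digits and lose the rest of the value.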
