in a test environment we collect, parse/grok firewall log messages and put them into elasticsearch - using logstash. The logs are received using tcp input. In the processed logs I noticed another field which was not parsed/groked - called port. Somehow I realised that this port has nothing to do with the firewall logs as such but it is the port which is used on the firewall for connecting to logstash in order to forward the logs. At the end it is written to the index.
Might I be missing anything here?