After reading this post I issued the "logging device-id hostname" command on the ASA devices.
Now I can see the messages below in the "Logs" tab.
I started to see Network events from the Filebeat Cisco module in SIEM.
I also see that not all logs are passed correctly. Is this behavior a bug, or can I help Filebeat by issuing some command on an ASA?
I can now see some data in the default dashboard.
Is it proper to have a config like the one below, or should I delete the paths for asa or ftd?
- module: cisco
  asa:
    enabled: true
    var.paths: ["/var/log/syslog/ASA1.log","/var/log/syslog/ASA2.log"]
    var.input: "file"
  ftd:
    enabled: true
    var.paths: ["/var/log/syslog/ASA1.log","/var/log/syslog/ASA2.log"]
    var.input: "file"