I think I solved it.
The ASA "module" in filebeat writes this ingest pipeline to Elasticsearch. That uses the grok processor along with the date processor to handle a range of date formats, together with the dissect processor to match various log lines and parse fields out of them.
All this means that messages are only parsed if and when they are written into Elasticsearch.