Something to beware of is that ASAs can generate syslogs in a variety of formats: with and without timestamp, with and without hostname. There are configuration options which can control this:
logging timestamp
logging device-id hostname
Filebeat does not like messages without hostname (which is non-standard anyway)
If you set those two options you should get something that approximates standard syslog format, although I found I got a spurious colon by itself.
<164>Sep 04 2019 16:50:52 ldex-asa1 : %ASA-4-402116: IPSEC: Received an ESP packet...
IOS is worse: messages can also be prefixed by sequence numbers ([no] service sequence-numbers)
Since the parsing of messages is split between filebeat and ES pipelines, you'll have to check how filebeat does the initial breakdown of the message into JSON, and what fields the ES pipeline expects in its input.