I am using Filebeat to collect syslogs from a Cisco Firepower IPS straight to Logstash. Filebeat is able to parse the time; the issue is that Firepower sends the time in RFC3164 in UTC. Filebeat is parsing the syslog timestamp but removing another hour, so my logs are an hour behind UTC.
Is it possible to access the original unparsed message in Logstash so that I can get the SYSLOGTIMESTAMP?
I have been trying to use the below in Logstash to no avail.

```conf
date {
  match => ["timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"]  # RFC3164 space-pads single-digit days
  timezone => "UTC"
}
```
Looking at the pipelines in Filebeat for Elasticsearch, it looks as though it expects the full syslog message.
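For reference, the following is an added example of a Logstash filter that does the timestamp parsing itself, so the UTC interpretation is under your control. It is not the poster's configuration. It assumes the unparsed syslog line reaches Logstash in the `message` field (for example via a plain `tcp`/`udp` input rather than Filebeat's syslog input), and the field name `syslog_timestamp` is an arbitrary choice.

```conf
# Added example, not from the original post.
# Assumption: the raw RFC3164 line (e.g. "Oct  5 13:22:01 ftd-01 %FTD-1-430001: ...")
# arrives untouched in the "message" field.
filter {
  grok {
    # SYSLOGTIMESTAMP is defined as %{MONTH} +%{MONTHDAY} %{TIME}, so it already
    # tolerates the two spaces RFC3164 uses to pad single-digit days.
    match => {
      "message" => "^(<%{NONNEGINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:syslog_timestamp} %{GREEDYDATA:syslog_message}"
    }
    # Leave the event tagged _grokparsefailure rather than silently keeping
    # the wrong @timestamp if the line does not look like RFC3164.
  }

  if "_grokparsefailure" not in [tags] {
    date {
      # Both day patterns are needed: Joda's "dd" wants a zero-padded day,
      # while RFC3164 emits " 5" for the 5th. ISO8601 covers a sender that
      # has already been normalised upstream.
      match    => ["syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"]
      # The header carries no zone; tell Logstash it is UTC instead of
      # letting it default to the host's local zone.
      timezone => "UTC"
      target   => "@timestamp"
    }
  }
}
```

Two caveats worth checking on real traffic: RFC3164 headers carry no year, so the `date` filter fills in the current one, which can mis-date events received around a year rollover; and if Filebeat's syslog input is still the component parsing the header, look at whether the Filebeat version in use exposes a timezone setting on that input, since Logstash can only correct a timestamp it is given the raw text for.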