When I send syslogs to logstash from my ASA, I get the severity correctly. I prefer to send through rsyslog because It'll let me process archives, but I seem to lose the severity information on my messages when I process input files instead of syslog,
It looks like rsyslog can append pri-text to messages, but I haven't found a way for logstash to process that pri-text "local4.debug:"
Thanks in advance!