Currently having a strange parsing error with Cisco ASA logs.
ASA syslogs are forwarded to Logstash via syslog-ng; a typical line looks like this:
2015-07-31T01:47:35+10:00 10.0.0.25 %ASA-3-313001: Denied ICMP type=3, code=3 from 58.96.9.88 on interface outside
Logstash listens on a TCP port for the forwarded message.
If I send the logs to Logstash with netcat, e.g. "cat asa.logs | nc -vv -n logstash_host 1234", then everything works fine. But if I use syslog-ng to forward (all other syslogs work fine this way) then I get a _grokparsefailure.
I can't work out what the issue is; it's almost like some extra character is getting added in transit. Can't see why the ASA logs would be different to any other.