I'm currently working on a Logstash pipeline for VMware NSX firewall logs coming in over syslog forwarding. Some of the ICMP logs have a couple of numbers between the protocol name and the source and destination IPs that VMware's documentation doesn't reference that I can see. My organization's VMware guy has been less than helpful, to say the least.
Example:
<6>1 2022-09-01T16:28:16.920Z redacted_esx_server_name FIREWALL_PKTLOG - - - INET match PASS 4133 IN 80 ICMP 11 0 10.128.251.19->10.20.128.109
4133 is the rule id and 80 is the packet length. Would anyone know what the 11 and 0 are?
I'd like to be able to make an intelligent decision on whether to map them to fields or not rather than just dropping them.
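The parser below is an added example, not code from the poster, from VMware, or from a Logstash filter: it splits the RFC 5424 header and the FIREWALL_PKTLOG body of the line quoted above into named fields, and shows one way to avoid dropping the two unexplained integers. Field names are my own choice, and the reading of those two integers as the ICMP type and code is an assumption (under that reading 11 0 would be Time Exceeded, code 0); anything the parser cannot map by name is kept in an `unmapped` list rather than discarded, so the decision about indexing can be made later with the data still in hand. The second sample line is constructed only to exercise that fallback and is not real NSX output.

```python
import re

# Constructed sample inputs. SAMPLE_ICMP is the line from the question (hostname already
# redacted there); SAMPLE_UNKNOWN is made up to exercise the fallback path and is not
# real NSX output.
SAMPLE_ICMP = (
    "<6>1 2022-09-01T16:28:16.920Z redacted_esx_server_name FIREWALL_PKTLOG - - - "
    "INET match PASS 4133 IN 80 ICMP 11 0 10.128.251.19->10.20.128.109"
)
SAMPLE_UNKNOWN = (
    "<6>1 2022-09-01T16:28:16.920Z redacted_esx_server_name FIREWALL_PKTLOG - - - "
    "INET match DROP 4200 OUT 60 OTHER 7 8 9 10.0.0.1->10.0.0.2"
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)

# Fixed part of the pktlog body as shown in the question. Everything after the protocol
# name is protocol specific, so it is captured raw and handled below.
PKTLOG_RE = re.compile(
    r"^(?P<family>\S+) (?P<event>\S+) (?P<action>\S+) (?P<rule_id>\d+) "
    r"(?P<direction>IN|OUT) (?P<length>\d+) (?P<protocol>\S+) (?P<rest>.+)$"
)

# IANA ICMP type numbers (RFC 792 and later assignments).
ICMP_TYPE_NAMES = {
    0: "echo-reply", 3: "destination-unreachable", 5: "redirect",
    8: "echo-request", 11: "time-exceeded", 12: "parameter-problem",
}


def parse_nsx_pktlog(line: str) -> dict:
    """Parse one FIREWALL_PKTLOG syslog line into a flat record.

    Known fields are mapped by name; tokens the parser does not understand are kept
    under 'unmapped' so nothing is silently dropped before you decide how to index it.
    """
    hdr = SYSLOG_RE.match(line)
    if hdr is None:
        raise ValueError("not an RFC 5424 syslog line")
    pri = int(hdr["pri"])
    body = PKTLOG_RE.match(hdr["msg"])
    if body is None:
        raise ValueError("not a FIREWALL_PKTLOG body")

    tokens = body["rest"].split()
    # The src->dst pair is the last token in this message shape.
    src, sep, dst = tokens[-1].partition("->")
    if sep == "":
        raise ValueError("missing src->dst endpoint pair")
    middle = tokens[:-1]

    record = {
        "syslog_facility": pri // 8,   # <6> -> facility 0 (kern), severity 6 (info)
        "syslog_severity": pri % 8,
        "timestamp": hdr["timestamp"],
        "host": hdr["host"],
        "app": hdr["app"],
        "family": body["family"],
        "event": body["event"],
        "action": body["action"],
        "rule_id": int(body["rule_id"]),
        "direction": body["direction"],
        "length": int(body["length"]),
        "protocol": body["protocol"],
        "src_ip": src,
        "dst_ip": dst,
    }

    # Assumption: for ICMP the two integers between the protocol and the endpoints are
    # the ICMP type and code (11 0 would then be Time Exceeded, code 0). Anything else
    # is preserved verbatim instead of being dropped.
    if body["protocol"] == "ICMP" and len(middle) == 2 and all(t.isdigit() for t in middle):
        record["icmp_type"] = int(middle[0])
        record["icmp_code"] = int(middle[1])
        record["icmp_type_name"] = ICMP_TYPE_NAMES.get(record["icmp_type"], "unknown")
    elif middle:
        record["unmapped"] = middle
    return record


if __name__ == "__main__":
    for line in (SAMPLE_ICMP, SAMPLE_UNKNOWN):
        for key, value in parse_nsx_pktlog(line).items():
            print(f"{key:>16}: {value}")
        print()
```

Running a few thousand real lines through this and counting how often `unmapped` is non-empty, per protocol, is a quick way to see which token positions are stable enough to deserve a named field in the Logstash grok pattern and which should stay as a catch-all.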