Thank you for your response. As you can see below, my Cisco log contains IPs in A.B.C.D/port format:
%ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group "outsid_access_in" [0x0, 0x0]
and the ossec-logtest output for the above log is:
**Phase 1: Completed pre-decoding.
full event: '%ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group "outsid_access_in" [0x0, 0x0]'
timestamp: '(null)'
hostname: 'nisir'
program_name: '(null)'
log: '%ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group "outsid_access_in" [0x0, 0x0]'
**Phase 2: Completed decoding.
decoder: 'cisco-asa'
id: '4-106023'
action: 'Deny'
protocol: 'tcp'
srcip: 'x.x.x.x'
srcport: '2439'
dstip: 'x.x.x.x'
dstport: '55736'
**Phase 3: Completed filtering (rules).
Rule id: '64004'
Level: '3'
Description: 'ASA warning message.'
**Alert to be generated.
but the Wazuh alerts.json entry is as follows; there is no srcip or dstip:
{"timestamp":"2021-01-06T00:00:06.653+0300","rule":{"level":3,"description":"ASA warning message.","id":"64004","firedtimes":621,"mail":false,"groups":["syslog","cisco","cisco-asa"]},"agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1609880406.368470","full_log":"Jan 05 2021 23:55:45 x.x.x.x : %ASA-4-106023: Deny tcp src outsid:x.x.x.x/2439 dst Inside:x.x.x.x/55736 by access-group \"outsid_access_in\" [0x0, 0x0]","decoder":{"name":"cisco-asa"},"location":"x.x.x.x"}
The following are some of my Cisco logs:
%ASA-4-106023: Deny icmp src outsid:x.x.x.x dst Inside:x.x.x.x (type 3, code 13) by access-group "outsid_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outsid:x.x.x.x/4364 dst Inside:x.x.x.x/48916 by access-group "outsid_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outsid:x.x.x.x/19895 dst Inside:x.x.x.x/55736 by access-group "outsid_access_in" [0x0, 0x0]
%ASA-2-106017: Deny IP due to Land Attack from x.x.x.x to x.x.x.x
YNWA.
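As an added example, not part of the original post and not Wazuh's own cisco-asa decoder, here is a small Python decoder that pulls out the same fields ossec-logtest shows (id, action, protocol, srcip, srcport, dstip, dstport) from the message formats quoted above: the tcp/udp form with A.B.C.D/port, the ICMP form without ports but with type/code, the 106017 land-attack form, and a line carrying the syslog prefix seen in full_log. The sample lines and the addresses in them are constructed placeholders; the regexes, field names beyond those in the logtest output (srcif, dstif, acl, icmptype, icmpcode) and the helper names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the ASA messages quoted in the post.
# Addresses are documentation ranges standing in for the x.x.x.x placeholders.
SAMPLE_LOGS = [
    # with the syslog prefix that appears in the alerts.json full_log field
    'Jan 05 2021 23:55:45 10.0.0.1 : %ASA-4-106023: Deny tcp src outsid:192.0.2.10/2439 '
    'dst Inside:198.51.100.5/55736 by access-group "outsid_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outsid:192.0.2.10 dst Inside:198.51.100.5 '
    '(type 3, code 13) by access-group "outsid_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src outsid:192.0.2.10/4364 dst Inside:198.51.100.5/48916 '
    'by access-group "outsid_access_in" [0x0, 0x0]',
    '%ASA-2-106017: Deny IP due to Land Attack from 198.51.100.5 to 198.51.100.5',
]

# %ASA-<severity>-<message id>: <body>; searched, not anchored, so a syslog
# prefix in front of the message is ignored.
HEADER_RE = re.compile(r'%ASA-(?P<severity>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$')

# 106023: Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>]
#         [(type N, code M)] by access-group "<acl>" ...
# The port groups are optional so the ICMP form (no ports) decodes too.
ACL_DENY_RE = re.compile(
    r'^(?P<action>Deny)\s+(?P<protocol>\w+)\s+'
    r'src\s+(?P<srcif>[^:\s]+):(?P<srcip>[^\s/]+)(?:/(?P<srcport>\d+))?\s+'
    r'dst\s+(?P<dstif>[^:\s]+):(?P<dstip>[^\s/]+)(?:/(?P<dstport>\d+))?'
    r'(?:\s+\(type\s+(?P<icmptype>\d+),\s+code\s+(?P<icmpcode>\d+)\))?'
    r'\s+by\s+access-group\s+"(?P<acl>[^"]+)"'
)

# 106017: Deny IP due to Land Attack from <ip> to <ip> (src and dst are equal
# by definition of a land attack, so there are no ports or interfaces here).
LAND_RE = re.compile(r'^Deny IP due to Land Attack from (?P<srcip>\S+) to (?P<dstip>\S+)$')


def decode_asa(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields for one ASA line, or None if it is not an ASA message.

    Field names mirror the ossec-logtest phase-2 output in the post
    (id, action, protocol, srcip, srcport, dstip, dstport); extra fields are my own.
    """
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = {'decoder': 'cisco-asa',
              'id': f"{m.group('severity')}-{m.group('msgid')}"}
    body = m.group('body')
    if m.group('msgid') == '106023':
        b = ACL_DENY_RE.match(body)
    elif m.group('msgid') == '106017':
        b = LAND_RE.match(body)
        if b:
            fields['action'] = 'Deny'
    else:
        b = None
    if b:
        # drop the optional groups that did not match (e.g. ports on ICMP)
        fields.update({k: v for k, v in b.groupdict().items() if v is not None})
    return fields


def missing_ip_fields(lines: List[str]) -> List[str]:
    """Lines that decode as ASA messages but come out without srcip or dstip.

    This is the symptom the post describes in alerts.json; an empty list means
    every sample line yielded both addresses.
    """
    bad = []
    for line in lines:
        fields = decode_asa(line)
        if fields is not None and not ({'srcip', 'dstip'} <= fields.keys()):
            bad.append(line)
    return bad


def deny_counts_by_src(lines: List[str]) -> Dict[str, int]:
    """Count Deny events per source address, the usual first pivot on ACL-deny noise."""
    counts: Dict[str, int] = {}
    for line in lines:
        fields = decode_asa(line) or {}
        if fields.get('action') == 'Deny' and 'srcip' in fields:
            counts[fields['srcip']] = counts.get(fields['srcip'], 0) + 1
    return counts


if __name__ == '__main__':
    for sample in SAMPLE_LOGS:
        print(decode_asa(sample))
    print('lines without srcip/dstip:', missing_ip_fields(SAMPLE_LOGS))
    print('denies by source:', deny_counts_by_src(SAMPLE_LOGS))
```

The regexes deliberately make the `/port` and `(type N, code M)` parts optional rather than writing one pattern per protocol, so a single pattern covers the tcp, udp and icmp variants of 106023; anything that is not an ASA message returns None instead of a partially filled record.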