### tested on logstash 1.4.2
input {
  file {
    path => "/var/log/collection/asa/*"
    type => "asa"
  }
}
########################################
filter {
  if [type] == "asa" {
    # Split the syslog part and Cisco tag out of the message
    grok {
      match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
    }
    # Parse the syslog severity and facility
    syslog_pri { }

    # Parse the date from the "timestamp" field to the "@timestamp" field
    # 2015-05-01T00:00:00+02:00 is ISO8601
    grok {
      match => ["message", "%{TIMESTAMP_ISO8601:timestamp}"]
    }

 date {
      #2015-05-01T00:00:00+02:00
      match => ["timestamp",
        "yyyy-MM-dd'T'HH:mm:ssZ"
#        "yyyy MM dd HH:mm:ss",
        ]
      #timezone => "Europe/Paris"
      }

    # Clean up redundant fields if parsing was successful
    if "_grokparsefailure" not in [tags] {
      mutate {
        rename => ["cisco_message", "message"]
        remove_field => ["timestamp"]
      }
    }

    # Extract fields from the each of the detailed message types
    grok {
      match => [
        "message", "%{CISCOFW106001}",
        "message", "%{CISCOFW106006_106007_106010}",
        "message", "%{CISCOFW106014}",
        "message", "%{CISCOFW106015}",
        "message", "%{CISCOFW106021}",
        "message", "%{CISCOFW106023}",
        "message", "%{CISCOFW106100}",
        "message", "%{CISCOFW110002}",
        "message", "%{CISCOFW302010}",
        "message", "%{CISCOFW302013_302014_302015_302016}",
        "message", "%{CISCOFW302020_302021}",
        "message", "%{CISCOFW305011}",
        "message", "%{CISCOFW313001_313004_313008}",
        "message", "%{CISCOFW313005}",
        "message", "%{CISCOFW402117}",
        "message", "%{CISCOFW402119}",
        "message", "%{CISCOFW419001}",
        "message", "%{CISCOFW419002}",
        "message", "%{CISCOFW500004}",
        "message", "%{CISCOFW602303_602304}",
        "message", "%{CISCOFW710001_710002_710003_710005_710006}",
        "message", "%{CISCOFW713172}",
        "message", "%{CISCOFW733100}"
      ]
    }
  }
  geoip {
    source => "dst_ip"
    database => "/opt/GeoLiteCity.dat" ### Change me to location of GeoLiteCity.dat file
    target => "dst_geoip"
  }
  geoip {
    source => "src_ip"
    database => "/opt/GeoLiteCity.dat" ### Change me to location of GeoLiteCity.dat file
    target => "src_geoip"
  }
  mutate {
    convert => [ "[src_geoip][coordinates]", "float" ]
  }  
}
########################################
output {
  if [type] == "asa" {
    elasticsearch {
      host => "192.168.0.5" ### Change me to the Elasticsearch IP or Fqdn
      protocol => "http"
      index => "asa-%{+YYYY.MM.dd}"
    }
  }
}