
[Cisco ASA]: Event code 302020 has source and destination swapped for inbound connection #16716

@minars2

Description


Integration Name

Cisco ASA [cisco_asa]

Dataset Name

No response

Integration Version

2.44.1

Agent Version

9.2.3

Agent Output Type

elasticsearch

Elasticsearch Version

9.2.2

OS Version and Architecture

RHEL 9

Software/API Version

No response

Error Message

No response

Event Original

%ASA-6-302020: Built inbound ICMP connection for faddr /0 gaddr /0 laddr /0

What did you do?

The integration is just configured to take in logs from a syslog server and process them. We have a custom pipeline that runs after it to pull some additional information we use and to enrich with some source/destination geo and hostnames.

What did you see?

Since the message notes that it is an "Inbound" connection, the first IP in the log should be the source; on an "Outbound" connection the first IP would be the destination, per this documentation: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/asa-syslog/syslog-messages-302003-to-342008.html#con_4770808

What did you expect to see?

I expect to see the first IP as the source and the second IP as the destination. This is based on the direction, though, so if there is an "Outbound" connection then the first IP should be the destination and the second IP the source, as it currently is.

Anything else?

No response
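As an added example (not code from this issue or from the cisco_asa integration), the direction-dependent mapping the report asks for, applied to constructed 302020 lines, plus a check that flags a pipeline output whose source and destination are the reverse of that mapping. The sample addresses are RFC 5737 documentation addresses and the ECS-style field names are an assumption; the third sample line mirrors the redacted form shown in the issue.

```python
import re
from typing import Optional

# Pattern for the ASA 302020 "Built ... ICMP connection" message. The address
# groups allow an empty value so a redacted line such as "faddr /0" still parses.
_BUILT_302020 = re.compile(
    r"%ASA-\d-302020: Built (?P<direction>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>\S*)/(?P<fid>\d+) gaddr (?P<gaddr>\S*)/(?P<gid>\d+) "
    r"laddr (?P<laddr>\S*)/(?P<lid>\d+)"
)

# Constructed sample lines using RFC 5737 documentation addresses (not real traffic).
SAMPLE_LINES = [
    "%ASA-6-302020: Built inbound ICMP connection for faddr 198.51.100.7/0 "
    "gaddr 203.0.113.10/0 laddr 192.0.2.25/0",
    "%ASA-6-302020: Built outbound ICMP connection for faddr 198.51.100.7/0 "
    "gaddr 203.0.113.10/0 laddr 192.0.2.25/0",
    "%ASA-6-302020: Built inbound ICMP connection for faddr /0 gaddr /0 laddr /0",
]

def map_302020(line: str) -> Optional[dict]:
    """Assign source/destination by direction, as the issue expects:
    inbound  -> faddr (first IP) is the source, laddr the destination;
    outbound -> faddr is the destination, laddr the source.
    Returns None for lines that are not a 302020 message."""
    m = _BUILT_302020.search(line)
    if m is None:
        return None
    f = m.groupdict()
    if f["direction"] == "inbound":
        src, dst = f["faddr"], f["laddr"]
    else:
        src, dst = f["laddr"], f["faddr"]
    # Field names follow an ECS-like convention; this is an assumption, not the
    # integration's actual mapping. gaddr (the translated address) is kept as-is.
    return {
        "direction": f["direction"],
        "source.ip": src,
        "destination.ip": dst,
        "nat.ip": f["gaddr"],
    }

def is_swapped(line: str, parsed_src: str, parsed_dst: str) -> bool:
    """True when an existing pipeline's source/destination for this line are the
    reverse of the expected mapping (and the two addresses actually differ)."""
    expected = map_302020(line)
    if expected is None:
        return False
    return ((parsed_src, parsed_dst) == (expected["destination.ip"], expected["source.ip"])
            and expected["source.ip"] != expected["destination.ip"])
```

Running `is_swapped` over a sample of already-indexed events and their `event.original` gives a quick count of how many 302020 documents the current pipeline has reversed.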

Metadata


Assignees

No one assigned

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
