Originally reported in https://discuss.elastic.co/t/cisco-module-arbitrary-parse-error-with-nearly-identical-messages/214884.

When the Filebeat (X-Pack) cisco/ios fileset is enabled and it encounters the following log line:

Jan 13 18:12:31 RO-ROM-VPN-KYOSA 022084: Jan 13 18:12:35.141 LCY: %SEC-6-IPACCESSLOGP: list 101 denied tcp 120.131.176.111(7133) -> 170.257.123.53(7547), 1 packet  

It fails with the following error:

GoError: failed in processor.convert: conversion of field [event.sequence] to type [long] failed: unable to convert value [022084]: strconv.ParseInt: parsing "022084": invalid syntax

However, parsing succeeds with a very similar line:

Jan 13 17:12:30 RO-ROM-VPN-KYOSA 021176: Jan 13 17:12:33.168 LCY: %SEC-6-IPACCESSLOGP: list 101 denied tcp 191.128.99.50(43651) -> 170.257.123.53(9943), 1 packet

Looking at the Cisco module source code, I believe this is where the failure is coming from:

Specifically, that bit of code tries to parse the sequence number string as an integer. It sees the leading 0 and tries to parse the string that follows as an octal (base 8) number. Since base 8 numbers can only have digits 0-7 in them, parsing of 022084 fails but parsing of 021176 succeeds.

I think the intent here is to parse the sequence number as a decimal (base 10) number.