Thanks for the reply Jan.
There are currently no extractors on the input or any associated pipelines.
This is a new input.
Like I mentioned before another Cisco device is processing properly where Graylog is assuming the time it extracts as UTC. Funny thing is the FirePower module message format is nearly identical to the ASA with the exception of the year is missing in the timestamp.
ASA message:
<157>Mar 28 2019 11:19:38 ASA : %ASA-5-611103: User logged out: Uname: user
Has Graylog timestamp of:
2019-03-28T11:19:38.175Z
Could the missing year be causing an issue?