The app was updated a couple of months after the initial question.

- Subject is aliased to CIM
- DCID destination IPs are mapped correctly
- For delivered messages, the delivery IP is labeled as del_ip_address (Khoros doesn't allow new inline code blocks, but previous posts retain them)
- The internal_message_id is extracted for all related logs
There are still other issues with SPF, DKIM, and DMARC parsing, with subject and filename decoding, and with fields that Cisco truncates to 1024 bytes (the syslog output is then the syslog header length plus the 1024 bytes of data).

I believe that Cisco will soon include an option to output JSON logs from the ESA appliances, which may alleviate many of these ESA log parsing issues.

I recommend looking at Jorrit Folmer's app that wraps the messages into a summary. It summarizes almost all of the log lines for each message into a single line that can be searched against using multiple criteria, without the heavy invocation of transaction that the Cisco ESA app defaults to.
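As an added example (not code from the original post, from the Cisco ESA app, or from Jorrit Folmer's app), the following Python folds ESA-style mail log lines into one summary record per MID, the way the post describes: it maps ICID/DCID to source and destination IPs, labels the delivery IP as del_ip_address, pulls the SPF/DKIM/DMARC verdicts, decodes an RFC 2047 encoded-word Subject, and flags a Subject that looks cut at the 1024-byte field limit. The sample log lines are constructed to resemble ESA mail_logs and are not real appliance output; the exact line formats, the regexes, and the assumption that a truncated field arrives as exactly 1024 bytes with its closing quote missing are all assumptions.

```python
import re
from collections import defaultdict
from email.header import decode_header

# Cisco ESA cuts long field values at 1024 bytes (per the post above).
ESA_FIELD_LIMIT = 1024

# Constructed sample lines approximating Cisco ESA mail_logs for one message.
# They are illustrative only, not real appliance output.
SAMPLE_LOG = """\
Mon Jan  1 10:00:01 2024 Info: New SMTP ICID 100 interface Data1 (10.0.0.5) address 198.51.100.7 reverse dns host mx.example.net verified yes
Mon Jan  1 10:00:01 2024 Info: Start MID 5001 ICID 100
Mon Jan  1 10:00:01 2024 Info: MID 5001 ICID 100 From: <alice@example.net>
Mon Jan  1 10:00:01 2024 Info: MID 5001 ICID 100 RID 0 To: <bob@example.com>
Mon Jan  1 10:00:02 2024 Info: MID 5001 Subject '=?UTF-8?B?UmVjaGVyY2hlIMOpdHVkaWFudA==?='
Mon Jan  1 10:00:02 2024 Info: MID 5001 Message-ID '<abc123@example.net>'
Mon Jan  1 10:00:02 2024 Info: MID 5001 SPF: mailfrom identity alice@example.net Pass
Mon Jan  1 10:00:02 2024 Info: MID 5001 DKIM: pass signature verified (d=example.net s=sel i=@example.net)
Mon Jan  1 10:00:02 2024 Info: MID 5001 DMARC: Message from domain example.net, DMARC pass
Mon Jan  1 10:00:03 2024 Info: New SMTP DCID 300 interface 10.0.0.5 address 203.0.113.9 port 25
Mon Jan  1 10:00:03 2024 Info: Delivery start DCID 300 MID 5001 to RID [0]
Mon Jan  1 10:00:04 2024 Info: Message done DCID 300 MID 5001 to RID [0]
Mon Jan  1 10:00:04 2024 Info: MID 5001 RID [0] Response '250 2.0.0 OK'
Mon Jan  1 10:00:04 2024 Info: Message finished MID 5001 done
"""
# A second constructed message whose encoded Subject was cut at the 1024-byte
# field limit (assumption): the '?=' terminator and closing quote never arrived.
_LONG_SUBJECT = "=?UTF-8?B?" + "QUFB" * 300 + "?="
SAMPLE_LOG += "Mon Jan  1 10:01:00 2024 Info: MID 5002 Subject '" + _LONG_SUBJECT[:ESA_FIELD_LIMIT] + "\n"

# Assumed line shapes; adjust to the mail_logs format your appliance emits.
PATTERNS = {
    "icid_new": re.compile(r"New SMTP ICID (?P<icid>\d+) interface \S+ \(\S+\) address (?P<ip>\S+)"),
    "dcid_new": re.compile(r"New SMTP DCID (?P<dcid>\d+) interface \S+ address (?P<ip>\S+)"),
    "from":     re.compile(r"MID (?P<mid>\d+) ICID (?P<icid>\d+) From: <(?P<addr>[^>]*)>"),
    "to":       re.compile(r"MID (?P<mid>\d+) ICID \d+ RID \d+ To: <(?P<addr>[^>]*)>"),
    "subject":  re.compile(r"MID (?P<mid>\d+) Subject '(?P<val>.*?)'?$"),
    "msgid":    re.compile(r"MID (?P<mid>\d+) Message-ID '(?P<val>.*?)'?$"),
    "spf":      re.compile(r"MID (?P<mid>\d+) SPF: \w+ identity \S+ (?P<verdict>\w+)"),
    "dkim":     re.compile(r"MID (?P<mid>\d+) DKIM: (?P<verdict>\w+)"),
    "dmarc":    re.compile(r"MID (?P<mid>\d+) DMARC: .*DMARC (?P<verdict>\w+)"),
    "delivery": re.compile(r"Delivery start DCID (?P<dcid>\d+) MID (?P<mid>\d+)"),
    "response": re.compile(r"MID (?P<mid>\d+) RID \[\d+\] Response '(?P<val>.*?)'?$"),
}


def decode_subject(raw):
    """Decode RFC 2047 encoded-words in a logged Subject; unparseable input is kept as-is."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def field_truncated(value, line):
    """A quoted field that reaches the 1024-byte limit, or whose closing quote
    is missing from the line, is probably incomplete."""
    return len(value.encode("utf-8")) >= ESA_FIELD_LIMIT or not line.rstrip().endswith("'")


def new_record():
    return {"from": None, "to": [], "subject": None, "subject_truncated": False,
            "message_id": None, "src_ip": None, "del_ip_address": None,
            "spf": None, "dkim": None, "dmarc": None, "response": None}


def summarize(log_text):
    """Fold the per-MID lines into one summary record per message, i.e. the
    one-row-per-message shape the post recommends, without a transaction search."""
    icid_ip = {}   # ICID -> connecting (source) IP
    dcid_ip = {}   # DCID -> destination IP, later labelled del_ip_address
    msgs = defaultdict(new_record)
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            g = m.groupdict()
            if kind == "icid_new":
                icid_ip[g["icid"]] = g["ip"]
            elif kind == "dcid_new":
                dcid_ip[g["dcid"]] = g["ip"]
            elif kind == "from":
                msgs[g["mid"]]["from"] = g["addr"]
                msgs[g["mid"]]["src_ip"] = icid_ip.get(g["icid"])
            elif kind == "to":
                msgs[g["mid"]]["to"].append(g["addr"])
            elif kind == "subject":
                rec = msgs[g["mid"]]
                rec["subject_truncated"] = field_truncated(g["val"], line)
                rec["subject"] = decode_subject(g["val"])
            elif kind == "msgid":
                msgs[g["mid"]]["message_id"] = g["val"]
            elif kind in ("spf", "dkim", "dmarc"):
                msgs[g["mid"]][kind] = g["verdict"]
            elif kind == "delivery":
                msgs[g["mid"]]["del_ip_address"] = dcid_ip.get(g["dcid"])
            elif kind == "response":
                msgs[g["mid"]]["response"] = g["val"]
            break
    return dict(msgs)


if __name__ == "__main__":
    for mid, rec in summarize(SAMPLE_LOG).items():
        print(mid, rec)
```

The DCID-to-IP map is what lets a delivery line, which only names the DCID, be labelled with the destination IP; the same two-pass idea (connection lines first, message lines keyed on them) is what the summary-style app does in one searchable event instead of a transaction. The truncation check is deliberately conservative: an encoded-word Subject cut before its `?=` terminator cannot be decoded, so it is kept raw and flagged rather than silently mangled.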