Hi guys,
Actually, I tried to parse FortiGate firewall logs with the Filebeat module; however, I'm getting strange input values in the documents.
Looking at the pipeline, it is something related to the timezone. I've tried to change the timezone with add_fields and drop_fields, but nothing works.
I'd appreciate it if someone can help me.
Thanks.
fortinet.yml (I'm passing the logs directly)
- module: fortinet
  firewall:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 5115
Log example:
<189>date=2022-07-21 time=17:34:39 devname=\"FW1_GROOT\" devid=\"FGT6HD3916\" eventtime=1658442880237036821 tz=\"-0500\" logid=\"0000000020\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"VD_INTERNET\" srcip=10.105.117.130 srcport=49549 srcintf=\"ssl.VD_INTERNET\" srcintfrole=\"undefined\" dstip=172.16.4.232 dstport=8080 dstintf=\"VPN_CDC\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=789869027 proto=6 action=\"accept\" policyid=284 policytype=\"policy\" poluuid=\"a018d544-e126-51ec-baa1-52b34e72c70f\" policyname=\"CX_VPNSSL->S\" user=\"ljyara\" group=\"GRP_USER\" service=\"TCP/8080\" trandisp=\"noop\" duration=121 sentbyte=6331 rcvdbyte=48477 sentpkt=36 rcvdpkt=52 vpn=\"VPN_CDC\" vpntype=\"ipsec-static\" appcat=\"unscanned\" sentdelta=6331 rcvddelta=48477"
Error:
"error": {
"message": "Invalid ID for region-based ZoneId, invalid format: \\\\\\\\\\\\\\\"-0500\\\\\\\\\\\\\\\""
},
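The error quoted above says the pipeline tried to use the value of `tz` (`-0500`) as a region-based ZoneId; `-0500` is a numeric UTC offset, not a region name. The following is an added example, not code from the post or from the Filebeat Fortinet module, that parses a FortiGate syslog line of the shape shown above, treats `tz` as an offset, combines `date`, `time` and `tz` into a UTC timestamp, and cross-checks it against the `eventtime` field (epoch nanoseconds). The sample line is constructed from the one in the post with the JSON escaping (`\"`) removed, as it would arrive on the wire; the field and function names are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the post's log line with the \" escaping removed and a
# few fields dropped for brevity.
SAMPLE = (
    '<189>date=2022-07-21 time=17:34:39 devname="FW1_GROOT" devid="FGT6HD3916" '
    'eventtime=1658442880237036821 tz="-0500" logid="0000000020" type="traffic" '
    'subtype="forward" level="notice" vd="VD_INTERNET" srcip=10.105.117.130 '
    'srcport=49549 dstip=172.16.4.232 dstport=8080 proto=6 action="accept" '
    'policyid=284 policyname="CX_VPNSSL->S" user="ljyara" service="TCP/8080" '
    'sentbyte=6331 rcvdbyte=48477'
)

PRI_RE = re.compile(r'^<(\d{1,3})>')                       # syslog <PRI> prefix
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')       # key=value or key="quoted value"
OFFSET_RE = re.compile(r'^([+-])(\d{2}):?(\d{2})$')        # -0500, +0530, -05:00


def parse_offset(tz_str):
    """Turn a numeric offset such as -0500 into a tzinfo.

    This is the value the ingest pipeline rejected as a region ID; it is an
    offset from UTC, so it must be handled as one.
    """
    m = OFFSET_RE.match(tz_str)
    if not m:
        raise ValueError(f"not a numeric UTC offset: {tz_str!r}")
    sign = 1 if m.group(1) == '+' else -1
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return timezone(sign * delta)


def parse_fortigate(line):
    """Split a FortiGate syslog line into a dict of its key=value fields."""
    fields = {}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fields['syslog_facility'] = pri // 8   # 189 -> 23 (local7)
        fields['syslog_severity'] = pri % 8    # 189 -> 5 (notice)
        line = line[m.end():]
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')   # strip quotes, unescape inner quotes
        fields[key] = raw
    return fields


def event_timestamp(fields):
    """Combine date, time and tz into a timezone-aware UTC datetime."""
    local = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=parse_offset(fields['tz'])).astimezone(timezone.utc)


def eventtime_utc(fields):
    """Decode the eventtime field (epoch nanoseconds) as a UTC datetime."""
    ns = int(fields['eventtime'])
    return datetime.fromtimestamp(ns // 1_000_000_000, tz=timezone.utc)


if __name__ == "__main__":
    f = parse_fortigate(SAMPLE)
    ts = event_timestamp(f)
    print("facility/severity:", f['syslog_facility'], f['syslog_severity'])
    print("date+time+tz as UTC:", ts.isoformat())
    print("eventtime as UTC:   ", eventtime_utc(f).isoformat())
    print("action/policy:", f['action'], f['policyname'])
```

Running it on the sample shows that `date`/`time` interpreted in `-0500` and `eventtime` agree to within a second, which is a useful sanity check when debugging which field a pipeline should take its timestamp from.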