Error fortinet module - 7.17.3

Hi guys,
Actually, I tried to parse FortiGate firewall logs with the Filebeat module; however, I'm getting strange input values in the documents.

Looking at the pipeline, it is something related to the timezone. I've tried to change the timezone with add_fields and drop_fields, but nothing works.

I would appreciate it if someone can help me.

Thanks.

fortinet.yml (I'm passing the logs directly)

- module: fortinet
  firewall:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 5115

Logs example:

<189>date=2022-07-21 time=17:34:39 devname=\"FW1_GROOT\" devid=\"FGT6HD3916\" eventtime=1658442880237036821 tz=\"-0500\" logid=\"0000000020\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"VD_INTERNET\" srcip=10.105.117.130 srcport=49549 srcintf=\"ssl.VD_INTERNET\" srcintfrole=\"undefined\" dstip=172.16.4.232 dstport=8080 dstintf=\"VPN_CDC\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=789869027 proto=6 action=\"accept\" policyid=284 policytype=\"policy\" poluuid=\"a018d544-e126-51ec-baa1-52b34e72c70f\" policyname=\"CX_VPNSSL->S\" user=\"ljyara\" group=\"GRP_USER\" service=\"TCP/8080\" trandisp=\"noop\" duration=121 sentbyte=6331 rcvdbyte=48477 sentpkt=36 rcvdpkt=52 vpn=\"VPN_CDC\" vpntype=\"ipsec-static\" appcat=\"unscanned\" sentdelta=6331 rcvddelta=48477"

Error:

"error": {
  "message": "Invalid ID for region-based ZoneId, invalid format: \"-0500\""
},

When I try to test the pipeline, this is the result.
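An added example, not code from the original post or from the Filebeat fortinet module: a small Python parser for the key=value format of the FortiGate line above. The sample line is constructed from the one in the post and assumes the backslash-escaped quotes are literally what the collector receives. The normalize_tz function strips leftover quote characters before the offset is used; the error message in the post shows the offset still wrapped in quotes, and a value that does not begin with + or - is treated as a region name by a Java ZoneId parser, which is what that message reports. The function names and the regular expressions are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the line in the post: string values arrive
# with backslash-escaped quotes and the line carries a syslog PRI prefix.
SAMPLE_LINE = (
    '<189>date=2022-07-21 time=17:34:39 devname=\\"FW1_GROOT\\" devid=\\"FGT6HD3916\\" '
    'eventtime=1658442880237036821 tz=\\"-0500\\" logid=\\"0000000020\\" type=\\"traffic\\" '
    'subtype=\\"forward\\" srcip=10.105.117.130 srcport=49549 dstip=172.16.4.232 '
    'dstport=8080 proto=6 action=\\"accept\\" policyid=284 sentbyte=6331 rcvdbyte=48477'
)

# key=value pairs: a value is either a (possibly backslash-escaped) quoted
# string or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=(?:\\?"([^"]*?)\\?"|(\S+))')
_PRI_RE = re.compile(r'^<(\d{1,3})>')
# Numeric UTC offset as FortiGate writes it (-0500) or with a colon (-05:00).
_TZ_RE = re.compile(r'^([+-])(\d{2}):?(\d{2})$')


def parse_fortigate(line):
    """Split a FortiGate syslog line into its PRI value and a dict of fields."""
    pri = None
    m = _PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        line = line[m.end():]
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return pri, fields


def normalize_tz(raw):
    """Return a FortiGate tz value in the +HH:MM form a zone-offset parser accepts.

    Quote and backslash characters left over from escaping are stripped first:
    a value such as '"-0500"' does not start with + or -, so a Java ZoneId
    parser treats it as a region name and rejects it. Anything that is not a
    numeric offset raises ValueError instead of being passed on.
    """
    cleaned = raw.strip().strip('\\"')
    m = _TZ_RE.match(cleaned)
    if not m:
        raise ValueError("not a numeric UTC offset: %r" % raw)
    sign, hh, mm = m.groups()
    if int(hh) > 18 or int(mm) > 59:
        raise ValueError("offset out of range: %r" % raw)
    return "%s%s:%s" % (sign, hh, mm)


def event_timestamp(fields):
    """Combine date, time and tz into an aware datetime and return it in UTC."""
    offset = normalize_tz(fields["tz"])
    local = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    sign = 1 if offset[0] == "+" else -1
    delta = timedelta(hours=int(offset[1:3]), minutes=int(offset[4:6])) * sign
    return local.replace(tzinfo=timezone(delta)).astimezone(timezone.utc)


def eventtime_utc(fields):
    """eventtime is nanoseconds since the epoch; convert it without float loss."""
    ns = int(fields["eventtime"])
    base = datetime.fromtimestamp(ns // 10**9, tz=timezone.utc)
    return base + timedelta(microseconds=(ns % 10**9) // 1000)


if __name__ == "__main__":
    pri, fields = parse_fortigate(SAMPLE_LINE)
    print("PRI:", pri)
    print("tz as parsed:", repr(fields["tz"]), "->", normalize_tz(fields["tz"]))
    print("date/time/tz in UTC:", event_timestamp(fields).isoformat())
    print("eventtime in UTC:   ", eventtime_utc(fields).isoformat())
```

Running the block on the sample prints the two UTC timestamps side by side; they differ by one second because eventtime records when the session was evaluated and date/time when the record was written, which is a useful sanity check that the offset was applied in the right direction.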
