Filebeat Fortinet Default Ingest Pipeline fails

I have multiple Fortinet devices pushing logs to a collector running Filebeat 7.8.0 with the Fortinet module enabled. All of the logs are being ingested but the pipeline fails at decoding/normalizing the timestamps.

I get the following error:

Text '2020-06-26 13:39:00Z' could not be parsed, unparsed text found at index 19

It appears to be an issue with how the _temp.time field is processed by the Ingest Pipeline, but I have not been able to isolate the issue.

I have the same issue. What version of the FortiOS firmware are you running?

I'm having the same issue and error message with the timestamp normalizing, on FortiOS 6.2.

Also, the fields are coming through as all 'fortinet.firewall.' instead of the proper ECS equivalent, i.e., instead of 'source.ip' I'm getting 'fortinet.firewall.srcip'.

@Mercwri @Derick_Jansen @tdanno

Could anyone provide a log sample? I have merged some changes for timestamp parsing that should be included in the next release.


If you want to test it, you can modify the pipeline.yml or the pipeline on elasticsearch with the changes here:

If you look at the date processors here they might have added a third format or something similar to support this.
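The error in the original post ("unparsed text found at index 19") is what a date processor reports when its pattern consumes `2020-06-26 13:39:00` and is left with the trailing `Z`. The following is an added illustration, not the Filebeat Fortinet module's pipeline or any code from the thread: it imitates an ingest `date` processor that tries an ordered list of formats, shows why the single space-separated pattern stops at index 19, and shows how an additional zone-aware format accepts the `Z` and offset variants. The format list and sample values are constructed for the example; treat them as an assumption about how a fixed pipeline might look, not as the actual change referenced above.

```python
"""Simulate an Elasticsearch ingest "date" processor's ordered format list.

Added example (not Filebeat's or Elastic's code). The FORMATS list is an
assumption built to mirror the failure in the thread; Python strptime
directives stand in for the Java-style patterns an ingest pipeline uses.
"""
import re
from datetime import datetime, timezone

# Formats tried in order, like the "formats" array of a date processor.
# The first mirrors a pattern with no zone designator and therefore
# rejects the trailing "Z"; the second accepts "Z" or "+HHMM" (Python 3.7+).
FORMATS = [
    "%Y-%m-%d %H:%M:%S",      # no zone: leaves "Z" unparsed at index 19
    "%Y-%m-%d %H:%M:%S%z",    # zone-aware: accepts "...:00Z", "...:00+0200"
    "%Y-%m-%dT%H:%M:%S%z",    # ISO 8601 with "T" separator
]

_REMAIN = re.compile(r"unconverted data remains: (.*)$")


def unparsed_index(value, fmt):
    """Return the index at which `fmt` stops matching `value`, or None when
    the whole string parses. Mirrors the pipeline's "unparsed text found at
    index N" diagnostic; 0 means the value has a different shape entirely."""
    try:
        datetime.strptime(value, fmt)
        return None
    except ValueError as exc:
        match = _REMAIN.search(str(exc))
        if match:
            return len(value) - len(match.group(1))
        return 0


def parse_with_formats(value, formats=FORMATS):
    """Try each format in order and return (datetime in UTC, format used).

    A value with no zone information is taken as UTC, which is the date
    processor's default timezone when none is configured."""
    errors = []
    for fmt in formats:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError as exc:
            errors.append(f"{fmt}: {exc}")
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc), fmt
    raise ValueError(f"{value!r} could not be parsed: " + "; ".join(errors))


def to_timestamp(value):
    """Normalise a Fortinet-style time string to the ISO 8601 UTC form that
    a pipeline would write into @timestamp."""
    parsed, _ = parse_with_formats(value)
    return parsed.strftime("%Y-%m-%dT%H:%M:%S.000Z")


if __name__ == "__main__":
    # Constructed sample matching the value quoted in the error message.
    sample = "2020-06-26 13:39:00Z"
    print("index where the zone-less format stops:", unparsed_index(sample, FORMATS[0]))
    print("format that accepted it:", parse_with_formats(sample)[1])
    print("@timestamp:", to_timestamp(sample))
```

Running the script shows the first format stopping at index 19 while the second one parses the value, and an offset such as `+0200` is converted to UTC on the way into `@timestamp`. In a real pipeline the same effect comes from listing the extra pattern in the processor's `formats` array rather than editing parser code; the order matters, since the first format that fully matches wins.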

The revised pipeline appears to have resolved the timestamp processing.

Thanks for confirming! :grin: