Filebeat Fortinet Default Ingest Pipeline fails

I have multiple Fortinet devices pushing logs to a collector running Filebeat 7.8.0 with the Fortinet module enabled. All of the logs are being ingested but the pipeline fails at decoding/normalizing the timestamps.

I get the following error:

Text '2020-06-26 13:39:00Z' could not be parsed, unparsed text found at index 19

It appears to be an issue with how the _temp.time field is processed by the Ingest Pipeline, but I have not been able to isolate the issue.

I have the same issue. What version of the FortiOS firmware are you running?

I'm having the same issue and error message with the timestamp normalizing, on FortiOS 6.2.

Also, the fields are coming through as all 'fortinet.firewall.' instead of the proper ECS equivalent, i.e., instead of 'source.ip' I'm getting 'fortinet.firewall.srcip'.

@Mercwri @Derick_Jansen @tdanno

Could anyone provide a log sample? I have merged some changes for timestamp parsing that should be included in the next release.

Ref: https://github.com/elastic/beats/issues/19154
https://github.com/elastic/beats/issues/19010
https://github.com/elastic/beats/issues/18707

If you want to test it, you can modify the pipeline.yml or the pipeline on elasticsearch with the changes here:

If you look at the date processors here they might have added a third format or something similar to support this.
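To make the failure in this thread concrete, here is an added example (not code from the original posts, Filebeat, or the Elastic beats repository) that models what an ingest date processor does: it tries an ordered list of formats and fails if none consumes the whole string. The sample value is the one quoted in the error above; the format lists are assumptions written as Python strptime patterns rather than the Java patterns Elasticsearch uses, with the first list standing in for a pattern that has no zone designator and the second adding a zone-aware fallback.

```python
from datetime import datetime, timezone

# Constructed sample, taken from the error text quoted in this thread: the
# _temp.time value ends in a literal 'Z' (UTC designator).
SAMPLE_TIME = "2020-06-26 13:39:00Z"

# Assumed format lists. These are Python strptime patterns, not the Java
# patterns the real ingest pipeline uses; they illustrate the same mechanism.
ORIGINAL_FORMATS = ["%Y-%m-%d %H:%M:%S"]                      # no zone: rejects the 'Z'
REVISED_FORMATS = ["%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M:%S%z"]  # zone-aware fallback added


def unparsed_index(value, fmt):
    """Return the index at which `fmt` stops consuming `value`, or None if the
    whole string is consumed. Mirrors the 'unparsed text found at index N'
    wording of the Java formatter error in the thread."""
    try:
        datetime.strptime(value, fmt)
        return None
    except ValueError as exc:
        prefix = "unconverted data remains: "
        msg = str(exc)
        if msg.startswith(prefix):
            return len(value) - len(msg[len(prefix):])
        # Any other failure: the pattern did not match from the start.
        return 0


def parse_temp_time(value, formats, default_tz=timezone.utc):
    """Mimic a date processor: try each format in order and return the first
    match as a timezone-aware datetime normalized to UTC. Values without a
    zone designator are assumed to be in `default_tz` (an assumption; the real
    pipeline takes this from its own timezone setting)."""
    errors = []
    for fmt in formats:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError as exc:
            errors.append(f"{fmt!r}: {exc}")
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=default_tz)
        return parsed.astimezone(timezone.utc)
    raise ValueError(f"{value!r} could not be parsed: " + "; ".join(errors))


if __name__ == "__main__":
    # The original pattern consumes 19 characters and chokes on the trailing 'Z'.
    print("unparsed at index:", unparsed_index(SAMPLE_TIME, ORIGINAL_FORMATS[0]))
    try:
        parse_temp_time(SAMPLE_TIME, ORIGINAL_FORMATS)
    except ValueError as exc:
        print("original formats:", exc)
    # With the zone-aware fallback the same value parses and lands in UTC.
    print("revised formats: ", parse_temp_time(SAMPLE_TIME, REVISED_FORMATS).isoformat())
```

When checking a candidate pipeline, feed it both a value with the designator and one without: an ordered format list only helps if the zone-free pattern still comes first, so legacy devices that emit no 'Z' keep working, and a value with an explicit offset such as "+0200" must end up shifted to UTC rather than silently treated as UTC.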

The revised pipeline appears to have resolved the timestamp processing.


Thanks for confirming! :grin:
