I just started using the Filebeat Fortinet module and noticed that the module failed to split the fields on a FortiGate 6.4.7.
I've resolved the issue by changing
field_split: " (?=[a-z\\_\\-]+=)"
to
field_split: ",(?=[a-z\\_\\-]+=)"
Unsure if this is a known issue, or is the format of my logs different from what's expected?
Log sample:
date=2021-10-19,time=13:24:58,devname="######",devid="###########",eventtime=1634610298318004656,tz="+1100",logid="0000000013",type="traffic",subtype="forward",level="notice",vd="####",srcip=#####,srcport=54334,srcintf="port5",srcintfrole="wan",dstip=######,dstport=51###,dstintf="##",dstintfrole="wan",srccountry="Korea, Republic of",dstcountry="Australia",sessionid=319025746,proto=17,action="deny",policyid=0,policytype="policy",service="udp/51562",trandisp="noop",duration=0,sentbyte=0,rcvdbyte=0,sentpkt=0,appcat="unscanned",crscore=30,craction=131072,crlevel="high"
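To make the difference between the two `field_split` values concrete, here is an added example (not the poster's code and not part of the Filebeat Fortinet module) that applies the two lookahead-based separators above to a key=value line. It also tries a combined `[ ,]` separator, which is my own generalization and not something the module ships. The log lines are constructed for the example: one comma-separated line modelled on the sample in the post with documentation-range IPs and dummy device names substituted for the masked values, and a short space-separated line in the format the module's default expects. The `srccountry="Korea, Republic of"` value is kept in both, since it is the case where a naive split on "," or " " would break a field in two.

```python
import re

# The key lookahead from the module's field_split, as quoted in the post:
# a separator only counts when it is immediately followed by a key name and '='.
KEY_LOOKAHEAD = r"(?=[a-z_\-]+=)"
SPACE_SPLIT = " " + KEY_LOOKAHEAD    # the module's default separator
COMMA_SPLIT = "," + KEY_LOOKAHEAD    # the poster's change
EITHER_SPLIT = "[ ,]" + KEY_LOOKAHEAD  # my own generalization: accept either separator

# Constructed comma-separated line modelled on the post's sample (dummy values).
COMMA_LOG = (
    'date=2021-10-19,time=13:24:58,devname="FGT-EDGE",devid="FGTTEST0000000001",'
    'eventtime=1634610298318004656,tz="+1100",logid="0000000013",type="traffic",'
    'subtype="forward",level="notice",vd="root",srcip=198.51.100.23,srcport=54334,'
    'srcintf="port5",srcintfrole="wan",dstip=192.0.2.10,dstport=51562,'
    'dstintf="port1",dstintfrole="wan",srccountry="Korea, Republic of",'
    'dstcountry="Australia",sessionid=319025746,proto=17,action="deny",policyid=0,'
    'policytype="policy",service="udp/51562",trandisp="noop",duration=0,sentbyte=0,'
    'rcvdbyte=0,sentpkt=0,appcat="unscanned",crscore=30,craction=131072,crlevel="high"'
)

# Constructed space-separated line in the layout the module default is written for.
SPACE_LOG = (
    'date=2021-10-19 time=13:24:58 devname="FGT-EDGE" type="traffic" '
    'srccountry="Korea, Republic of" dstcountry="Australia" action="deny"'
)


def split_fields(line: str, field_split: str) -> dict:
    """Split a FortiGate key=value line into a dict using the given separator regex.

    Because the separator pattern carries a lookahead for `key=`, a comma or space
    inside a quoted value (e.g. srccountry="Korea, Republic of") never starts a new
    field. If the separator character does not occur before any key, the whole line
    stays one chunk and only the first key is recovered, which is exactly the
    failure the post describes.
    """
    fields = {}
    for chunk in re.split(field_split, line):
        key, sep, value = chunk.partition("=")
        if not sep:
            continue  # not a key=value pair
        fields[key] = value.strip('"')
    return fields


def field_count(line: str, field_split: str) -> int:
    """Number of distinct keys recovered from `line` with the given separator."""
    return len(split_fields(line, field_split))


if __name__ == "__main__":
    for name, pattern in (("space", SPACE_SPLIT), ("comma", COMMA_SPLIT), ("either", EITHER_SPLIT)):
        print(f"{name:>6}: comma-log -> {field_count(COMMA_LOG, pattern):2d} fields, "
              f"space-log -> {field_count(SPACE_LOG, pattern):2d} fields")
    print("srccountry:", split_fields(COMMA_LOG, COMMA_SPLIT)["srccountry"])
```

Running it shows the module default collapsing the comma-separated line into a single `date` field (everything after the first `=` becomes its value), while the comma separator recovers all 36 keys and keeps `Korea, Republic of` intact; the reverse holds for the space-separated line, and the combined class handles both layouts.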