Filebeat Fortinet module - can't parse event as syslog rfc3164

Hey guys, my journalctl keeps getting filled with errors: Filebeat Fortinet module - can't parse event as syslog rfc3164. What can I do to fix it?
I'm using Ubuntu 20.04.
Filebeat version filebeat:amd64/stable 7.16.1 upgradeable to 7.16.3

Sample error log
Feb 01 08:59:42 elk-ls01.xx.xx.xx filebeat[946]: 2022-02-01T08:59:42.559+0200 ERROR [syslog] syslog/input.go:285 can't parse event as syslog rfc3164 {"message": "<14>1 2022-02-01T08:59:42-00:00 firewall dns name- - - - 1,2022/02/01 08:59:41,012001031976,TRAFFIC,end,2049,2022/02/01 08:59:41,91.220.59.66,13.107.160.201,0.0.0.0,0.0.0.0,DMZ DNS servers to External DNS queries,,,dns,vsys1,DMZ,External,ae1.91,ae1.90,ELK_forwarding,2022/02/01 08:59:41,123428,1,55388,53,0,0,0x19,udp,allow,220,102,118,2,2022/02/01 08:59:11,1,any,0,712654729,0x0,Poland,United States,0,1,1,aged-out,0,0,0,0,,firewallhostname,from-policy,,,0,,0,,N/A,0,0,0,0\n"}

I just use filebeat to get logs for fortigate firewalls and transport those logs into logstash. Default configuration is barely minimum just to send logs into logstash.
Let me know if any further information would be needed.

By editing the pipeline (like this: <%{POSINT}>%{POSINT}%{SPACE}%{TIMESTAMP_ISO8601}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{GREEDYDATA:syslog5424_sd}$ ) it started to collect some info, but it got stuck on "tztime": it doesn't understand what the + is when splitting key values. The original value is +0200.
Maybe I'm not sending the logs properly? I wonder if this issue is only for me.
