[Filebeat][Fortinet Module] Failed to parse field

Hi, I'm running filebeat 7.12.1 receiving data from my Fortigate (FortiOS v6.4.1 build1637).
Looking at the filebeat log files, I can see a parse error happening on the "fortinet.firewall.cat" field:

May 19 12:16:50 test filebeat[24619]: 2021-05-19T12:16:50.514-0300#011WARN#011[elasticsearch]#011elasticsearch/client.go:408#011Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc02168d862b40e4d, ext:153681752585, loc:(*time.Location)(0x637e5a0)}, Meta:{"pipeline":"filebeat-7.12.1-fortinet-firewall-pipeline","truncated":false}, Fields:{"agent":{"ephemeral_id":"b53e8141-99a8-41ab-8240-1179451b123d","hostname":"test","id":"6d8c2434-8acc-4892-892d-0f0632910345","name":"soc","type":"filebeat","version":"7.12.1"},"ecs":{"version":"1.8.0"},"event":{"dataset":"fortinet.firewall","module":"fortinet"},"fileset":{"name":"firewall"},"input":{"type":"udp"},"log":{"source":{"address":"10.200.144.1:18591"}},"message":"\u003c189\u003eMay 19 12:16:49 FW_FORTINET_BR2 CEF:0|Fortinet|Fortigate|v7.0.0|00020|traffic:forward accept|3|deviceExternalId=FG200ETK18909344 FTNTFGTeventtime=1621437408866460258 FTNTFGTtz=-0300 FTNTFGTlogid=0000000020 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root src=IP spt=61970 deviceInboundInterface=VPN FTNTFGTsrcintfrole=undefined dst=13.107.136.9 dpt=443 deviceOutboundInterface=port2 FTNTFGTdstintfrole=wan FTNTFGTsrccountry=Reserved FTNTFGTdstcountry=United States externalId=131409673 proto=6 act=accept FTNTFGTpolicyid=90 FTNTFGTpolicytype=policy FTNTFGTpoluuid=509935b8-6abd-51ea-9647-0840e65af00e FTNTFGTpolicyname=INTERNET_VPN duser=user FTNTFGTauthserver=Local FSSO Agent app=HTTPS FTNTFGTtrandisp=snat sourceTranslatedAddress=201.87.145.69 sourceTranslatedPort=61970 FTNTFGTappid=40568 FTNTFGTapp=HTTPS.BROWSER FTNTFGTappcat=Web.Client FTNTFGTapprisk=medium FTNTFGTapplist=ICTS-BR2 FTNTFGTduration=3200 out=354996 in=227767 FTNTFGTsentpkt=593 FTNTFGTrcvdpkt=452 FTNTFGTvwlid=47 FTNTFGTvwlservice=Microsoft-Office365.Published FTNTFGTvwlquality=Seq_num(3 port2), alive, latency: 36.621, selected FTNTFGTvwlname=Microsoft_365_Portal FTNTFGTsentdelta=11546 FTNTFGTrcvddelta=7075","service":{"type":"fortinet"},"tags":["fortinet-firewall","forwarded"]}, Private:interface {}(nil), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [fortinet.firewall.cat] of type [long] in document with id 'aO4zhXkBSyVR8uqFa5jx'. Preview of field's value: 'traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root\""}}

Has anyone had this problem before?

Ok, I see what's going on. The IT team just updated the FortiOS to 7.0 (as shown in the log, my bad), and the plugin doesn't support this version yet!
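To make the failure in the log above reproducible offline, here is a small added Python example (not Filebeat's, Elastic's or Fortinet's code). It parses the CEF message quoted in the error two ways: with a CEF-aware extension splitter, and with a key=value splitter that only recognises lowercase keys, which is my assumption of how a parser written for the older FortiOS syslog key=value format would behave on CEF input. The second parse yields exactly the value the mapper complained about, and the integer check at the end shows why a field mapped as `long` rejects the event either way. The sample line is the message from the log, with the syslog prefix dropped and the extension truncated after `dpt=443`.

```python
import re

# CEF header field names in order, per the CEF format (version|vendor|product|...|severity).
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# CEF keys are mixed case: deviceExternalId, FTNTFGTsubtype, cat, src ...
CEF_KEY = r"[A-Za-z0-9_]+"
# Assumption: a kv parser built for FortiOS syslog logs only expects lowercase keys.
LOWER_KEY = r"[a-z0-9_]+"

# Message taken from the Filebeat warning in the post above (prefix removed, truncated).
CEF_LINE = (
    "CEF:0|Fortinet|Fortigate|v7.0.0|00020|traffic:forward accept|3|"
    "deviceExternalId=FG200ETK18909344 FTNTFGTeventtime=1621437408866460258 "
    "FTNTFGTtz=-0300 FTNTFGTlogid=0000000020 cat=traffic:forward "
    "FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root src=IP spt=61970 "
    "deviceInboundInterface=VPN FTNTFGTsrcintfrole=undefined dst=13.107.136.9 dpt=443"
)


def parse_extension(ext, key_pattern=CEF_KEY):
    """Split a CEF extension string into a dict.

    Values may contain spaces, so a pair ends only where ' <key>=' begins.
    key_pattern decides what counts as a key: with LOWER_KEY the mixed-case
    FTNTFGT* keys are not recognised and get swallowed into the previous value.
    """
    pair = re.compile(rf"\b({key_pattern})=(.*?)(?=\s{key_pattern}=|$)")
    return {m.group(1): m.group(2) for m in pair.finditer(ext)}


def parse_cef(line):
    """Return (header dict, extension dict) for one CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Header fields are separated by '|'; a literal pipe inside a field is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 '|'-separated fields plus an extension")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    return header, parse_extension(parts[7])


def long_field_conflicts(fields, long_fields):
    """Names of fields mapped as 'long' whose value is not an integer.

    Elasticsearch rejects the whole document when any such field is present,
    which is the mapper_parsing_exception seen in the Filebeat log.
    """
    bad = []
    for name in sorted(long_fields):
        if name in fields:
            try:
                int(fields[name])
            except ValueError:
                bad.append(name)
    return bad


if __name__ == "__main__":
    header, ext = parse_cef(CEF_LINE)
    print("device version:", header["device_version"])
    print("CEF-aware cat :", repr(ext["cat"]))
    naive = parse_extension(CEF_LINE.split("|", 7)[7], LOWER_KEY)
    print("lowercase-only cat:", repr(naive["cat"]))
    # fortinet.firewall.cat is mapped as long in the index, per the error message.
    print("fields that cannot go into a long mapping:", long_field_conflicts(ext, {"cat", "dpt"}))
```

The lowercase-only parse stops the `cat` value at the next lowercase key (`src=`), producing `traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root`, the exact preview in the error. Note that even the correctly split `traffic:forward` is not an integer, so as long as the index maps `fortinet.firewall.cat` as `long`, a CEF-formatted event from this firewall cannot be indexed regardless of how the extension is split; that is the format mismatch behind the module not supporting the newer FortiOS output.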

If you create a GitHub issue, the appropriate changes can be made to the module to support the newer version.
