@Marius_Iversen thanks for your response; please find the document below:
{
"_index": "filebeat-7.7.1-2020.06.10-000001",
"_type": "_doc",
"_id": "bkL7nXIB5pEhvMFhWMuB",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"hostname": "xx",
"id": "89ad49b4-bcd9-41c1-b4fa-2d004c365ec5",
"type": "filebeat",
"ephemeral_id": "1cb6648a-ed5d-4865-8b7c-13b91deac958",
"version": "7.7.1"
},
"_temp": {
"time": "2020-06-10 12:26:31 UTC+1:00"
},
"log": {
"source": {
"address": "xx"
}
},
"syslog5424_sd": "timestamp=1591788391 tz=\"UTC+1:00\" devname=\"xx\" devid=\"xx\" vd=\"root\" date=2020-06-10 time=12:26:31 logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" eventtime=1591788391 srcip=xx srcname=\"ubuntu\" srcport=xx srcintf=\"port1\" srcintfrole=\"lan\" dstip=xx dstport=xx dstintf=\"xx\" dstintfrole=\"undefined\" poluuid=\"xx\" sessionid=3971007 proto=17 action=\"accept\" policyid=103 policytype=\"policy\" service=\"DNS\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" duration=180 sentbyte=88 rcvdbyte=104 sentpkt=1 rcvdpkt=1 vpn=\"xx\" vpntype=\"ipsec-static\" appcat=\"unscanned\" devtype=\"Linux PC\" devcategory=\"None\" osname=\"Linux\" osversion=\"Debian\" mastersrcmac=\"xx\" srcmac=\"xx\" srcserver=1",
"message": "<189>timestamp=1591788391 tz=\"UTC+1:00\" devname=\"xx\" devid=\"xx\" vd=\"root\" date=2020-06-10 time=12:26:31 logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" eventtime=1591788391 srcip=xx srcname=\"ubuntu\" srcport=xx srcintf=\"port1\" srcintfrole=\"lan\" dstip=xx dstport=xx dstintf=\"xx\" dstintfrole=\"undefined\" poluuid=\"xx\" sessionid=3971007 proto=17 action=\"accept\" policyid=103 policytype=\"policy\" service=\"DNS\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" duration=180 sentbyte=88 rcvdbyte=104 sentpkt=1 rcvdpkt=1 vpn=\"xx\" vpntype=\"ipsec-static\" appcat=\"unscanned\" devtype=\"Linux PC\" devcategory=\"None\" osname=\"Linux\" osversion=\"Debian\" mastersrcmac=\"xx\" srcmac=\"xx\" srcserver=1\n",
"fileset": {
"name": "firewall"
},
"error": {
"message": "Invalid ID for ZoneOffset, non numeric characters found: +1:00"
},
"tags": [
"fortinet-firewall"
],
"input": {
"type": "udp"
},
"observer": {
"product": "Fortigate",
"vendor": "Fortinet",
"type": "firewall"
},
"@timestamp": "2020-06-10T11:26:33.580Z",
"ecs": {
"version": "1.5.0"
},
"service": {
"type": "fortinet"
},
"syslog5424_pri": "189",
"fortinet": {
"firewall": {
"devid": "xx",
"date": "2020-06-10",
"srcip": "xx",
"srcintfrole": "lan",
"poluuid": "xx",
"dstport": "xx",
"tz": "UTC+1:00",
"eventtime": "1591788391",
"sessionid": "3971007",
"sentpkt": "1",
"type": "traffic",
"devcategory": "None",
"srccountry": "Reserved",
"duration": "180",
"policyid": "103",
"subtype": "forward",
"mastersrcmac": "xx",
"action": "accept",
"srcmac": "xx",
"devname": "xx",
"dstip": "xx",
"dstintf": "xx",
"trandisp": "noop",
"osname": "Linux",
"timestamp": "1591788391",
"srcintf": "port1",
"sentbyte": "88",
"level": "notice",
"policytype": "policy",
"srcserver": "1",
"vpntype": "ipsec-static",
"vd": "root",
"dstintfrole": "undefined",
"appcat": "unscanned",
"devtype": "Linux PC",
"srcname": "ubuntu",
"vpn": "xx",
"service": "DNS",
"proto": "17",
"srcport": "xx",
"logid": "0000000013",
"time": "12:26:31",
"dstcountry": "Reserved",
"osversion": "Debian",
"rcvdbyte": "104",
"rcvdpkt": "1"
}
},
"host": {
"hostname": "xx",
"os": {
"kernel": "4.19.0-9-amd64",
"codename": "buster",
"name": "Debian GNU/Linux",
"family": "debian",
"version": "10 (buster)",
"platform": "debian"
},
"containerized": false,
"ip": [
"xx",
"xx"
],
"name": "xx",
"id": "xx",
"mac": [
"xx"
],
"architecture": "x86_64"
},
"event": {
"timezone": "UTC+1:00",
"module": "fortinet",
"dataset": "fortinet.firewall"
}
},
}
I've removed some things and replaced them with xx; you can assume the original data there was correct. This raises another question: is there a reason the original message is stored twice in very similar formats (`message` and `syslog5424_sd`)? Can I remove one of them somehow, as I imagine it will cost space once I ramp things up?
Thanks for your assistance with this!