I found that the pipeline in the iptables log ingest has some glitch in the timezone: with version 7.4.0, my documents are 7 hours off from my timezone.
Since I checked the date against syslog, I set up the pipeline like below:
{
  .
  .
  .
},
{
  "date": {
    "field": "iptables.raw_date",
    "target_field": "@timestamp",
    "formats": [
      "MMM  d HH:mm:ss",
      "MMM dd HH:mm:ss",
      "MMM d HH:mm:ss",
      "ISO8601"
    ],
    "ignore_failure": true
  }
},
{
  "date": {
    "if": "ctx.event.timezone != null",
    "field": "iptables.raw_date",
    "target_field": "@timestamp",
    "formats": [
      "MMM  d HH:mm:ss",
      "MMM dd HH:mm:ss",
      "MMM d HH:mm:ss",
      "ISO8601"
    ],
    "timezone": "{{ event.timezone }}",
    "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
  }
},
{
  "remove": {
    "field": "iptables.raw_date",
    "ignore_missing": true
  }
},
.
.
.
      "field" : "error.message",
      "value" : "{{ _ingest.on_failure_message }}"
    }
  }]
}
Then all the logs follow UTC and my timezone and work very well...
Now my documents work as expected.
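To make the 7-hour symptom concrete, here is an added offline simulation of the two date processors in the pipeline above. It is example code, not Elasticsearch or Filebeat code: the syslog-style dates, the +07:00 offset and the event layout are constructed, and the assumption is that event.timezone carries an ISO-style offset (Elasticsearch also accepts zone IDs such as "Asia/Bangkok"). The first processor parses the zone-less syslog date as UTC; the second, which only runs when event.timezone is set, re-parses it in the host's zone and overwrites @timestamp, which is the step that removes the skew.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the original post). iptables.raw_date is the
# syslog-style date with no year and no zone, exactly as the pipeline sees it.
SAMPLE_EVENTS = [
    {"iptables": {"raw_date": "Mar  5 14:22:07"}, "event": {}},
    {"iptables": {"raw_date": "Mar  5 14:22:07"}, "event": {"timezone": "+07:00"}},
]

# strptime equivalents of the pipeline's Java-style formats. "%b %d" tolerates the
# space-padded single-digit day ("Mar  5"), so one pattern covers "MMM  d", "MMM dd"
# and "MMM d"; the second pattern stands in for ISO8601 with an explicit offset.
STRPTIME_FORMATS = ["%b %d %H:%M:%S", "%Y-%m-%dT%H:%M:%S%z"]


def parse_offset(tz_string):
    """Turn an ISO-style offset such as '+07:00' into a tzinfo.
    Assumption: event.timezone carries this form in the simulated events."""
    sign = 1 if tz_string[0] == "+" else -1
    hours, minutes = tz_string[1:].split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))


def parse_raw_date(raw, tz=timezone.utc, year=None):
    """Parse a raw date with the pipeline's formats, fill in the missing year
    (the Elasticsearch date processor assumes the current year), interpret the
    wall-clock time in tz, and return it as an aware UTC datetime.
    Returns None when no format matches, mirroring a failed date processor."""
    year = year or datetime.now(timezone.utc).year
    for fmt in STRPTIME_FORMATS:
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            # Syslog form: no year and no zone, so both come from the pipeline.
            parsed = parsed.replace(year=year, tzinfo=tz)
        return parsed.astimezone(timezone.utc)
    return None


def run_pipeline(event, year=None):
    """Mimic the two date processors from the post: the first parses without a
    zone (UTC); the second re-parses with event.timezone when present and wins."""
    raw = event["iptables"]["raw_date"]
    event["@timestamp"] = parse_raw_date(raw, timezone.utc, year)
    tz_string = event.get("event", {}).get("timezone")
    if tz_string is not None:
        event["@timestamp"] = parse_raw_date(raw, parse_offset(tz_string), year)
    return event


def skew_hours(event_without_tz, event_with_tz, year=None):
    """Hours by which the zone-less parse lands ahead of the zone-aware parse:
    the 7-hour skew the post describes for a host at UTC+7."""
    a = run_pipeline(dict(event_without_tz), year)["@timestamp"]
    b = run_pipeline(dict(event_with_tz), year)["@timestamp"]
    return (a - b).total_seconds() / 3600


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event"].get("timezone"), run_pipeline(dict(ev), 2024)["@timestamp"])
    print("skew (hours):", skew_hours(SAMPLE_EVENTS[0], SAMPLE_EVENTS[1], 2024))
```

The year is passed explicitly in the test so results stay stable; in production the missing year is the other classic syslog pitfall, since events ingested just after New Year are dated a year ahead unless the pipeline or shipper supplies it.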