Sorry I explained that bad. My issue isn't the filebeats removing the event.timezone. This filebeats only exists to ingest that panos data for the SIEM app.
My concern is that even with removing that field the data still was converted to 4 hours in the past. After changing the Kibana advance setting to UTC it set the data to the right time, but that also broke all the other data sources that come into ELK from various other applications. Their time instead of being correct was set to 4 hours in the future, or UTC time.